[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

RE: bad security setting for win32 tor service

You can also have Tor install the service as the NT AUTHORITY\LocalService account. This patch on does so:

--- main.c.orig 2005-08-04 18:45:20.000000000 -0400
+++ main.c      2005-08-19 09:15:47.000000000 -0400
@@ -77,6 +77,7 @@
 #define GENSRV_DISPLAYNAME  TEXT("Tor Win32 Service")
 #define GENSRV_DESCRIPTION  TEXT("Provides an anonymous Internet communication system")
+#define GENSRV_USERACCT     TEXT("NT AUTHORITY\\LocalService")

 // Cheating: using the pre-defined error codes, tricks Windows into displaying
 //           a semi-related human-readable error message if startup fails as
@@ -1767,7 +1768,7 @@
   if ((hService = CreateService(hSCManager, GENSRV_SERVICENAME, GENSRV_DISPLAYNAME,
                                 SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
                                 SERVICE_AUTO_START, SERVICE_ERROR_IGNORE, command,
-                                NULL, NULL, NULL, NULL, "")) == NULL) {
+                                NULL, NULL, NULL, GENSRV_USERACCT, "")) == NULL) {
     errmsg = nt_strerror(GetLastError());
     printf("CreateService() failed : %s\n", errmsg);

-----Original Message-----
From: owner-or-talk@xxxxxxxxxxxxx on behalf of Carsten Krüger
Sent: Thu 8/18/2005 9:05 PM
To: or-talk@xxxxxxxx
Subject: bad security setting for win32 tor service

the default install of win32 tor service is bad.
tor -install create the service that it runs with SYSTEM-privileges
(highest possible privilege level on win32 (more than administrator))
Nobody would run tor daemon on *nix with root-privileges.

short document about Service account permissions:

Tor works fine as user LocalService.

tor.exe didn't find:
C:\Documents and Settings\LocalService\Application Data\Tor\torrc
c:\Program Files\Tor\torrc

I defined the log directory in torrc this way:
Log notice file C:\Documents and Settings\LocalService\Application Data\Tor\notices.log
and changed the account for the service:
Windows Registry Editor Version 5.00

"ObjectName"="NT AUTHORITY\\LocalService"

(0. "tor -install" if tor is not installed)
1. run "regedit /s tor_service.reg" to merge this regfile silent
2. stop tor-service "sc stop tor"
3. start tor-service again "sc start tor" and it runs within the localservice account