
RE: bad security setting for win32 tor service



> Matt -- I'd like to accept a patch like this.  Can you explain to me
> what it would do for Tor's storage, though?  J Random User shouldn't
> be able to read Tor's private keys -- can this happen if Tor runs as
> "NT AUTHORITY\LocalService" ?  If so, what is the real solution?

If the service is set to run as LocalService, other limited
users should not be able to see its data directory.

I know the subject of what location is best for Tor to use as its
default data directory on Windows has been discussed at least once
or twice, but I don't believe a satisfactory solution was determined.

This becomes a problem when someone sets up their server while
running non-service Tor, then installs Tor as a service, and
then things break because Tor is now using LocalService\App Data
instead of UserName\App Data. Similarly, if someone sets 
up their server while running the Tor service as LocalService, 
and then wants to run it as non-service Tor, non-service 
Tor wouldn't know to look in (and wouldn't be able to read) 
LocalService\App Data.

It seems that Tor would have to use All Users\App Data for Tor
to be able to switch seamlessly between service and non-service
Tor. Of course, this would be bad because then all users would 
be able to read the server's private keys.

Is it acceptable to say "run Tor either as a service or as a normal
console app. If you want to switch back and forth, you're on 
your own?" If so, I think it would be safe to say that if you're
running Tor as a service, then Tor will use LocalService\App Data
for everything (including the torrc file). Else, Tor will use
UserName\App Data for everything (including the torrc file).
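
One way to check the concern raised in this message, that a shared data directory lets every user read the server's private keys. This is an added example, not part of the original e-mail or of Tor: it parses `icacls` output for a directory and lists the broad groups that hold read access. The directory paths and the sample output are constructed placeholders.

```python
import re

# Well-known Windows groups that include ordinary limited accounts.
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users",
         "nt authority\\interactive"}
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "GA", "RD"}  # rights that allow reading data
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}          # inheritance markers, not rights
ACE = re.compile(r"^(?P<who>[^:]+):(?P<groups>(?:\([^)]*\))+)$")

def parse_aces(output, path):
    """Yield (principal, rights, deny) for each ACE line of icacls output."""
    for line in output.splitlines():
        if line.startswith(path):          # first line is "<path> <first ACE>"
            line = line[len(path):]
        m = ACE.match(line.strip())
        if not m:
            continue                       # blank line or summary line
        rights, deny = set(), False
        for group in re.findall(r"\(([^)]*)\)", m["groups"]):
            tokens = set(group.split(","))
            if tokens == {"DENY"}:
                deny = True
            elif not tokens <= INHERIT_FLAGS:
                rights |= tokens
        yield m["who"], rights, deny

def broad_readers(output, path):
    """Broad groups with an allow ACE granting read (deny ACEs are skipped, not evaluated)."""
    return sorted({who for who, rights, deny in parse_aces(output, path)
                   if not deny and who.lower() in BROAD and rights & READ_RIGHTS})

# Constructed sample output; both paths are placeholders.
SHARED_PATH = r"D:\example\AllUsers\tor"
SHARED = r"""D:\example\AllUsers\tor NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                        BUILTIN\Administrators:(I)(OI)(CI)(F)
                        BUILTIN\Users:(I)(OI)(CI)(RX)
                        BUILTIN\Users:(I)(CI)(WD,AD)

Successfully processed 1 files; Failed processing 0 files"""
PRIVATE_PATH = r"D:\example\LocalService\tor"
PRIVATE = r"""D:\example\LocalService\tor NT AUTHORITY\LOCAL SERVICE:(OI)(CI)(F)
                            NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                            BUILTIN\Administrators:(OI)(CI)(F)"""

if __name__ == "__main__":
    for path, out in ((SHARED_PATH, SHARED), (PRIVATE_PATH, PRIVATE)):
        print(path, "->", broad_readers(out, path) or "no broad read access")
```

An empty result only means no broad group has an allow entry for read; individually named accounts still need a manual look.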
