bad security setting for win32 tor service

Edman, Matt Matt_Edman at baylor.edu
Fri Aug 19 13:20:46 UTC 2005


You can also have Tor install the service as the NT AUTHORITY\LocalService account. This patch against 0.1.1.5-alpha does so:

--- main.c.orig 2005-08-04 18:45:20.000000000 -0400
+++ main.c      2005-08-19 09:15:47.000000000 -0400
@@ -77,6 +77,7 @@
 #define GENSRV_SERVICENAME  TEXT("tor")
 #define GENSRV_DISPLAYNAME  TEXT("Tor Win32 Service")
 #define GENSRV_DESCRIPTION  TEXT("Provides an anonymous Internet communication system")
+#define GENSRV_USERACCT     TEXT("NT AUTHORITY\\LocalService")

 // Cheating: using the pre-defined error codes, tricks Windows into displaying
 //           a semi-related human-readable error message if startup fails as
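Review bot: GENSRV_USERACCT bakes the service account in at compile time, so anyone who needs the service under another identity must rebuild; consider an override on the "-install" path with LocalService as the default. A comment next to the define would also help: changing the account moves Tor's per-user profile (the report below notes that tor.exe did not find torrc under the LocalService "Application Data\Tor" directory and only c:\Program Files\Tor\torrc worked), so the torrc, DataDirectory and log paths must be readable and writable by LocalService.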
@@ -1767,7 +1768,7 @@
   if ((hService = CreateService(hSCManager, GENSRV_SERVICENAME, GENSRV_DISPLAYNAME,
                                 SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
                                 SERVICE_AUTO_START, SERVICE_ERROR_IGNORE, command,
-                                NULL, NULL, NULL, NULL, "")) == NULL) {
+                                NULL, NULL, NULL, GENSRV_USERACCT, "")) == NULL) {
     errmsg = nt_strerror(GetLastError());
     printf("CreateService() failed : %s\n", errmsg);
     CloseServiceHandle(hSCManager);
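Review bot: CreateService() registers the service under GENSRV_USERACCT even when LocalService cannot write the data directory, and the error path here only reports CreateService() itself failing, so a permissions problem surfaces later at "sc start" with no hint. Consider checking that the configured data and log directories are accessible to the new account at install time and printing a message pointing at them when they are not. Minor: the empty-string password matches the documented convention for the built-in LocalService account, so keep `""` rather than switching to NULL.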



-----Original Message-----
From: owner-or-talk at freehaven.net on behalf of Carsten Krüger
Sent: Thu 8/18/2005 9:05 PM
To: or-talk at seul.org
Subject: bad security setting for win32 tor service
 
Hello,

The default install of the win32 Tor service is bad.
"tor -install" creates the service so that it runs with SYSTEM privileges
(the highest possible privilege level on win32, more than Administrator).
Nobody would run the Tor daemon on *nix with root privileges.

Short document about service account permissions:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/datacenter/proddocs/en-us/sys_srv_permissions.asp

Tor works fine as user LocalService.

tor.exe didn't find:
C:\Documents and Settings\LocalService\Application Data\Tor\torrc
but
c:\Program Files\Tor\torrc
worked

I defined the log directory in torrc this way:
Log notice file C:\Documents and Settings\LocalService\Application Data\Tor\notices.log
and changed the account for the service:
-----------------------------tor_service.reg-----------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tor]
"ObjectName"="NT AUTHORITY\\LocalService"
-----------------------------tor_service.reg-----------------------------------

(0. "tor -install" if Tor is not installed)
1. run "regedit /s tor_service.reg" to merge this reg file silently
2. stop the tor service: "sc stop tor"
3. start the tor service again: "sc start tor", and it runs within the LocalService account

greetings
Carsten
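The registry edit and the sc stop/start steps above can be driven and verified from PowerShell. The script below is an added example, not code from the thread or from the Tor project: it reports which account a service is configured to run as, lists every service on the box that still runs as LocalSystem, grants LocalService modify rights on the data directory (the torrc lookup problem described above is a permissions/profile issue, so the directory must be accessible to the new account), switches the service with sc.exe (the command-line equivalent of setting ObjectName), and then checks the owner of the running tor.exe. It assumes the service is named "tor" as in the post; the data directory path is a hypothetical default and must be adjusted. Run it from an elevated PowerShell.

```powershell
# Added example (not from the original thread): audit and fix the account the
# Tor service runs as. Assumptions: service name "tor"; $dataDir is hypothetical.

function Get-ServiceAccount {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found" }
    [pscustomobject]@{
        Name      = $svc.Name
        StartName = $svc.StartName   # 'LocalSystem' or 'NT AUTHORITY\LocalService'
        State     = $svc.State
        PathName  = $svc.PathName
    }
}

function Find-LocalSystemServices {
    # Broader audit: every service configured to run with SYSTEM privileges.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, State, PathName
}

function Grant-LocalServiceModify {
    # LocalService must read torrc and write DataDirectory and the log file.
    # S-1-5-19 is the well-known SID of LOCAL SERVICE; using the SID avoids
    # localized account names. (OI)(CI) inherit the ACE to files and subfolders.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Path '$Path' does not exist" }
    & icacls.exe $Path /grant '*S-1-5-19:(OI)(CI)M' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

function Set-ServiceToLocalService {
    param([Parameter(Mandatory)][string]$Name)
    # Same effect as writing ObjectName in the tor_service.reg file from the post.
    # Note the mandatory space after 'obj='. The built-in LocalService account
    # needs no password.
    & sc.exe config $Name obj= 'NT AUTHORITY\LocalService' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
}

function Test-ProcessOwner {
    # Confirm the running tor.exe actually carries the new identity.
    param([string]$ProcessName = 'tor.exe')
    $proc = Get-CimInstance -ClassName Win32_Process -Filter "Name='$ProcessName'" |
        Select-Object -First 1
    if (-not $proc) { throw "Process '$ProcessName' is not running" }
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    "$($owner.Domain)\$($owner.User)"
}

# --- usage ---
$svcName = 'tor'
$dataDir = 'C:\Program Files\Tor'   # hypothetical; point this at your DataDirectory

$before = Get-ServiceAccount -Name $svcName
if ($before.StartName -eq 'LocalSystem') {
    Grant-LocalServiceModify -Path $dataDir
    Set-ServiceToLocalService -Name $svcName
    Restart-Service -Name $svcName
    Get-ServiceAccount -Name $svcName
    Test-ProcessOwner
}
```

Get-ServiceAccount reads the same value the registry file sets (the ObjectName under the service key, exposed by WMI as StartName), so it is the quick check for whether a box still has the default SYSTEM install; Test-ProcessOwner goes one step further and reports the domain and user of the live process, which is what actually matters once the service has been restarted.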

