Opened 5 years ago

Last modified 18 months ago

#10027 new defect

Tor Windows service should be installed with the NetworkService account

Reported by: arma
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: tor-relay win32 nt-service
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

<GITNE> nickm: I have checked running Tor under the NetworkService account. Works fine. The problem I had the last time was a missing write permission on the log file.
<GITNE> nickm: So it should probably be safe to change GENSRV_USERACCT to "NT AUTHORITY\NetworkService"
> gitne: was that because the log file was trying to go somewhere it shouldn't? or what
> gitne: also, does that change work for every windows, or only some of them?
<GITNE> armadev: those three predefined accounts LocalSystem, LocalService, and NetworkService are available since Windows 2000 so Tor should be safe with that.
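
An added example, not part of the ticket or Tor's own code: a PowerShell check for the two points raised in the log above, which account the service logs on as and whether that account can write the log file. The service name `tor`, the log path and the `-Fix` switch are assumptions; run it elevated if `-Fix` is used.

```powershell
param(
    [string]$ServiceName = 'tor',                         # assumed service name
    [string]$LogFile     = 'C:\path\to\tor\notices.log',  # placeholder path
    [switch]$Fix                                          # hypothetical switch: apply changes
)

$Account = 'NT AUTHORITY\NetworkService'
# S-1-5-20 is the well-known SID of NetworkService; using the SID avoids
# name-format differences ("NetworkService" vs "NETWORK SERVICE").
$Sid = [System.Security.Principal.SecurityIdentifier]'S-1-5-20'

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
if (-not (Test-Path -LiteralPath $LogFile)) { throw "Log file '$LogFile' not found" }

# Compare account names with spaces removed (-eq is case-insensitive).
$accountOk = ($svc.StartName -replace ' ', '') -eq ($Account -replace ' ', '')

# Look only at explicit or inherited allow ACEs that name the SID itself.
# Access granted through groups (for example Users) is not evaluated here.
$write = [System.Security.AccessControl.FileSystemRights]::Write
$rules = (Get-Acl -LiteralPath $LogFile).GetAccessRules($true, $true, $Sid.GetType())
$aclOk = [bool]($rules | Where-Object {
    $_.IdentityReference.Value -eq $Sid.Value -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $write) -eq $write
})

[pscustomobject]@{
    Service        = $ServiceName
    LogonAccount   = $svc.StartName
    AccountMatches = $accountOk
    LogWritable    = $aclOk
}

if ($Fix) {
    if (-not $accountOk) {
        # Built-in service accounts have no password: pass an empty string.
        $r = Invoke-CimMethod -InputObject $svc -MethodName Change `
             -Arguments @{ StartName = $Account; StartPassword = '' }
        if ($r.ReturnValue -ne 0) { throw "Change failed, code $($r.ReturnValue)" }
    }
    if (-not $aclOk) {
        # (M) = modify; the *SID form avoids localized account names.
        icacls.exe $LogFile /grant '*S-1-5-20:(M)'
    }
}
```

A logon-account change takes effect the next time the service starts.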

Change History (9)

comment:1 Changed 5 years ago by arma

Summary: changed from "Tor-as-Windows-service uses the wrong user privileges" to "Tor Windows services should be installed with the NetworkService account"

comment:2 Changed 5 years ago by GITNE

Summary: changed from "Tor Windows services should be installed with the NetworkService account" to "Tor Windows service should be installed with the NetworkService account"

comment:3 Changed 5 years ago by GITNE

This defect should be resolved by the same changeset or be part of the same milestone as #7956 because both tickets have equal side effects. See comment about a possible migration path.

Last edited 5 years ago by GITNE

comment:4 Changed 5 years ago by nickm

Milestone: changed from "Tor: 0.2.5.x-final" to "Tor: 0.2.???"

comment:5 Changed 3 years ago by bugzilla

Severity: Normal

Why is it a defect?
Why NetworkService? It's not about the network. It's "Microsoft network" (or domain).

LocalService vs NetworkService:
The principals differ in how they handle a service's attempts to access resources on other Windows computers on the network. A service running under NetworkService is authenticated to other computers on the network by using the computer's account in the domain.
(ref.: windowsitpro.com/systems-management/understanding-local-service-and-network-service-accounts)

It has minimum privileges on the local computer and acts as the computer on the network... A service that runs in the context of the NetworkService account presents the computer's credentials to remote Windows servers. (official: https://msdn.microsoft.com/en-us/library/windows/desktop/ms684272%28v=vs.85%29.aspx)

comment:6 Changed 2 years ago by teor

Milestone: changed from "Tor: 0.2.???" to "Tor: 0.3.???"

Milestone renamed

comment:7 Changed 2 years ago by nickm

Keywords: tor-03-unspecified-201612 added
Milestone: changed from "Tor: 0.3.???" to "Tor: unspecified"

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

comment:8 Changed 18 months ago by nickm

Keywords: tor-03-unspecified-201612 removed

Remove an old triaging keyword.

comment:9 Changed 18 months ago by nickm

Keywords: win32 nt-service added