Opened 11 months ago

Last modified 3 months ago

#2682 open defect

Don't run Windows Service as System user

Reported by: zzz
Owned by:
Priority: minor
Milestone: undecided
Component: installer
Version: 0.9.44
Keywords: install, windows
Cc: idk
Parent Tickets: #600
Sensitive: no

Description

Via @agowa338 Klaus Frank on Twitter

  • Does your windows version really need to run as system user?
  • Good q. This is only when running as a service. Is there a way to run a service as a different user?
  • Yes, a service can be run within either a service user or any other user's context, and if the computer is a domain member there are also group managed service accounts.

https://docs.microsoft.com/de-de/windows/security/identity-protection/access-control/service-accounts#bkmk-virtualserviceaccounts
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd548356(v=ws.10)?redirectedfrom=MSDN#using-virtual-accounts

Change History (2)

comment:1 Changed 4 months ago by aargh

Keywords: install windows added
Status: new → open
Summary: Don't run WIndows Service as System user → Don't run Windows Service as System user

comment:2 Changed 3 months ago by zzz

Cc: idk added
Parent Tickets: 600

This will also fix #600
We would have to migrate file permissions for existing installs if we do have a fix.
The "virtual account" system does sound like the right approach. But perhaps izpack has a facility for this?
The install_i2p_service_winnt.bat and set_config_dir_for_nt_service.bat files are possible places to put any fix.
Unfortunately this is far beyond what I'm capable of right now…
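
A sketch of the virtual-account switch and the file-permission migration discussed in this ticket, added here as an example and not taken from the I2P installer or its .bat files. The service name and directory list are placeholders (assumptions) that would have to be replaced with the values the installer actually uses.

```powershell
#Requires -RunAsAdministrator
# Added example, not project code. Moves an existing Windows service from
# LocalSystem to its per-service virtual account and migrates directory ACLs.
param(
    [string]$ServiceName = 'ExampleService',          # placeholder (assumption)
    [string[]]$DataDirs  = @('C:\ExampleApp\config')  # placeholder (assumption)
)

$ErrorActionPreference = 'Stop'

# A virtual account is named after the service; Windows manages it and it has
# no password to store or rotate.
$account = "NT SERVICE\$ServiceName"

# 1. Record the current logon account so the change can be reverted.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed" }
Write-Host "Current logon account: $($svc.StartName)"

# 2. Stop the service before touching its files.
if ($svc.State -eq 'Running') { Stop-Service -Name $ServiceName }

# 3. Migrate permissions: files written while running as SYSTEM are not
#    writable by the virtual account until it is granted access.
#    (OI)(CI)M = Modify, inherited by files and subdirectories; /T also
#    applies it to everything that already exists below the directory.
foreach ($dir in $DataDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { throw "Missing directory: $dir" }
    & icacls.exe $dir /grant "${account}:(OI)(CI)M" /T | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $dir" }
}

# 4. Change the logon account. sc.exe expects 'obj=' and its value as
#    separate arguments.
& sc.exe config $ServiceName obj= $account | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed ($LASTEXITCODE)" }

# 5. Restart and confirm the service no longer runs as LocalSystem.
Start-Service -Name $ServiceName
$after = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($after.StartName -ne $account) {
    throw "Service still runs as '$($after.StartName)'"
}
Write-Host "Service now runs as $($after.StartName)"
```

The directory list has to cover every location the service writes to, otherwise the service will fail on its first write after the switch.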
