View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0002330 | unreal | installing | public | 2005-02-11 10:45 | 2019-11-11 10:04 |
Reporter | skyflash | Assigned To | syzop | ||
Priority | normal | Severity | feature | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Platform | Intel Celeron 2.4 GHz 512MB | OS | Windows 2003 STD | OS Version | RTM |
Product Version | 3.2.2 | ||||
Fixed in Version | 5.0.0-rc1 | ||||
Summary | 0002330: [Win32] Not possible to install IRCD as a service run by a non-privileged user | ||||
Description | When the IRCD is NOT set to either run under LOCALSYSTEM or as a member of the Administrators group, it will fail to start as a service by timing out, no error messages will be logged. It will set its working directory to windows/system32 and look there for unrealircd.conf and all other relative paths. Multiple tries were made, even if the non-priv user account owns the whole directory tree up to the IRCD folder, it will not work. The non-priv user was given all local security policy settings that the Administrator had, to no avail. Several other services were treated with the same procedure, and worked flawlessly running under a non-priv user, (Apache2, FileZillaServer, hMailserver, Privoxy, some self programmed one) so it must be something special with unrealircd. | ||||
Steps To Reproduce | 1. Install as a service normally. 2. Change account setting in Services admin to LOCALSERVICE or any other non-admin / non-localsystem user. 3. Make sure the path to the IRCD is accessible by the used account. 4. Start the service. 5. Observe it timeout without error message whatsoever. | ||||
Additional Information | It would be nice to have a command line option to supply a working directory to the IRCD, and an option in the config file to do the same. However, that may not fix the bug. The bug may be more than just the working directory not being set. There should be some kind of logging when starting the service, maybe enable it with another command line option. | ||||
Tags | No tags attached. | ||||
Attached Files | |||||
3rd party modules | |||||
|
"It would be nice to have a command line option to supply a working directory to the IRCD, and an option in the config file to do the same."
There is, the -d command line argument will allow you to specify the directory. As for in the config file, that's simply not possible. Without knowing the working directory, Unreal has no way of finding the configuration problem. Therefore, this option would be useless.
"There should be some kind of logging when starting the service, maybe enable it with another command line option."
There already is. Unreal will create a service.log file. Apparently this file will be in C:\windows\system32 since that is the current working directory. Let me know if this helps. |
|
Alright, I tested it again, to see if I missed something... but that wasn't the case. The -d option, although working just fine if I run under Administrators group or LOCALSYSTEM account, fails to set the working dir under any non-priv account. I had a file monitor running and I was able to see how the ircd correctly switched the working dir on startup using the -d option the first time, and then fails to do anything the second time. I don't think the problem is that the ircd doesn't know what the working dir should be, I think the problem is that it lacks the ability to switch to it for some reason I do not see. Screwed up permissions? However, I tried allowing EVERYTHING for the user account it's running on, and it didn't work. There must be something special with the Administrators group that no other account has, even if beefed up in local security policies to have the same abilities as an Administrator, and even if the whole harddisk is owned by it. The service.log file never gets created, the ircd fails before that. There is no log file in system32, nor anywhere else. Yes, I set permission for the ircd to write in the system dir, but even if not, I had a file monitor running for all my tests and can see the ircd is not trying to open it. Sorry, still does not work. ;) I think though this can be replicated by anyone, so it should be easy for you to see the bug in action... or missing feature, however you wanna call it. :P Or maybe I am just doing something terribly wrong... |
|
I used to have Unreal working as a non-administrator, as I do Apache, FileZilla Server and a few others. I'm using Windows 2000 Professional SP4. I'm fairly sure it was working with 3.2.3 SSL. I upgraded to 3.2.5 and as I couldn't find the password to the restricted account I had for Unreal, set up a new account, and everything stopped working. I am having exactly the same symptoms as skyflash, and have tried on a clean Virtual PC image, with the same problem. When I run wircd.exe as the restricted account, the server functions normally, but when run as a service it doesn't start. The only error I can find is in the Security Event log:
Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
New Handle ID: -
Operation ID: {0,2515394}
Process ID: 712
Primary User Name: COCONUT$
Primary Domain: PASCO
Primary Logon ID: (0x0,0x3E7)
Client User Name: <Unreal IRC user account>
Client Domain: COCONUT
Client Logon ID: (0x0,0x254C3F)
Accesses READ_CONTROL
Connect to service controller
Lock service database for exclusive access
Privileges - |
|
It's not a bug in Unreal. "Only processes with Administrator privileges are able to open handles to the SCM that can be used by the CreateService and LockServiceDatabase functions." ©MSDN If you want to run Unreal as a non-privileged user, you must give him the "Log on as a service" right. - http://www.greyware.com/software/rum/rights.asp |
|
I have granted the IRCD user permission to log on as a service - should Unreal even need to lock the service database for exclusive access? |
|
I, too, have granted it permission to log on as a service. This happens automatically btw, if you use the GUI interface to admin the service. |
|
patch provided by BuHHunyx. The service doesn't run because the path isn't set to the correct directory and wircd.exe doesn't find the config file. Grant the user permission to run the service: subinacl /SERVICE "UnrealIRCd" /GRANT=user=X Don't forget to give the user permissions on the NTFS volume. EDIT: typo |
|
not worked now, but we will try! |
|
patch provided by BuHHunyx. The service doesn't run because the path isn't set to the correct directory and wircd.exe doesn't find the config file. Grant the user permission to run the service: subinacl /SERVICE "UnrealIRCd" /GRANT=user=X Don't forget to give the user permissions on the NTFS volume. 2 syzop: I've checked it!!! And it works! Strictly speaking, all the work with the service in general must be rewritten © BuHHunyx |
|
It seems error checking is gone in this patch (forgot to move?), something like that should have been moved as well. Anyway, this would be for after 3.2.6, so no hurry ;) |
|
Bump. Still an issue? |
|
Yes, still an issue... still not possible to run Unreal other than as an Administrator. There is something seriously flawed within the service code. |
|
Confirmed that it's still an issue in 3.2.6. |
|
Yep. This bug still exists. Disappointing, really, since I had everything working on my new install. I won't run UnrealIRCd if it requires LocalSystem... Hope you folks get this fixed. |
|
Fixed in .726: - Win32: Made UnrealIRCd run as a service under non-privileged accounts (ones that do not belong to the Administrator group). Reported by skyflash, Bock, zer, etc... Thanks to BuHHunyx for some hints on how to fix this. |
|
This patch has been REVERSED, as it causes an annoying 15s delay when booting wircd in non-services mode. Since this isn't release-critical I'm not going to waste any further time on this... For those interested, this was the patch: http://cvs.unrealircd.com/cgi/viewcvs.cgi/unreal/src/win32/Attic/gui.c.diff?search=None&hideattic=1&r2=1.1.2.6&only_with_tag=unreal3_2_fixes&r1=1.1.2.5&diff_format=u I probably shouldn't have started on this in the first place.. as it already delayed the RC by one day... |
|
It would be worth looking into this for 4.2.4 (not 4.2.3). Even though nobody showed any interest in the past 10 years... it is just silly and not offering the option to run as a different user (bit like running as root) is rather insecure... even though Windows security is pretty useless once you can execute code, but okay.. This was the original patch: https://github.com/unrealircd/unrealircd/commit/a77b8c4da25fac5c1b16f039d05bbc274ecbd818 |
|
At least 1 person showed interest last week, on the forums. Added to UnrealIRCd 5 TODO list. |
|
pull request at https://github.com/unrealircd/unrealircd/pull/85 |
|
Done in UnrealIRCd 5. Thanks everyone!

commit 788cdd2956f82345716c293a0ae1c83200421a31 (HEAD -> unreal50, origin/unreal50)
Author: Bram Matthys <[email protected]>
Date: Mon Nov 11 09:44:31 2019 +0100

On Windows, if you choose to run UnrealIRCd 5 as a service, it now runs under the NetworkService account, rather than LocalSystem (SYSTEM).

Something along those lines was suggested long ago in: https://bugs.unrealircd.org/view.php?id=2330 with a patch from BuHHunyx. The more recent pull request from AlexandraBryant suggested to use the NetworkService account and also fixed the (major) problem with the original patch that caused UnrealIRCd to hang for 15 seconds when UnrealIRCd was started in GUI mode (non-services mode).

The installer was changed to automatically set the appropriate permissions on the UnrealIRCd 5 folder if "Install as a service" was selected. This so NetworkService can write, otherwise it would be unable to copy modules to tmp\, write to log files, etc. etc. We print a clear warning if you manually install the service at a later stage, suggesting to run the installer instead or to manually change the permissions.

Better error checking and reporting was added when running 'unrealsvc' and when we are unable to connect to the service manager. This is much more common nowadays as you need elevated admin permissions.

https://github.com/unrealircd/unrealircd/commit/788cdd2956f82345716c293a0ae1c83200421a31 |
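
The two conditions the final note describes (a non-SYSTEM service account, and write access for that account on the install folder) can be checked with a read-only audit like the one below. This is an added example, not part of the thread or of UnrealIRCd's code. The install path is an assumption, the service name is the one used in the subinacl note, and only explicit ACEs for the account itself are examined (rights granted through groups are not).

```powershell
# Added example: read-only audit of a Windows service's account and folder ACL.
param(
    [string]$ServiceName = 'UnrealIRCd',                     # name used in the subinacl note
    [string]$InstallDir  = 'C:\Program Files\UnrealIRCd 5'   # assumed install path
)

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed." }

# Resolve the logon account to a SID so the ACL comparison does not depend on
# display names ('NT AUTHORITY\NetworkService' vs 'NT AUTHORITY\NETWORK SERVICE').
$wellKnown = @{ 'LocalSystem' = 'S-1-5-18'; 'LocalService' = 'S-1-5-19'; 'NetworkService' = 'S-1-5-20' }
$short = ($svc.StartName -split '\\')[-1]
if ($wellKnown.ContainsKey($short)) {
    $sid = $wellKnown[$short]
} else {
    # Local accounts are stored as '.\name'; NTAccount needs the machine name.
    $name = $svc.StartName -replace '^\.\\', ($env:COMPUTERNAME + '\')
    $acct = [System.Security.Principal.NTAccount]$name
    $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Look for an Allow ACE (explicit or inherited) that grants Modify to that SID.
$need  = [System.Security.AccessControl.FileSystemRights]::Modify
$acl   = Get-Acl -LiteralPath $InstallDir
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$canWrite = [bool]($rules | Where-Object {
    $_.IdentityReference.Value -eq $sid -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $need) -eq $need
})

$findings = @()
if ($sid -eq 'S-1-5-18') { $findings += 'Service runs as LocalSystem (SYSTEM).' }
if (-not $canWrite)      { $findings += "No direct Modify ACE for $($svc.StartName) on $InstallDir." }

# A service starts with System32 as its working directory; a service.log there
# hints at a start-up that resolved relative paths in the wrong place.
$stray = Join-Path $env:SystemRoot 'System32\service.log'
if (Test-Path -LiteralPath $stray) { $findings += "Found $stray (wrong working directory?)." }

[pscustomobject]@{
    Service  = $svc.Name
    Account  = $svc.StartName
    Sid      = $sid
    Findings = $findings
}
```

An empty Findings list means the service is not running as SYSTEM and its account has an explicit Modify grant on the folder.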
Date Modified | Username | Field | Change |
---|---|---|---|
2005-02-11 10:45 | skyflash | New Issue | |
2005-02-11 11:05 | syzop | Summary | Not possible to install IRCD as a service run by a non-privileged user => [Win32] Not possible to install IRCD as a service run by a non-privileged user |
2005-02-11 11:05 | syzop | Steps to Reproduce Updated | |
2005-02-11 11:05 | syzop | Additional Information Updated | |
2005-02-11 12:38 | | Note Added: 0009079 | |
2005-02-11 16:33 | skyflash | Note Added: 0009083 | |
2006-09-19 06:46 | Proactive Services | Note Added: 0012406 | |
2006-09-27 13:38 | Bock | Note Added: 0012451 | |
2006-09-27 14:05 | Proactive Services | Note Added: 0012452 | |
2006-09-28 00:06 | skyflash | Note Added: 0012453 | |
2006-11-17 10:09 | Bock | Note Added: 0012684 | |
2006-11-17 10:09 | Bock | File Added: gui.c.diff | |
2006-11-17 10:10 | Bock | Note Edited: 0012684 | |
2006-11-24 13:50 | Bock | Note Added: 0012711 | |
2006-11-28 11:28 | Bock | File Added: gui.c.diff2 | |
2006-11-28 11:31 | Bock | Note Added: 0012750 | |
2006-11-28 17:04 | syzop | Note Added: 0012754 | |
2006-11-28 17:05 | syzop | Note Edited: 0012754 | |
2007-04-19 04:25 | | Relationship added | has duplicate 0003242 |
2007-04-27 05:20 | | Note Added: 0013814 | |
2007-04-27 05:20 | | Status | new => acknowledged |
2007-04-27 07:38 | skyflash | Note Added: 0013879 | |
2007-04-27 07:56 | Proactive Services | Note Added: 0013880 | |
2007-04-27 08:29 | | Status | acknowledged => confirmed |
2007-07-18 07:28 | | Relationship added | child of 0003454 |
2008-07-23 13:33 | zer | Note Added: 0015325 | |
2008-12-23 15:51 | syzop | QA | => Not touched yet by developer |
2008-12-23 15:51 | syzop | U4: Need for upstream patch | => No need for upstream InspIRCd patch |
2008-12-23 15:51 | syzop | Status | confirmed => resolved |
2008-12-23 15:51 | syzop | Fixed in Version | => 3.2.8 |
2008-12-23 15:51 | syzop | Resolution | open => fixed |
2008-12-23 15:51 | syzop | Assigned To | => syzop |
2008-12-23 15:51 | syzop | Note Added: 0015509 | |
2008-12-24 12:21 | syzop | Note Added: 0015524 | |
2008-12-24 12:21 | syzop | Assigned To | syzop => |
2008-12-24 12:21 | syzop | Status | resolved => confirmed |
2008-12-24 12:21 | syzop | U4: Upstream notification of bug | => Not decided |
2008-12-24 12:21 | syzop | U4: Contributor working on this | => None |
2008-12-24 12:21 | syzop | Resolution | fixed => open |
2008-12-24 12:23 | syzop | Relationship deleted | child of 0003454 |
2019-04-22 20:51 | syzop | Target Version | => 4.2.4 |
2019-04-22 20:51 | syzop | Note Added: 0020591 | |
2019-04-22 20:52 | syzop | Note Edited: 0020591 | |
2019-10-06 19:54 | syzop | Target Version | 4.2.4 => |
2019-10-06 19:54 | syzop | Relationship added | child of 0005279 |
2019-10-06 19:54 | syzop | Note Added: 0020944 | |
2019-11-07 17:18 | syzop | Note Added: 0021068 | |
2019-11-07 17:18 | syzop | Assigned To | => syzop |
2019-11-07 17:18 | syzop | Status | confirmed => has patch |
2019-11-11 10:04 | syzop | Status | has patch => resolved |
2019-11-11 10:04 | syzop | Resolution | open => fixed |
2019-11-11 10:04 | syzop | Fixed in Version | 3.2.8 => 5.0.0-rc1 |
2019-11-11 10:04 | syzop | Note Added: 0021070 |