2021-10-09 11:29:05 +02:00
|
|
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
|
From: egg82 <eggys82@gmail.com>
|
|
|
|
Date: Sat, 11 Sep 2021 22:55:14 +0200
|
|
|
|
Subject: [PATCH] Add root/admin user detection
|
|
|
|
|
|
|
|
This patch detects whether or not the server is currently executing as a privileged user and spits out a warning.
|
|
|
|
The warning serves as a sort-of PSA for newer server admins who don't understand the risks of running as root.
|
|
|
|
We've seen plenty of bad/malicious plugins hit markets, and there's been a few close-calls with exploits in the past.
|
|
|
|
Hopefully this helps mitigate some potential damage to servers, even if it is just a warning.
|
|
|
|
|
|
|
|
Co-authored-by: Noah van der Aa <ndvdaa@gmail.com>
|
|
|
|
|
|
|
|
diff --git a/src/main/java/io/papermc/paper/util/ServerEnvironment.java b/src/main/java/io/papermc/paper/util/ServerEnvironment.java
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000000000000000000000000000000000000..6bd0afddbcc461149dfe9a5c7a86fff6ea13a5f1
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/main/java/io/papermc/paper/util/ServerEnvironment.java
|
|
|
|
@@ -0,0 +1,40 @@
|
|
|
|
+package io.papermc.paper.util;
|
|
|
|
+
|
|
|
|
+import com.sun.security.auth.module.NTSystem;
|
|
|
|
+import com.sun.security.auth.module.UnixSystem;
|
|
|
|
+import org.apache.commons.lang.SystemUtils;
|
|
|
|
+
|
|
|
|
+import java.io.IOException;
|
|
|
|
+import java.io.InputStream;
|
|
|
|
+import java.util.Set;
|
|
|
|
+
|
|
|
|
+public class ServerEnvironment {
|
|
|
|
+ private static final boolean RUNNING_AS_ROOT_OR_ADMIN;
|
|
|
|
+ private static final String WINDOWS_HIGH_INTEGRITY_LEVEL = "S-1-16-12288";
|
|
|
|
+
|
|
|
|
+ static {
|
|
|
|
+ if (SystemUtils.IS_OS_WINDOWS) {
|
|
|
|
+ RUNNING_AS_ROOT_OR_ADMIN = Set.of(new NTSystem().getGroupIDs()).contains(WINDOWS_HIGH_INTEGRITY_LEVEL);
|
|
|
|
+ } else {
|
|
|
|
+ boolean isRunningAsRoot = false;
|
|
|
|
+ if (new UnixSystem().getUid() == 0) {
|
|
|
|
+ // Due to an OpenJDK bug (https://bugs.openjdk.java.net/browse/JDK-8274721), UnixSystem#getUid incorrectly
|
|
|
|
+ // returns 0 when the user doesn't have a username. Because of this, we'll have to double-check if the user ID is
|
|
|
|
+ // actually 0 by running the id -u command.
|
|
|
|
+ try {
|
|
|
|
+ Process process = new ProcessBuilder("id", "-u").start();
|
|
|
|
+ process.waitFor();
|
|
|
|
+ InputStream inputStream = process.getInputStream();
|
|
|
|
+ isRunningAsRoot = new String(inputStream.readAllBytes()).trim().equals("0");
|
|
|
|
+ } catch (InterruptedException | IOException ignored) {
|
|
|
|
+ isRunningAsRoot = false;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+ RUNNING_AS_ROOT_OR_ADMIN = isRunningAsRoot;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ public static boolean userIsRootOrAdmin() {
|
|
|
|
+ return RUNNING_AS_ROOT_OR_ADMIN;
|
|
|
|
+ }
|
|
|
|
+}
|
|
|
|
diff --git a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
|
2022-03-01 06:43:03 +01:00
|
|
|
index 12020ec70e47499962ad19d03c89da8e2891536e..5c06cbc8680a06cc30a79c7115bb01c89d7a9cfa 100644
|
2021-10-09 11:29:05 +02:00
|
|
|
--- a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
|
|
|
|
+++ b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
|
2022-03-01 06:43:03 +01:00
|
|
|
@@ -191,6 +191,16 @@ public class DedicatedServer extends MinecraftServer implements ServerInterface
|
2021-10-09 11:29:05 +02:00
|
|
|
DedicatedServer.LOGGER.warn("To start the server with more ram, launch it as \"java -Xmx1024M -Xms1024M -jar minecraft_server.jar\"");
|
|
|
|
}
|
|
|
|
|
|
|
|
+ // Paper start - detect running as root
|
|
|
|
+ if (io.papermc.paper.util.ServerEnvironment.userIsRootOrAdmin()) {
|
|
|
|
+ DedicatedServer.LOGGER.warn("****************************");
|
|
|
|
+ DedicatedServer.LOGGER.warn("YOU ARE RUNNING THIS SERVER AS AN ADMINISTRATIVE OR ROOT USER. THIS IS NOT ADVISED.");
|
|
|
|
+ DedicatedServer.LOGGER.warn("YOU ARE OPENING YOURSELF UP TO POTENTIAL RISKS WHEN DOING THIS.");
|
|
|
|
+ DedicatedServer.LOGGER.warn("FOR MORE INFORMATION, SEE https://madelinemiller.dev/blog/root-minecraft-server/");
|
|
|
|
+ DedicatedServer.LOGGER.warn("****************************");
|
|
|
|
+ }
|
|
|
|
+ // Paper end
|
|
|
|
+
|
|
|
|
DedicatedServer.LOGGER.info("Loading properties");
|
|
|
|
DedicatedServerProperties dedicatedserverproperties = this.settings.getProperties();
|
|
|
|
|