Add root/admin user detection
This patch detects whether or not the server is currently executing as a privileged user and spits out a warning. The warning serves as a sort-of PSA for newer server admins who don't understand the risks of running as root. We've seen plenty of bad/malicious plugins hit markets, and there have been a few close calls with exploits in the past. Hopefully this helps mitigate some potential damage to servers, even if it is just a warning. Co-authored-by: Noah van der Aa <ndvdaa@gmail.com>
parent
987d596834
commit
61353ac496
@ -35,7 +35,7 @@
|
|||||||
@Nullable
|
@Nullable
|
||||||
private RconThread rconThread;
|
private RconThread rconThread;
|
||||||
public DedicatedServerSettings settings;
|
public DedicatedServerSettings settings;
|
||||||
@@ -81,36 +92,102 @@
|
@@ -81,41 +92,117 @@
|
||||||
private DebugSampleSubscriptionTracker debugSampleSubscriptionTracker;
|
private DebugSampleSubscriptionTracker debugSampleSubscriptionTracker;
|
||||||
public ServerLinks serverLinks;
|
public ServerLinks serverLinks;
|
||||||
|
|
||||||
@ -148,7 +148,22 @@
|
|||||||
DedicatedServer.LOGGER.info("Starting minecraft server version {}", SharedConstants.getCurrentVersion().getName());
|
DedicatedServer.LOGGER.info("Starting minecraft server version {}", SharedConstants.getCurrentVersion().getName());
|
||||||
if (Runtime.getRuntime().maxMemory() / 1024L / 1024L < 512L) {
|
if (Runtime.getRuntime().maxMemory() / 1024L / 1024L < 512L) {
|
||||||
DedicatedServer.LOGGER.warn("To start the server with more ram, launch it as \"java -Xmx1024M -Xms1024M -jar minecraft_server.jar\"");
|
DedicatedServer.LOGGER.warn("To start the server with more ram, launch it as \"java -Xmx1024M -Xms1024M -jar minecraft_server.jar\"");
|
||||||
@@ -126,14 +203,50 @@
|
}
|
||||||
|
|
||||||
|
+ // Paper start - detect running as root
|
||||||
|
+ if (io.papermc.paper.util.ServerEnvironment.userIsRootOrAdmin()) {
|
||||||
|
+ DedicatedServer.LOGGER.warn("****************************");
|
||||||
|
+ DedicatedServer.LOGGER.warn("YOU ARE RUNNING THIS SERVER AS AN ADMINISTRATIVE OR ROOT USER. THIS IS NOT ADVISED.");
|
||||||
|
+ DedicatedServer.LOGGER.warn("YOU ARE OPENING YOURSELF UP TO POTENTIAL RISKS WHEN DOING THIS.");
|
||||||
|
+ DedicatedServer.LOGGER.warn("FOR MORE INFORMATION, SEE https://madelinemiller.dev/blog/root-minecraft-server/");
|
||||||
|
+ DedicatedServer.LOGGER.warn("****************************");
|
||||||
|
+ }
|
||||||
|
+ // Paper end - detect running as root
|
||||||
|
+
|
||||||
|
DedicatedServer.LOGGER.info("Loading properties");
|
||||||
|
DedicatedServerProperties dedicatedserverproperties = this.settings.getProperties();
|
||||||
|
|
||||||
|
@@ -126,14 +213,50 @@
|
||||||
this.setPreventProxyConnections(dedicatedserverproperties.preventProxyConnections);
|
this.setPreventProxyConnections(dedicatedserverproperties.preventProxyConnections);
|
||||||
this.setLocalIp(dedicatedserverproperties.serverIp);
|
this.setLocalIp(dedicatedserverproperties.serverIp);
|
||||||
}
|
}
|
||||||
@ -200,7 +215,7 @@
|
|||||||
InetAddress inetaddress = null;
|
InetAddress inetaddress = null;
|
||||||
|
|
||||||
if (!this.getLocalIp().isEmpty()) {
|
if (!this.getLocalIp().isEmpty()) {
|
||||||
@@ -143,12 +256,15 @@
|
@@ -143,12 +266,15 @@
|
||||||
if (this.getPort() < 0) {
|
if (this.getPort() < 0) {
|
||||||
this.setPort(dedicatedserverproperties.serverPort);
|
this.setPort(dedicatedserverproperties.serverPort);
|
||||||
}
|
}
|
||||||
@ -217,7 +232,7 @@
|
|||||||
} catch (IOException ioexception) {
|
} catch (IOException ioexception) {
|
||||||
DedicatedServer.LOGGER.warn("**** FAILED TO BIND TO PORT!");
|
DedicatedServer.LOGGER.warn("**** FAILED TO BIND TO PORT!");
|
||||||
DedicatedServer.LOGGER.warn("The exception was: {}", ioexception.toString());
|
DedicatedServer.LOGGER.warn("The exception was: {}", ioexception.toString());
|
||||||
@@ -156,21 +272,31 @@
|
@@ -156,21 +282,31 @@
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -254,7 +269,7 @@
|
|||||||
this.debugSampleSubscriptionTracker = new DebugSampleSubscriptionTracker(this.getPlayerList());
|
this.debugSampleSubscriptionTracker = new DebugSampleSubscriptionTracker(this.getPlayerList());
|
||||||
this.tickTimeLogger = new RemoteSampleLogger(TpsDebugDimensions.values().length, this.debugSampleSubscriptionTracker, RemoteDebugSampleType.TICK_TIME);
|
this.tickTimeLogger = new RemoteSampleLogger(TpsDebugDimensions.values().length, this.debugSampleSubscriptionTracker, RemoteDebugSampleType.TICK_TIME);
|
||||||
long i = Util.getNanos();
|
long i = Util.getNanos();
|
||||||
@@ -178,13 +304,13 @@
|
@@ -178,13 +314,13 @@
|
||||||
SkullBlockEntity.setup(this.services, this);
|
SkullBlockEntity.setup(this.services, this);
|
||||||
GameProfileCache.setUsesAuthentication(this.usesAuthentication());
|
GameProfileCache.setUsesAuthentication(this.usesAuthentication());
|
||||||
DedicatedServer.LOGGER.info("Preparing level \"{}\"", this.getLevelIdName());
|
DedicatedServer.LOGGER.info("Preparing level \"{}\"", this.getLevelIdName());
|
||||||
@ -270,7 +285,7 @@
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (dedicatedserverproperties.enableQuery) {
|
if (dedicatedserverproperties.enableQuery) {
|
||||||
@@ -197,7 +323,7 @@
|
@@ -197,7 +333,7 @@
|
||||||
this.rconThread = RconThread.create(this);
|
this.rconThread = RconThread.create(this);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -279,7 +294,7 @@
|
|||||||
Thread thread1 = new Thread(new ServerWatchdog(this));
|
Thread thread1 = new Thread(new ServerWatchdog(this));
|
||||||
|
|
||||||
thread1.setUncaughtExceptionHandler(new DefaultUncaughtExceptionHandlerWithName(DedicatedServer.LOGGER));
|
thread1.setUncaughtExceptionHandler(new DefaultUncaughtExceptionHandlerWithName(DedicatedServer.LOGGER));
|
||||||
@@ -215,6 +341,12 @@
|
@@ -215,6 +351,12 @@
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -292,7 +307,7 @@
|
|||||||
@Override
|
@Override
|
||||||
public boolean isSpawningMonsters() {
|
public boolean isSpawningMonsters() {
|
||||||
return this.settings.getProperties().spawnMonsters && super.isSpawningMonsters();
|
return this.settings.getProperties().spawnMonsters && super.isSpawningMonsters();
|
||||||
@@ -227,7 +359,7 @@
|
@@ -227,7 +369,7 @@
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void forceDifficulty() {
|
public void forceDifficulty() {
|
||||||
@ -301,7 +316,7 @@
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
@@ -286,13 +418,14 @@
|
@@ -286,13 +428,14 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
if (this.rconThread != null) {
|
if (this.rconThread != null) {
|
||||||
@ -318,7 +333,7 @@
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
@@ -302,19 +435,29 @@
|
@@ -302,19 +445,29 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
@ -354,7 +369,7 @@
|
|||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
@@ -383,7 +526,7 @@
|
@@ -383,7 +536,7 @@
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public boolean isUnderSpawnProtection(ServerLevel world, BlockPos pos, Player player) {
|
public boolean isUnderSpawnProtection(ServerLevel world, BlockPos pos, Player player) {
|
||||||
@ -363,7 +378,7 @@
|
|||||||
return false;
|
return false;
|
||||||
} else if (this.getPlayerList().getOps().isEmpty()) {
|
} else if (this.getPlayerList().getOps().isEmpty()) {
|
||||||
return false;
|
return false;
|
||||||
@@ -453,7 +596,11 @@
|
@@ -453,7 +606,11 @@
|
||||||
public boolean enforceSecureProfile() {
|
public boolean enforceSecureProfile() {
|
||||||
DedicatedServerProperties dedicatedserverproperties = this.getProperties();
|
DedicatedServerProperties dedicatedserverproperties = this.getProperties();
|
||||||
|
|
||||||
@ -376,7 +391,7 @@
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
@@ -541,16 +688,52 @@
|
@@ -541,16 +698,52 @@
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String getPluginNames() {
|
public String getPluginNames() {
|
||||||
@ -433,7 +448,7 @@
|
|||||||
}
|
}
|
||||||
|
|
||||||
public void storeUsingWhiteList(boolean useWhitelist) {
|
public void storeUsingWhiteList(boolean useWhitelist) {
|
||||||
@@ -660,4 +843,15 @@
|
@@ -660,4 +853,15 @@
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
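Review bot: The banner added in the `// Paper start - detect running as root` block only says "POTENTIAL RISKS" and defers the explanation to an external blog URL, so the log never states the actual exposure, and its usefulness depends on a site the project does not appear to control. I would name the risk in the message itself, e.g. `DedicatedServer.LOGGER.warn("PLUGINS AND EXPLOITS RUN WITH THE SERVER'S PRIVILEGES; AS ROOT/ADMIN THAT IS THE WHOLE MACHINE.");`, and point the link at project-hosted documentation if such a page exists. The check is also advisory only, since execution continues straight to "Loading properties" after the banner. A comment such as `// Advisory only: startup continues when running as root/admin` would make that explicit. The enclosing method starts and ends outside the visible hunk.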
|
@ -0,0 +1,23 @@
|
|||||||
|
package io.papermc.paper.util;
|
||||||
|
|
||||||
|
import com.sun.security.auth.module.NTSystem;
|
||||||
|
import com.sun.security.auth.module.UnixSystem;
|
||||||
|
import java.util.Set;
|
||||||
|
import org.apache.commons.lang.SystemUtils;
|
||||||
|
|
||||||
|
public class ServerEnvironment {
|
||||||
|
private static final boolean RUNNING_AS_ROOT_OR_ADMIN;
|
||||||
|
private static final String WINDOWS_HIGH_INTEGRITY_LEVEL = "S-1-16-12288";
|
||||||
|
|
||||||
|
static {
|
||||||
|
if (SystemUtils.IS_OS_WINDOWS) {
|
||||||
|
RUNNING_AS_ROOT_OR_ADMIN = Set.of(new NTSystem().getGroupIDs()).contains(WINDOWS_HIGH_INTEGRITY_LEVEL);
|
||||||
|
} else {
|
||||||
|
RUNNING_AS_ROOT_OR_ADMIN = new UnixSystem().getUid() == 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public static boolean userIsRootOrAdmin() {
|
||||||
|
return RUNNING_AS_ROOT_OR_ADMIN;
|
||||||
|
}
|
||||||
|
}
|
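Review bot: The static initializer of `ServerEnvironment` calls `new NTSystem()` / `new UnixSystem()` with no error handling, so any failure there would surface as an `ExceptionInInitializerError` on the first `userIsRootOrAdmin()` call during startup, turning an advisory warning into a crash. One possible cause, not verifiable from this page, is a runtime where the JDK's `com.sun.security.auth.module` classes or their native helper are unavailable. `Set.of(...)` also throws on duplicate or null elements, which `getGroupIDs()` is not shown to rule out, so a plain list lookup is safer. I would compute the flag into a local inside a try/catch and default to `false`, as sketched below. Separately, the checks are narrow: the Windows branch matches only the high integrity SID, so a process at system integrity would presumably not be flagged, and the Unix branch tests only uid 0. A short class Javadoc stating these limits would keep callers from reading `false` as "unprivileged".

```java
    static {
        boolean privileged = false;
        try {
            if (SystemUtils.IS_OS_WINDOWS) {
                // List lookup instead of Set.of(...): tolerates duplicate group SIDs.
                privileged = java.util.Arrays.asList(new NTSystem().getGroupIDs()).contains(WINDOWS_HIGH_INTEGRITY_LEVEL);
            } else {
                privileged = new UnixSystem().getUid() == 0;
            }
        } catch (LinkageError | RuntimeException ignored) {
            // Advisory check only: a missing or failing JDK auth helper must not abort class initialization.
        }
        RUNNING_AS_ROOT_OR_ADMIN = privileged;
    }
```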