From 6a642c3f470df19577762f1c8e1f3b8f2a57e55c Mon Sep 17 00:00:00 2001 From: Noah van der Aa Date: Sat, 9 Oct 2021 11:29:05 +0200 Subject: [PATCH] Re-readd root/admin user detection (#6703) * Re-readd root/admin user detection * I am dum * Only run id command if needed * Use ProcessBuilder * Link to issue * Rebase Co-authored-by: Madeline Miller --- .../Add-root-admin-user-detection.patch | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 patches/server/Add-root-admin-user-detection.patch diff --git a/patches/server/Add-root-admin-user-detection.patch b/patches/server/Add-root-admin-user-detection.patch new file mode 100644 index 0000000000..c07fa8ea3f --- /dev/null +++ b/patches/server/Add-root-admin-user-detection.patch @@ -0,0 +1,79 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: egg82 +Date: Sat, 11 Sep 2021 22:55:14 +0200 +Subject: [PATCH] Add root/admin user detection + +This patch detects whether or not the server is currently executing as a privileged user and spits out a warning. +The warning serves as a sort-of PSA for newer server admins who don't understand the risks of running as root. +We've seen plenty of bad/malicious plugins hit markets, and there's been a few close-calls with exploits in the past. +Hopefully this helps mitigate some potential damage to servers, even if it is just a warning. + +Co-authored-by: Noah van der Aa + +diff --git a/src/main/java/io/papermc/paper/util/ServerEnvironment.java b/src/main/java/io/papermc/paper/util/ServerEnvironment.java +new file mode 100644 +index 0000000000000000000000000000000000000000..0000000000000000000000000000000000000000 +--- /dev/null ++++ b/src/main/java/io/papermc/paper/util/ServerEnvironment.java +@@ -0,0 +0,0 @@ ++package io.papermc.paper.util; ++ ++import com.sun.security.auth.module.NTSystem; ++import com.sun.security.auth.module.UnixSystem; ++import org.apache.commons.lang.SystemUtils; ++ ++import java.io.IOException; ++import java.io.InputStream; ++import java.util.Set; ++ ++public class ServerEnvironment { ++ private static final boolean RUNNING_AS_ROOT_OR_ADMIN; ++ private static final String WINDOWS_HIGH_INTEGRITY_LEVEL = "S-1-16-12288"; ++ ++ static { ++ if (SystemUtils.IS_OS_WINDOWS) { ++ RUNNING_AS_ROOT_OR_ADMIN = Set.of(new NTSystem().getGroupIDs()).contains(WINDOWS_HIGH_INTEGRITY_LEVEL); ++ } else { ++ boolean isRunningAsRoot = false; ++ if (new UnixSystem().getUid() == 0) { ++ // Due to an OpenJDK bug (https://bugs.openjdk.java.net/browse/JDK-8274721), UnixSystem#getUid incorrectly ++ // returns 0 when the user doesn't have a username. Because of this, we'll have to double-check if the user ID is ++ // actually 0 by running the id -u command. ++ try { ++ Process process = new ProcessBuilder("id", "-u").start(); ++ process.waitFor(); ++ InputStream inputStream = process.getInputStream(); ++ isRunningAsRoot = new String(inputStream.readAllBytes()).trim().equals("0"); ++ } catch (InterruptedException | IOException ignored) { ++ isRunningAsRoot = false; ++ } ++ } ++ RUNNING_AS_ROOT_OR_ADMIN = isRunningAsRoot; ++ } ++ } ++ ++ public static boolean userIsRootOrAdmin() { ++ return RUNNING_AS_ROOT_OR_ADMIN; ++ } ++} +diff --git a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java +index 0000000000000000000000000000000000000000..0000000000000000000000000000000000000000 100644 +--- a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java ++++ b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java +@@ -0,0 +0,0 @@ public class DedicatedServer extends MinecraftServer implements ServerInterface + DedicatedServer.LOGGER.warn("To start the server with more ram, launch it as \"java -Xmx1024M -Xms1024M -jar minecraft_server.jar\""); + } + ++ // Paper start - detect running as root ++ if (io.papermc.paper.util.ServerEnvironment.userIsRootOrAdmin()) { ++ DedicatedServer.LOGGER.warn("****************************"); ++ DedicatedServer.LOGGER.warn("YOU ARE RUNNING THIS SERVER AS AN ADMINISTRATIVE OR ROOT USER. THIS IS NOT ADVISED."); ++ DedicatedServer.LOGGER.warn("YOU ARE OPENING YOURSELF UP TO POTENTIAL RISKS WHEN DOING THIS."); ++ DedicatedServer.LOGGER.warn("FOR MORE INFORMATION, SEE https://madelinemiller.dev/blog/root-minecraft-server/"); ++ DedicatedServer.LOGGER.warn("****************************"); ++ } ++ // Paper end ++ + DedicatedServer.LOGGER.info("Loading properties"); + DedicatedServerProperties dedicatedserverproperties = this.settings.getProperties(); +