mirror of
https://github.com/PaperMC/Paper.git
synced 2024-09-15 08:28:01 +02:00
de04cbced5
Upstream has released updates that appear to apply and compile correctly. This update has not been tested by PaperMC and as with ANY update, please do your own testing Bukkit Changes: f29cb801 Separate checkstyle-suppressions file is not required 86f99bbe SPIGOT-7540, PR-946: Add ServerTickManager API d4119585 SPIGOT-6903, PR-945: Add BlockData#getMapColor b7a2ed41 SPIGOT-7530, PR-947: Add Player#removeResourcePack 9dd56255 SPIGOT-7527, PR-944: Add WindCharge#explode() 994a6163 Attempt upgrade of resolver libraries CraftBukkit Changes: b3b43a6ad Add Checkstyle check for unused imports 13fb3358e SPIGOT-7544: Scoreboard#getEntries() doesn't get entries but class names 3dda99c06 SPIGOT-7540, PR-1312: Add ServerTickManager API 2ab4508c0 SPIGOT-6903, PR-1311: Add BlockData#getMapColor 1dbdbbed4 PR-1238: Remove unnecessary sign ticking 659728d2a MC-264285, SPIGOT-7439, PR-1237: Fix unbreakable flint and steel is completely consumed while igniting creeper e37e29ce0 Increase outdated build delay c00438b39 SPIGOT-7530, PR-1313: Add Player#removeResourcePack 492dd80ce SPIGOT-7527, PR-1310: Add WindCharge#explode() e11fbb9d7 Upgrade MySQL driver 9f3a0bd2a Attempt upgrade of resolver libraries 60d16d7ca PR-1306: Centralize Bukkit and Minecraft entity conversion Spigot Changes: 06d602e7 Rebuild patches
80 lines
4.1 KiB
Diff
80 lines
4.1 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: egg82 <eggys82@gmail.com>
|
|
Date: Sat, 11 Sep 2021 22:55:14 +0200
|
|
Subject: [PATCH] Add root/admin user detection
|
|
|
|
This patch detects whether or not the server is currently executing as a privileged user and spits out a warning.
|
|
The warning serves as a sort-of PSA for newer server admins who don't understand the risks of running as root.
|
|
We've seen plenty of bad/malicious plugins hit markets, and there's been a few close-calls with exploits in the past.
|
|
Hopefully this helps mitigate some potential damage to servers, even if it is just a warning.
|
|
|
|
Co-authored-by: Noah van der Aa <ndvdaa@gmail.com>
|
|
|
|
diff --git a/src/main/java/io/papermc/paper/util/ServerEnvironment.java b/src/main/java/io/papermc/paper/util/ServerEnvironment.java
|
|
new file mode 100644
|
|
index 0000000000000000000000000000000000000000..6bd0afddbcc461149dfe9a5c7a86fff6ea13a5f1
|
|
--- /dev/null
|
|
+++ b/src/main/java/io/papermc/paper/util/ServerEnvironment.java
|
|
@@ -0,0 +1,40 @@
|
|
+package io.papermc.paper.util;
|
|
+
|
|
+import com.sun.security.auth.module.NTSystem;
|
|
+import com.sun.security.auth.module.UnixSystem;
|
|
+import org.apache.commons.lang.SystemUtils;
|
|
+
|
|
+import java.io.IOException;
|
|
+import java.io.InputStream;
|
|
+import java.util.Set;
|
|
+
|
|
+public class ServerEnvironment {
|
|
+ private static final boolean RUNNING_AS_ROOT_OR_ADMIN;
|
|
+ private static final String WINDOWS_HIGH_INTEGRITY_LEVEL = "S-1-16-12288";
|
|
+
|
|
+ static {
|
|
+ if (SystemUtils.IS_OS_WINDOWS) {
|
|
+ RUNNING_AS_ROOT_OR_ADMIN = Set.of(new NTSystem().getGroupIDs()).contains(WINDOWS_HIGH_INTEGRITY_LEVEL);
|
|
+ } else {
|
|
+ boolean isRunningAsRoot = false;
|
|
+ if (new UnixSystem().getUid() == 0) {
|
|
+ // Due to an OpenJDK bug (https://bugs.openjdk.java.net/browse/JDK-8274721), UnixSystem#getUid incorrectly
|
|
+ // returns 0 when the user doesn't have a username. Because of this, we'll have to double-check if the user ID is
|
|
+ // actually 0 by running the id -u command.
|
|
+ try {
|
|
+ Process process = new ProcessBuilder("id", "-u").start();
|
|
+ process.waitFor();
|
|
+ InputStream inputStream = process.getInputStream();
|
|
+ isRunningAsRoot = new String(inputStream.readAllBytes()).trim().equals("0");
|
|
+ } catch (InterruptedException | IOException ignored) {
|
|
+ isRunningAsRoot = false;
|
|
+ }
|
|
+ }
|
|
+ RUNNING_AS_ROOT_OR_ADMIN = isRunningAsRoot;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ public static boolean userIsRootOrAdmin() {
|
|
+ return RUNNING_AS_ROOT_OR_ADMIN;
|
|
+ }
|
|
+}
|
|
diff --git a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
|
|
index 0008e63e96841c48fa039001f282ffa70c88494f..a305557e97d8719f5f82e70794d15242364ce136 100644
|
|
--- a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
|
|
+++ b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
|
|
@@ -179,6 +179,16 @@ public class DedicatedServer extends MinecraftServer implements ServerInterface
|
|
DedicatedServer.LOGGER.warn("To start the server with more ram, launch it as \"java -Xmx1024M -Xms1024M -jar minecraft_server.jar\"");
|
|
}
|
|
|
|
+ // Paper start - detect running as root
|
|
+ if (io.papermc.paper.util.ServerEnvironment.userIsRootOrAdmin()) {
|
|
+ DedicatedServer.LOGGER.warn("****************************");
|
|
+ DedicatedServer.LOGGER.warn("YOU ARE RUNNING THIS SERVER AS AN ADMINISTRATIVE OR ROOT USER. THIS IS NOT ADVISED.");
|
|
+ DedicatedServer.LOGGER.warn("YOU ARE OPENING YOURSELF UP TO POTENTIAL RISKS WHEN DOING THIS.");
|
|
+ DedicatedServer.LOGGER.warn("FOR MORE INFORMATION, SEE https://madelinemiller.dev/blog/root-minecraft-server/");
|
|
+ DedicatedServer.LOGGER.warn("****************************");
|
|
+ }
|
|
+ // Paper end
|
|
+
|
|
DedicatedServer.LOGGER.info("Loading properties");
|
|
DedicatedServerProperties dedicatedserverproperties = this.settings.getProperties();
|
|
|