aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorNoah van der Aa <[email protected]>2021-10-09 11:29:05 +0200
committerGitHub <[email protected]>2021-10-09 19:29:05 +1000
commitcd610df101fe36efe946b841f5e1f04446db1661 (patch)
tree8d5a425a71dd04749281097a103677eb92b10f60
parenta61827df9109522f4e84cbe312f6185ba9d7a254 (diff)
downloadPaper-cd610df101fe36efe946b841f5e1f04446db1661.tar.gz
Paper-cd610df101fe36efe946b841f5e1f04446db1661.zip
Re-readd root/admin user detection (#6703)
* Re-readd root/admin user detection * I am dum * Only run id command if needed * Use ProcessBuilder * Link to issue * Rebase Co-authored-by: Madeline Miller <[email protected]>
-rw-r--r--patches/server/0824-Add-root-admin-user-detection.patch79
1 files changed, 79 insertions, 0 deletions
diff --git a/patches/server/0824-Add-root-admin-user-detection.patch b/patches/server/0824-Add-root-admin-user-detection.patch
new file mode 100644
index 0000000000..053e03ef52
--- /dev/null
+++ b/patches/server/0824-Add-root-admin-user-detection.patch
@@ -0,0 +1,79 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: egg82 <[email protected]>
+Date: Sat, 11 Sep 2021 22:55:14 +0200
+Subject: [PATCH] Add root/admin user detection
+
+This patch detects whether or not the server is currently executing as a privileged user and spits out a warning.
+The warning serves as a sort-of PSA for newer server admins who don't understand the risks of running as root.
+We've seen plenty of bad/malicious plugins hit markets, and there's been a few close-calls with exploits in the past.
+Hopefully this helps mitigate some potential damage to servers, even if it is just a warning.
+
+Co-authored-by: Noah van der Aa <[email protected]>
+
+diff --git a/src/main/java/io/papermc/paper/util/ServerEnvironment.java b/src/main/java/io/papermc/paper/util/ServerEnvironment.java
+new file mode 100644
+index 0000000000000000000000000000000000000000..6bd0afddbcc461149dfe9a5c7a86fff6ea13a5f1
+--- /dev/null
++++ b/src/main/java/io/papermc/paper/util/ServerEnvironment.java
+@@ -0,0 +1,40 @@
++package io.papermc.paper.util;
++
++import com.sun.security.auth.module.NTSystem;
++import com.sun.security.auth.module.UnixSystem;
++import org.apache.commons.lang.SystemUtils;
++
++import java.io.IOException;
++import java.io.InputStream;
++import java.util.Set;
++
++public class ServerEnvironment {
++ private static final boolean RUNNING_AS_ROOT_OR_ADMIN;
++ private static final String WINDOWS_HIGH_INTEGRITY_LEVEL = "S-1-16-12288";
++
++ static {
++ if (SystemUtils.IS_OS_WINDOWS) {
++ RUNNING_AS_ROOT_OR_ADMIN = Set.of(new NTSystem().getGroupIDs()).contains(WINDOWS_HIGH_INTEGRITY_LEVEL);
++ } else {
++ boolean isRunningAsRoot = false;
++ if (new UnixSystem().getUid() == 0) {
++ // Due to an OpenJDK bug (https://bugs.openjdk.java.net/browse/JDK-8274721), UnixSystem#getUid incorrectly
++ // returns 0 when the user doesn't have a username. Because of this, we'll have to double-check if the user ID is
++ // actually 0 by running the id -u command.
++ try {
++ Process process = new ProcessBuilder("id", "-u").start();
++ process.waitFor();
++ InputStream inputStream = process.getInputStream();
++ isRunningAsRoot = new String(inputStream.readAllBytes()).trim().equals("0");
++ } catch (InterruptedException | IOException ignored) {
++ isRunningAsRoot = false;
++ }
++ }
++ RUNNING_AS_ROOT_OR_ADMIN = isRunningAsRoot;
++ }
++ }
++
++ public static boolean userIsRootOrAdmin() {
++ return RUNNING_AS_ROOT_OR_ADMIN;
++ }
++}
+diff --git a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
+index 7ce1ce59eeba8b57cd76b1c9c561733b476e7ebf..b6ee0e709b0f0529b99567bc9b8fb6bfd99bcd8e 100644
+--- a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
++++ b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
+@@ -190,6 +190,16 @@ public class DedicatedServer extends MinecraftServer implements ServerInterface
+ DedicatedServer.LOGGER.warn("To start the server with more ram, launch it as \"java -Xmx1024M -Xms1024M -jar minecraft_server.jar\"");
+ }
+
++ // Paper start - detect running as root
++ if (io.papermc.paper.util.ServerEnvironment.userIsRootOrAdmin()) {
++ DedicatedServer.LOGGER.warn("****************************");
++ DedicatedServer.LOGGER.warn("YOU ARE RUNNING THIS SERVER AS AN ADMINISTRATIVE OR ROOT USER. THIS IS NOT ADVISED.");
++ DedicatedServer.LOGGER.warn("YOU ARE OPENING YOURSELF UP TO POTENTIAL RISKS WHEN DOING THIS.");
++ DedicatedServer.LOGGER.warn("FOR MORE INFORMATION, SEE https://madelinemiller.dev/blog/root-minecraft-server/");
++ DedicatedServer.LOGGER.warn("****************************");
++ }
++ // Paper end
++
+ DedicatedServer.LOGGER.info("Loading properties");
+ DedicatedServerProperties dedicatedserverproperties = this.settings.getProperties();
+