From cd610df101fe36efe946b841f5e1f04446db1661 Mon Sep 17 00:00:00 2001 From: Noah van der Aa Date: Sat, 9 Oct 2021 11:29:05 +0200 Subject: Re-readd root/admin user detection (#6703) * Re-readd root/admin user detection * I am dum * Only run id command if needed * Use ProcessBuilder * Link to issue * Rebase Co-authored-by: Madeline Miller --- .../0824-Add-root-admin-user-detection.patch | 79 ++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 patches/server/0824-Add-root-admin-user-detection.patch diff --git a/patches/server/0824-Add-root-admin-user-detection.patch b/patches/server/0824-Add-root-admin-user-detection.patch new file mode 100644 index 0000000000..053e03ef52 --- /dev/null +++ b/patches/server/0824-Add-root-admin-user-detection.patch @@ -0,0 +1,79 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: egg82 +Date: Sat, 11 Sep 2021 22:55:14 +0200 +Subject: [PATCH] Add root/admin user detection + +This patch detects whether or not the server is currently executing as a privileged user and spits out a warning. +The warning serves as a sort-of PSA for newer server admins who don't understand the risks of running as root. +We've seen plenty of bad/malicious plugins hit markets, and there's been a few close-calls with exploits in the past. +Hopefully this helps mitigate some potential damage to servers, even if it is just a warning. + +Co-authored-by: Noah van der Aa + +diff --git a/src/main/java/io/papermc/paper/util/ServerEnvironment.java b/src/main/java/io/papermc/paper/util/ServerEnvironment.java +new file mode 100644 +index 0000000000000000000000000000000000000000..6bd0afddbcc461149dfe9a5c7a86fff6ea13a5f1 +--- /dev/null ++++ b/src/main/java/io/papermc/paper/util/ServerEnvironment.java +@@ -0,0 +1,40 @@ ++package io.papermc.paper.util; ++ ++import com.sun.security.auth.module.NTSystem; ++import com.sun.security.auth.module.UnixSystem; ++import org.apache.commons.lang.SystemUtils; ++ ++import java.io.IOException; ++import java.io.InputStream; ++import java.util.Set; ++ ++public class ServerEnvironment { ++ private static final boolean RUNNING_AS_ROOT_OR_ADMIN; ++ private static final String WINDOWS_HIGH_INTEGRITY_LEVEL = "S-1-16-12288"; ++ ++ static { ++ if (SystemUtils.IS_OS_WINDOWS) { ++ RUNNING_AS_ROOT_OR_ADMIN = Set.of(new NTSystem().getGroupIDs()).contains(WINDOWS_HIGH_INTEGRITY_LEVEL); ++ } else { ++ boolean isRunningAsRoot = false; ++ if (new UnixSystem().getUid() == 0) { ++ // Due to an OpenJDK bug (https://bugs.openjdk.java.net/browse/JDK-8274721), UnixSystem#getUid incorrectly ++ // returns 0 when the user doesn't have a username. Because of this, we'll have to double-check if the user ID is ++ // actually 0 by running the id -u command. ++ try { ++ Process process = new ProcessBuilder("id", "-u").start(); ++ process.waitFor(); ++ InputStream inputStream = process.getInputStream(); ++ isRunningAsRoot = new String(inputStream.readAllBytes()).trim().equals("0"); ++ } catch (InterruptedException | IOException ignored) { ++ isRunningAsRoot = false; ++ } ++ } ++ RUNNING_AS_ROOT_OR_ADMIN = isRunningAsRoot; ++ } ++ } ++ ++ public static boolean userIsRootOrAdmin() { ++ return RUNNING_AS_ROOT_OR_ADMIN; ++ } ++} +diff --git a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java +index 7ce1ce59eeba8b57cd76b1c9c561733b476e7ebf..b6ee0e709b0f0529b99567bc9b8fb6bfd99bcd8e 100644 +--- a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java ++++ b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java +@@ -190,6 +190,16 @@ public class DedicatedServer extends MinecraftServer implements ServerInterface + DedicatedServer.LOGGER.warn("To start the server with more ram, launch it as \"java -Xmx1024M -Xms1024M -jar minecraft_server.jar\""); + } + ++ // Paper start - detect running as root ++ if (io.papermc.paper.util.ServerEnvironment.userIsRootOrAdmin()) { ++ DedicatedServer.LOGGER.warn("****************************"); ++ DedicatedServer.LOGGER.warn("YOU ARE RUNNING THIS SERVER AS AN ADMINISTRATIVE OR ROOT USER. THIS IS NOT ADVISED."); ++ DedicatedServer.LOGGER.warn("YOU ARE OPENING YOURSELF UP TO POTENTIAL RISKS WHEN DOING THIS."); ++ DedicatedServer.LOGGER.warn("FOR MORE INFORMATION, SEE https://madelinemiller.dev/blog/root-minecraft-server/"); ++ DedicatedServer.LOGGER.warn("****************************"); ++ } ++ // Paper end ++ + DedicatedServer.LOGGER.info("Loading properties"); + DedicatedServerProperties dedicatedserverproperties = this.settings.getProperties(); + -- cgit v1.2.3