aboutsummaryrefslogtreecommitdiffhomepage
path: root/patches/server/0658-Add-root-admin-user-detection.patch
blob: 74f125cf61c0e6ffeb4aa12fb72e703fe6dfec6e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: egg82 <eggys82@gmail.com>
Date: Sat, 11 Sep 2021 22:55:14 +0200
Subject: [PATCH] Add root/admin user detection

This patch detects whether or not the server is currently executing as a privileged user and spits out a warning.
The warning serves as a sort-of PSA for newer server admins who don't understand the risks of running as root.
We've seen plenty of bad/malicious plugins hit markets, and there's been a few close-calls with exploits in the past.
Hopefully this helps mitigate some potential damage to servers, even if it is just a warning.

Co-authored-by: Noah van der Aa <ndvdaa@gmail.com>

diff --git a/src/main/java/io/papermc/paper/util/ServerEnvironment.java b/src/main/java/io/papermc/paper/util/ServerEnvironment.java
new file mode 100644
index 0000000000000000000000000000000000000000..6bd0afddbcc461149dfe9a5c7a86fff6ea13a5f1
--- /dev/null
+++ b/src/main/java/io/papermc/paper/util/ServerEnvironment.java
@@ -0,0 +1,40 @@
+package io.papermc.paper.util;
+
+import com.sun.security.auth.module.NTSystem;
+import com.sun.security.auth.module.UnixSystem;
+import org.apache.commons.lang.SystemUtils;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Set;
+
+public class ServerEnvironment {
+    private static final boolean RUNNING_AS_ROOT_OR_ADMIN;
+    private static final String WINDOWS_HIGH_INTEGRITY_LEVEL = "S-1-16-12288";
+
+    static {
+        if (SystemUtils.IS_OS_WINDOWS) {
+            RUNNING_AS_ROOT_OR_ADMIN = Set.of(new NTSystem().getGroupIDs()).contains(WINDOWS_HIGH_INTEGRITY_LEVEL);
+        } else {
+            boolean isRunningAsRoot = false;
+            if (new UnixSystem().getUid() == 0) {
+                // Due to an OpenJDK bug (https://bugs.openjdk.java.net/browse/JDK-8274721), UnixSystem#getUid incorrectly
+                // returns 0 when the user doesn't have a username. Because of this, we'll have to double-check if the user ID is
+                // actually 0 by running the id -u command.
+                try {
+                    Process process = new ProcessBuilder("id", "-u").start();
+                    process.waitFor();
+                    InputStream inputStream = process.getInputStream();
+                    isRunningAsRoot = new String(inputStream.readAllBytes()).trim().equals("0");
+                } catch (InterruptedException | IOException ignored) {
+                    isRunningAsRoot = false;
+                }
+            }
+            RUNNING_AS_ROOT_OR_ADMIN = isRunningAsRoot;
+        }
+    }
+
+    public static boolean userIsRootOrAdmin() {
+        return RUNNING_AS_ROOT_OR_ADMIN;
+    }
+}
diff --git a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
index 6b4c9ef02931491dd048646ead494892f06504c5..608d860b940dee870a3df3d52efaed5e9eab17cf 100644
--- a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
+++ b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
@@ -179,6 +179,16 @@ public class DedicatedServer extends MinecraftServer implements ServerInterface
             DedicatedServer.LOGGER.warn("To start the server with more ram, launch it as \"java -Xmx1024M -Xms1024M -jar minecraft_server.jar\"");
         }
 
+        // Paper start - detect running as root
+        if (io.papermc.paper.util.ServerEnvironment.userIsRootOrAdmin()) {
+            DedicatedServer.LOGGER.warn("****************************");
+            DedicatedServer.LOGGER.warn("YOU ARE RUNNING THIS SERVER AS AN ADMINISTRATIVE OR ROOT USER. THIS IS NOT ADVISED.");
+            DedicatedServer.LOGGER.warn("YOU ARE OPENING YOURSELF UP TO POTENTIAL RISKS WHEN DOING THIS.");
+            DedicatedServer.LOGGER.warn("FOR MORE INFORMATION, SEE https://madelinemiller.dev/blog/root-minecraft-server/");
+            DedicatedServer.LOGGER.warn("****************************");
+        }
+        // Paper end - detect running as root
+
         DedicatedServer.LOGGER.info("Loading properties");
         DedicatedServerProperties dedicatedserverproperties = this.settings.getProperties();