Readd root/admin user detection (#6593)
* Readd root/admin user detection * Use original test for Windows, use UID for unix and add co-author * Move logging and remove unnecessary reader * try with resources * Use Windows security identifiers + reduce size of Unix check * Remove extra newline at the bottom of the message * Change wording * Address comments * Link to Maddy's article * Use warning log level
Showing
1 changed file
with
63 additions
and
0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: egg82 <eggys82@gmail.com> | ||
Date: Sat, 11 Sep 2021 22:55:14 +0200 | ||
Subject: [PATCH] Add root/admin user detection | ||
|
||
This patch detects whether or not the server is currently executing as a privileged user and spits out a warning. | ||
The warning serves as a sort-of PSA for newer server admins who don't understand the risks of running as root. | ||
We've seen plenty of bad/malicious plugins hit markets, and there's been a few close-calls with exploits in the past. | ||
Hopefully this helps mitigate some potential damage to servers, even if it is just a warning. | ||
|
||
Co-authored-by: Noah van der Aa <ndvdaa@gmail.com> | ||
|
||
diff --git a/src/main/java/io/papermc/paper/util/ServerEnvironment.java b/src/main/java/io/papermc/paper/util/ServerEnvironment.java | ||
new file mode 100644 | ||
index 0000000000000000000000000000000000000000..0d8e415acb1e06532d9e1c2add576806b2aafdaa | ||
--- /dev/null | ||
+++ b/src/main/java/io/papermc/paper/util/ServerEnvironment.java | ||
@@ -0,0 +1,24 @@ | ||
+package io.papermc.paper.util; | ||
+ | ||
+import com.sun.security.auth.module.NTSystem; | ||
+import com.sun.security.auth.module.UnixSystem; | ||
+import org.apache.commons.lang.SystemUtils; | ||
+ | ||
+import java.util.Set; | ||
+ | ||
+public class ServerEnvironment { | ||
+ private static final boolean RUNNING_AS_ROOT_OR_ADMIN; | ||
+ private static final String WINDOWS_HIGH_INTEGRITY_LEVEL = "S-1-16-12288"; | ||
+ | ||
+ static { | ||
+ if (SystemUtils.IS_OS_WINDOWS) { | ||
+ RUNNING_AS_ROOT_OR_ADMIN = Set.of(new NTSystem().getGroupIDs()).contains(WINDOWS_HIGH_INTEGRITY_LEVEL); | ||
+ } else { | ||
+ RUNNING_AS_ROOT_OR_ADMIN = new UnixSystem().getUid() == 0L; | ||
+ } | ||
+ } | ||
+ | ||
+ public static boolean userIsRootOrAdmin() { | ||
+ return RUNNING_AS_ROOT_OR_ADMIN; | ||
+ } | ||
+} | ||
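Review bot: The Windows branch of the static initializer matches only the High integrity SID `S-1-16-12288`, so a server launched as a service under LocalSystem (System integrity level, `S-1-16-16384`) would get no warning, although that is the most privileged way to run it. The same initializer calls `new NTSystem()`, `new UnixSystem()` and `Set.of(...)` unguarded: both wrappers rely on native code from the `jdk.security.auth` module, and `Set.of` rejects null or duplicate elements. A failure in any of them would presumably surface as an `ExceptionInInitializerError` at the `userIsRootOrAdmin()` call in `DedicatedServer` and stop startup over a check that is only advisory. I would accept both integrity levels and fall back to "not privileged" when detection fails, as sketched below. A short class comment should also state that the Unix branch only compares the uid returned by `getUid()` with 0, so other privileged accounts or capability-based privilege are not covered.

```java
    private static final Set<String> WINDOWS_PRIVILEGED_INTEGRITY_LEVELS =
        Set.of("S-1-16-12288", "S-1-16-16384"); // High, System

    static {
        boolean privileged = false;
        try {
            if (SystemUtils.IS_OS_WINDOWS) {
                for (String sid : new NTSystem().getGroupIDs()) {
                    if (WINDOWS_PRIVILEGED_INTEGRITY_LEVELS.contains(sid)) {
                        privileged = true;
                        break;
                    }
                }
            } else {
                privileged = new UnixSystem().getUid() == 0L;
            }
        } catch (RuntimeException | LinkageError ignored) {
            // Advisory check only: a detection failure must not abort class initialisation.
        }
        RUNNING_AS_ROOT_OR_ADMIN = privileged;
    }
    // … unchanged: userIsRootOrAdmin() …
```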
diff --git a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java | ||
index 1bf19965d12514dee34545235bfbadc0b74ddc8b..49a85ad513993bfdc0759f26d38923c881af82e6 100644 | ||
--- a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java | ||
+++ b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java | ||
@@ -190,6 +190,16 @@ public class DedicatedServer extends MinecraftServer implements ServerInterface | ||
DedicatedServer.LOGGER.warn("To start the server with more ram, launch it as \"java -Xmx1024M -Xms1024M -jar minecraft_server.jar\""); | ||
} | ||
|
||
+ // Paper start - detect running as root | ||
+ if (io.papermc.paper.util.ServerEnvironment.userIsRootOrAdmin()) { | ||
+ DedicatedServer.LOGGER.warn("****************************"); | ||
+ DedicatedServer.LOGGER.warn("YOU ARE RUNNING THIS SERVER AS AN ADMINISTRATIVE OR ROOT USER. THIS IS NOT ADVISED."); | ||
+ DedicatedServer.LOGGER.warn("YOU ARE OPENING YOURSELF UP TO POTENTIAL RISKS WHEN DOING THIS."); | ||
+ DedicatedServer.LOGGER.warn("FOR MORE INFORMATION, SEE https://madelinemiller.dev/blog/root-minecraft-server/"); | ||
+ DedicatedServer.LOGGER.warn("****************************"); | ||
+ } | ||
+ // Paper end | ||
+ | ||
DedicatedServer.LOGGER.info("Loading properties"); | ||
DedicatedServerProperties dedicatedserverproperties = this.settings.getProperties(); | ||
|