From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: egg82 Date: Sat, 11 Sep 2021 22:55:14 +0200 Subject: [PATCH] Add root/admin user detection This patch detects whether or not the server is currently executing as a privileged user and spits out a warning. The warning serves as a sort-of PSA for newer server admins who don't understand the risks of running as root. We've seen plenty of bad/malicious plugins hit markets, and there's been a few close-calls with exploits in the past. Hopefully this helps mitigate some potential damage to servers, even if it is just a warning. Co-authored-by: Noah van der Aa diff --git a/src/main/java/io/papermc/paper/util/ServerEnvironment.java b/src/main/java/io/papermc/paper/util/ServerEnvironment.java new file mode 100644 index 0000000000000000000000000000000000000000..6bd0afddbcc461149dfe9a5c7a86fff6ea13a5f1 --- /dev/null +++ b/src/main/java/io/papermc/paper/util/ServerEnvironment.java @@ -0,0 +1,40 @@ +package io.papermc.paper.util; + +import com.sun.security.auth.module.NTSystem; +import com.sun.security.auth.module.UnixSystem; +import org.apache.commons.lang.SystemUtils; + +import java.io.IOException; +import java.io.InputStream; +import java.util.Set; + +public class ServerEnvironment { + private static final boolean RUNNING_AS_ROOT_OR_ADMIN; + private static final String WINDOWS_HIGH_INTEGRITY_LEVEL = "S-1-16-12288"; + + static { + if (SystemUtils.IS_OS_WINDOWS) { + RUNNING_AS_ROOT_OR_ADMIN = Set.of(new NTSystem().getGroupIDs()).contains(WINDOWS_HIGH_INTEGRITY_LEVEL); + } else { + boolean isRunningAsRoot = false; + if (new UnixSystem().getUid() == 0) { + // Due to an OpenJDK bug (https://bugs.openjdk.java.net/browse/JDK-8274721), UnixSystem#getUid incorrectly + // returns 0 when the user doesn't have a username. Because of this, we'll have to double-check if the user ID is + // actually 0 by running the id -u command. + try { + Process process = new ProcessBuilder("id", "-u").start(); + process.waitFor(); + InputStream inputStream = process.getInputStream(); + isRunningAsRoot = new String(inputStream.readAllBytes()).trim().equals("0"); + } catch (InterruptedException | IOException ignored) { + isRunningAsRoot = false; + } + } + RUNNING_AS_ROOT_OR_ADMIN = isRunningAsRoot; + } + } + + public static boolean userIsRootOrAdmin() { + return RUNNING_AS_ROOT_OR_ADMIN; + } +} diff --git a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java index 4bc7b3d7c5214b3272614fe3fce8e4d8d2264867..784788d8d3d1a07efbd406b6c463e046699081e2 100644 --- a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java +++ b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java @@ -192,6 +192,16 @@ public class DedicatedServer extends MinecraftServer implements ServerInterface DedicatedServer.LOGGER.warn("To start the server with more ram, launch it as \"java -Xmx1024M -Xms1024M -jar minecraft_server.jar\""); } + // Paper start - detect running as root + if (io.papermc.paper.util.ServerEnvironment.userIsRootOrAdmin()) { + DedicatedServer.LOGGER.warn("****************************"); + DedicatedServer.LOGGER.warn("YOU ARE RUNNING THIS SERVER AS AN ADMINISTRATIVE OR ROOT USER. THIS IS NOT ADVISED."); + DedicatedServer.LOGGER.warn("YOU ARE OPENING YOURSELF UP TO POTENTIAL RISKS WHEN DOING THIS."); + DedicatedServer.LOGGER.warn("FOR MORE INFORMATION, SEE https://madelinemiller.dev/blog/root-minecraft-server/"); + DedicatedServer.LOGGER.warn("****************************"); + } + // Paper end - detect running as root + DedicatedServer.LOGGER.info("Loading properties"); DedicatedServerProperties dedicatedserverproperties = this.settings.getProperties();