1358d1e914
Upstream has released updates that appear to apply and compile correctly. This update has not been tested by PaperMC and as with ANY update, please do your own testing Bukkit Changes: 881e06e5 PR-725: Add Item Unlimited Lifetime APIs CraftBukkit Changes: 74c08312 SPIGOT-6962: Call EntityChangeBlockEvent when when FallingBlockEntity starts to fall 64db5126 SPIGOT-6959: Make /loot command ignore empty items for spawn 2d760831 Increase outdated build delay 9ed7e4fb SPIGOT-6138, SPIGOT-6415: Don't call CreatureSpawnEvent after cross-dimensional travel fc4ad813 SPIGOT-6895: Trees grown with applyBoneMeal() don't fire the StructureGrowthEvent 59733a2e SPIGOT-6961: Actually return a copy of the ItemMeta Spigot Changes: ffceeae3 SPIGOT-6956: Drop unload queue patch as attempt at fixing stop issue e19ddabd PR-1011: Add Item Unlimited Lifetime APIs 34d40b0e SPIGOT-2942: give command fires PlayerDropItemEvent, cancelling it causes Item Duplication
80 lines
4.1 KiB
Diff
80 lines
4.1 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: egg82 <eggys82@gmail.com>
|
|
Date: Sat, 11 Sep 2021 22:55:14 +0200
|
|
Subject: [PATCH] Add root/admin user detection
|
|
|
|
This patch detects whether or not the server is currently executing as a privileged user and spits out a warning.
|
|
The warning serves as a sort-of PSA for newer server admins who don't understand the risks of running as root.
|
|
We've seen plenty of bad/malicious plugins hit markets, and there's been a few close-calls with exploits in the past.
|
|
Hopefully this helps mitigate some potential damage to servers, even if it is just a warning.
|
|
|
|
Co-authored-by: Noah van der Aa <ndvdaa@gmail.com>
|
|
|
|
diff --git a/src/main/java/io/papermc/paper/util/ServerEnvironment.java b/src/main/java/io/papermc/paper/util/ServerEnvironment.java
|
|
new file mode 100644
|
|
index 0000000000000000000000000000000000000000..6bd0afddbcc461149dfe9a5c7a86fff6ea13a5f1
|
|
--- /dev/null
|
|
+++ b/src/main/java/io/papermc/paper/util/ServerEnvironment.java
|
|
@@ -0,0 +1,40 @@
|
|
+package io.papermc.paper.util;
|
|
+
|
|
+import com.sun.security.auth.module.NTSystem;
|
|
+import com.sun.security.auth.module.UnixSystem;
|
|
+import org.apache.commons.lang.SystemUtils;
|
|
+
|
|
+import java.io.IOException;
|
|
+import java.io.InputStream;
|
|
+import java.util.Set;
|
|
+
|
|
+public class ServerEnvironment {
|
|
+ private static final boolean RUNNING_AS_ROOT_OR_ADMIN;
|
|
+ private static final String WINDOWS_HIGH_INTEGRITY_LEVEL = "S-1-16-12288";
|
|
+
|
|
+ static {
|
|
+ if (SystemUtils.IS_OS_WINDOWS) {
|
|
+ RUNNING_AS_ROOT_OR_ADMIN = Set.of(new NTSystem().getGroupIDs()).contains(WINDOWS_HIGH_INTEGRITY_LEVEL);
|
|
+ } else {
|
|
+ boolean isRunningAsRoot = false;
|
|
+ if (new UnixSystem().getUid() == 0) {
|
|
+ // Due to an OpenJDK bug (https://bugs.openjdk.java.net/browse/JDK-8274721), UnixSystem#getUid incorrectly
|
|
+ // returns 0 when the user doesn't have a username. Because of this, we'll have to double-check if the user ID is
|
|
+ // actually 0 by running the id -u command.
|
|
+ try {
|
|
+ Process process = new ProcessBuilder("id", "-u").start();
|
|
+ process.waitFor();
|
|
+ InputStream inputStream = process.getInputStream();
|
|
+ isRunningAsRoot = new String(inputStream.readAllBytes()).trim().equals("0");
|
|
+ } catch (InterruptedException | IOException ignored) {
|
|
+ isRunningAsRoot = false;
|
|
+ }
|
|
+ }
|
|
+ RUNNING_AS_ROOT_OR_ADMIN = isRunningAsRoot;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ public static boolean userIsRootOrAdmin() {
|
|
+ return RUNNING_AS_ROOT_OR_ADMIN;
|
|
+ }
|
|
+}
|
|
diff --git a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
|
|
index 939745227346e6d23e50f942eb48ab97c4ab6190..e28e09aae1d95d9bed50a137e999e6d457e62478 100644
|
|
--- a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
|
|
+++ b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
|
|
@@ -191,6 +191,16 @@ public class DedicatedServer extends MinecraftServer implements ServerInterface
|
|
DedicatedServer.LOGGER.warn("To start the server with more ram, launch it as \"java -Xmx1024M -Xms1024M -jar minecraft_server.jar\"");
|
|
}
|
|
|
|
+ // Paper start - detect running as root
|
|
+ if (io.papermc.paper.util.ServerEnvironment.userIsRootOrAdmin()) {
|
|
+ DedicatedServer.LOGGER.warn("****************************");
|
|
+ DedicatedServer.LOGGER.warn("YOU ARE RUNNING THIS SERVER AS AN ADMINISTRATIVE OR ROOT USER. THIS IS NOT ADVISED.");
|
|
+ DedicatedServer.LOGGER.warn("YOU ARE OPENING YOURSELF UP TO POTENTIAL RISKS WHEN DOING THIS.");
|
|
+ DedicatedServer.LOGGER.warn("FOR MORE INFORMATION, SEE https://madelinemiller.dev/blog/root-minecraft-server/");
|
|
+ DedicatedServer.LOGGER.warn("****************************");
|
|
+ }
|
|
+ // Paper end
|
|
+
|
|
DedicatedServer.LOGGER.info("Loading properties");
|
|
DedicatedServerProperties dedicatedserverproperties = this.settings.getProperties();
|
|
|