Archiviert
13
0
Dieses Repository wurde am 2024-12-25 archiviert. Du kannst Dateien ansehen und es klonen, aber nicht pushen oder Issues/Pull-Requests öffnen.
Paper-Old/patches/server/0728-Add-root-admin-user-detection.patch
Nassim Jahnke c0936a71bd
Updated Upstream (Bukkit/CraftBukkit/Spigot) (#9440)
Upstream has released updates that appear to apply and compile correctly.
This update has not been tested by PaperMC and as with ANY update, please do your own testing

Bukkit Changes:
01aa02eb PR-858: Add LivingEntity#playHurtAnimation()
9421320f PR-884: Refinements to new ban API for improved compatibility and correctness
37a60b45 SPIGOT-6455, SPIGOT-7030, PR-750: Improve ban API
4eeb174b All smithing inventories are now the new smithing inventory
f2bb168e PR-880: Add methods to get/set FallingBlock CancelDrop
e7a807fa PR-879: Add Player#sendHealthUpdate()
692b8e96 SPIGOT-7370: Remove float value conversion in plugin.yml
2d033390 SPIGOT-7403: Add direct API for waxed signs
16a08373 PR-876: Add missing Raider API and 'no action ticks'

CraftBukkit Changes:
b60a95c8c PR-1189: Add LivingEntity#playHurtAnimation()
95c335c63 PR-1226: Fix VehicleEnterEvent not being called for certain entities
0a0fc3bee PR-1227: Refinements to new ban API for improved compatibility and correctness
0d0b1e5dc Revert bad change to PathfinderGoalSit causing all cats to sit
648196070 SPIGOT-6455, SPIGOT-7030, PR-1054: Improve ban API
31fe848d6 All smithing inventories are now the new smithing inventory
9a919a143 SPIGOT-7416: SmithItemEvent not firing in Smithing Table
9f64f0d22 PR-1221: Add methods to get/set FallingBlock CancelDrop
3be9ac171 PR-1220: Add Player#sendHealthUpdate()
c1279f775 PR-1209: Clean up various patches
c432e4397 Fix Raider#setCelebrating() implementation
504d96665 SPIGOT-7403: Add direct API for waxed signs
c68c1f1b3 PR-1216: Add missing Raider API and 'no action ticks'
85b89c3dd Increase outdated build delay

Spigot Changes:
9ebce8af Rebuild patches
64b565e6 Rebuild patches
2023-07-04 10:22:56 +02:00

80 Zeilen
4.1 KiB
Diff

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: egg82 <eggys82@gmail.com>
Date: Sat, 11 Sep 2021 22:55:14 +0200
Subject: [PATCH] Add root/admin user detection
This patch detects whether or not the server is currently executing as a privileged user and spits out a warning.
The warning serves as a sort-of PSA for newer server admins who don't understand the risks of running as root.
We've seen plenty of bad/malicious plugins hit markets, and there's been a few close-calls with exploits in the past.
Hopefully this helps mitigate some potential damage to servers, even if it is just a warning.
Co-authored-by: Noah van der Aa <ndvdaa@gmail.com>
diff --git a/src/main/java/io/papermc/paper/util/ServerEnvironment.java b/src/main/java/io/papermc/paper/util/ServerEnvironment.java
new file mode 100644
index 0000000000000000000000000000000000000000..6bd0afddbcc461149dfe9a5c7a86fff6ea13a5f1
--- /dev/null
+++ b/src/main/java/io/papermc/paper/util/ServerEnvironment.java
@@ -0,0 +1,40 @@
+package io.papermc.paper.util;
+
+import com.sun.security.auth.module.NTSystem;
+import com.sun.security.auth.module.UnixSystem;
+import org.apache.commons.lang.SystemUtils;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Set;
+
+public class ServerEnvironment {
+ private static final boolean RUNNING_AS_ROOT_OR_ADMIN;
+ private static final String WINDOWS_HIGH_INTEGRITY_LEVEL = "S-1-16-12288";
+
+ static {
+ if (SystemUtils.IS_OS_WINDOWS) {
+ RUNNING_AS_ROOT_OR_ADMIN = Set.of(new NTSystem().getGroupIDs()).contains(WINDOWS_HIGH_INTEGRITY_LEVEL);
+ } else {
+ boolean isRunningAsRoot = false;
+ if (new UnixSystem().getUid() == 0) {
+ // Due to an OpenJDK bug (https://bugs.openjdk.java.net/browse/JDK-8274721), UnixSystem#getUid incorrectly
+ // returns 0 when the user doesn't have a username. Because of this, we'll have to double-check if the user ID is
+ // actually 0 by running the id -u command.
+ try {
+ Process process = new ProcessBuilder("id", "-u").start();
+ process.waitFor();
+ InputStream inputStream = process.getInputStream();
+ isRunningAsRoot = new String(inputStream.readAllBytes()).trim().equals("0");
+ } catch (InterruptedException | IOException ignored) {
+ isRunningAsRoot = false;
+ }
+ }
+ RUNNING_AS_ROOT_OR_ADMIN = isRunningAsRoot;
+ }
+ }
+
+ public static boolean userIsRootOrAdmin() {
+ return RUNNING_AS_ROOT_OR_ADMIN;
+ }
+}
diff --git a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
index 1fbe7a58707ddd40f80d71e3703ff3fefff672f4..9a45921cbb1e7a39e6ef46cc93c14766ee8229ad 100644
--- a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
+++ b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
@@ -179,6 +179,16 @@ public class DedicatedServer extends MinecraftServer implements ServerInterface
DedicatedServer.LOGGER.warn("To start the server with more ram, launch it as \"java -Xmx1024M -Xms1024M -jar minecraft_server.jar\"");
}
+ // Paper start - detect running as root
+ if (io.papermc.paper.util.ServerEnvironment.userIsRootOrAdmin()) {
+ DedicatedServer.LOGGER.warn("****************************");
+ DedicatedServer.LOGGER.warn("YOU ARE RUNNING THIS SERVER AS AN ADMINISTRATIVE OR ROOT USER. THIS IS NOT ADVISED.");
+ DedicatedServer.LOGGER.warn("YOU ARE OPENING YOURSELF UP TO POTENTIAL RISKS WHEN DOING THIS.");
+ DedicatedServer.LOGGER.warn("FOR MORE INFORMATION, SEE https://madelinemiller.dev/blog/root-minecraft-server/");
+ DedicatedServer.LOGGER.warn("****************************");
+ }
+ // Paper end
+
DedicatedServer.LOGGER.info("Loading properties");
DedicatedServerProperties dedicatedserverproperties = this.settings.getProperties();