e035fd7034
Upstream has released updates that appear to apply and compile correctly. This update has not been tested by PaperMC and as with ANY update, please do your own testing Bukkit Changes: cc9aa21a SPIGOT-6399, SPIGOT-7344: Clarify collidable behavior for player entities f23325b6 Add API for per-world simulation distances 26e1774e Add API for per-world view distances 0b541e60 Add PlayerLoginEvent#getRealAddress 5f027d2d PR-949: Add Vector#fromJOML() overloads for read-only vector types CraftBukkit Changes: bcf56171a PR-1321: Clean up some stuff which got missed during previous PRs 7f833a2d1 SPIGOT-7462: Players no longer drop XP after dying near a Sculk Catalyst 752aac669 Implement APIs for per world view and simulation distances 57d7ef433 Preserve empty enchantment tags for glow effect 465ec3fb4 Remove connected check on setScoreboard f90ce621e Use one PermissibleBase for all command blocks 5876cca44 SPIGOT-7550: Fix creation of Arrow instances f03fc3aa3 SPIGOT-7549: ServerTickManager#setTickRate incorrect Precondition 9d7f49b01 SPIGOT-7548: Fix wrong spawn location for experience orb and dropped item Spigot Changes: ed9ba9a4 Drop no longer required patch ignoring -o option 86b5dd6a SPIGOT-7546: Fix hardcoded check for outdated client message aa7cde7a Remove obsolete APIs for per world view and simulation distances 6dff577e Remove obsolete patch preserving empty `ench` tags a3bf95b8 Remove obsolete PlayerLoginEvent#getRealAddress 1b02f5d6 Remove obsolete connected check on setScoreboard patch acf717eb Remove obsolete command block PermissibleBase patch 053fa2a9 Remove redundant patch dealing with null tile entities
80 Zeilen
4.1 KiB
Diff
80 Zeilen
4.1 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: egg82 <eggys82@gmail.com>
|
|
Date: Sat, 11 Sep 2021 22:55:14 +0200
|
|
Subject: [PATCH] Add root/admin user detection
|
|
|
|
This patch detects whether or not the server is currently executing as a privileged user and spits out a warning.
|
|
The warning serves as a sort-of PSA for newer server admins who don't understand the risks of running as root.
|
|
We've seen plenty of bad/malicious plugins hit markets, and there's been a few close-calls with exploits in the past.
|
|
Hopefully this helps mitigate some potential damage to servers, even if it is just a warning.
|
|
|
|
Co-authored-by: Noah van der Aa <ndvdaa@gmail.com>
|
|
|
|
diff --git a/src/main/java/io/papermc/paper/util/ServerEnvironment.java b/src/main/java/io/papermc/paper/util/ServerEnvironment.java
|
|
new file mode 100644
|
|
index 0000000000000000000000000000000000000000..6bd0afddbcc461149dfe9a5c7a86fff6ea13a5f1
|
|
--- /dev/null
|
|
+++ b/src/main/java/io/papermc/paper/util/ServerEnvironment.java
|
|
@@ -0,0 +1,40 @@
|
|
+package io.papermc.paper.util;
|
|
+
|
|
+import com.sun.security.auth.module.NTSystem;
|
|
+import com.sun.security.auth.module.UnixSystem;
|
|
+import org.apache.commons.lang.SystemUtils;
|
|
+
|
|
+import java.io.IOException;
|
|
+import java.io.InputStream;
|
|
+import java.util.Set;
|
|
+
|
|
+public class ServerEnvironment {
|
|
+ private static final boolean RUNNING_AS_ROOT_OR_ADMIN;
|
|
+ private static final String WINDOWS_HIGH_INTEGRITY_LEVEL = "S-1-16-12288";
|
|
+
|
|
+ static {
|
|
+ if (SystemUtils.IS_OS_WINDOWS) {
|
|
+ RUNNING_AS_ROOT_OR_ADMIN = Set.of(new NTSystem().getGroupIDs()).contains(WINDOWS_HIGH_INTEGRITY_LEVEL);
|
|
+ } else {
|
|
+ boolean isRunningAsRoot = false;
|
|
+ if (new UnixSystem().getUid() == 0) {
|
|
+ // Due to an OpenJDK bug (https://bugs.openjdk.java.net/browse/JDK-8274721), UnixSystem#getUid incorrectly
|
|
+ // returns 0 when the user doesn't have a username. Because of this, we'll have to double-check if the user ID is
|
|
+ // actually 0 by running the id -u command.
|
|
+ try {
|
|
+ Process process = new ProcessBuilder("id", "-u").start();
|
|
+ process.waitFor();
|
|
+ InputStream inputStream = process.getInputStream();
|
|
+ isRunningAsRoot = new String(inputStream.readAllBytes()).trim().equals("0");
|
|
+ } catch (InterruptedException | IOException ignored) {
|
|
+ isRunningAsRoot = false;
|
|
+ }
|
|
+ }
|
|
+ RUNNING_AS_ROOT_OR_ADMIN = isRunningAsRoot;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ public static boolean userIsRootOrAdmin() {
|
|
+ return RUNNING_AS_ROOT_OR_ADMIN;
|
|
+ }
|
|
+}
|
|
diff --git a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
|
|
index 0008e63e96841c48fa039001f282ffa70c88494f..a305557e97d8719f5f82e70794d15242364ce136 100644
|
|
--- a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
|
|
+++ b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
|
|
@@ -179,6 +179,16 @@ public class DedicatedServer extends MinecraftServer implements ServerInterface
|
|
DedicatedServer.LOGGER.warn("To start the server with more ram, launch it as \"java -Xmx1024M -Xms1024M -jar minecraft_server.jar\"");
|
|
}
|
|
|
|
+ // Paper start - detect running as root
|
|
+ if (io.papermc.paper.util.ServerEnvironment.userIsRootOrAdmin()) {
|
|
+ DedicatedServer.LOGGER.warn("****************************");
|
|
+ DedicatedServer.LOGGER.warn("YOU ARE RUNNING THIS SERVER AS AN ADMINISTRATIVE OR ROOT USER. THIS IS NOT ADVISED.");
|
|
+ DedicatedServer.LOGGER.warn("YOU ARE OPENING YOURSELF UP TO POTENTIAL RISKS WHEN DOING THIS.");
|
|
+ DedicatedServer.LOGGER.warn("FOR MORE INFORMATION, SEE https://madelinemiller.dev/blog/root-minecraft-server/");
|
|
+ DedicatedServer.LOGGER.warn("****************************");
|
|
+ }
|
|
+ // Paper end
|
|
+
|
|
DedicatedServer.LOGGER.info("Loading properties");
|
|
DedicatedServerProperties dedicatedserverproperties = this.settings.getProperties();
|
|
|