papermc/patches/unapplied/server/Add-root-admin-user-detection.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: egg82 <eggys82@gmail.com>
Date: Sat, 11 Sep 2021 22:55:14 +0200
Subject: [PATCH] Add root/admin user detection

This patch detects whether or not the server is currently executing as a privileged user and spits out a warning.
The warning serves as a sort-of PSA for newer server admins who don't understand the risks of running as root.
We've seen plenty of bad/malicious plugins hit markets, and there's been a few close-calls with exploits in the past.
Hopefully this helps mitigate some potential damage to servers, even if it is just a warning.

Co-authored-by: Noah van der Aa <ndvdaa@gmail.com>

diff --git a/src/main/java/io/papermc/paper/util/ServerEnvironment.java b/src/main/java/io/papermc/paper/util/ServerEnvironment.java
new file mode 100644
index 0000000000000000000000000000000000000000..0000000000000000000000000000000000000000
--- /dev/null
+++ b/src/main/java/io/papermc/paper/util/ServerEnvironment.java
@@ -0,0 +0,0 @@
+package io.papermc.paper.util;
+
+import com.sun.security.auth.module.NTSystem;
+import com.sun.security.auth.module.UnixSystem;
+import org.apache.commons.lang.SystemUtils;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Set;
+
+public class ServerEnvironment {
+    private static final boolean RUNNING_AS_ROOT_OR_ADMIN;
+    private static final String WINDOWS_HIGH_INTEGRITY_LEVEL = "S-1-16-12288";
+
+    static {
+        if (SystemUtils.IS_OS_WINDOWS) {
+            RUNNING_AS_ROOT_OR_ADMIN = Set.of(new NTSystem().getGroupIDs()).contains(WINDOWS_HIGH_INTEGRITY_LEVEL);
+        } else {
+            boolean isRunningAsRoot = false;
+            if (new UnixSystem().getUid() == 0) {
+                // Due to an OpenJDK bug (https://bugs.openjdk.java.net/browse/JDK-8274721), UnixSystem#getUid incorrectly
+                // returns 0 when the user doesn't have a username. Because of this, we'll have to double-check if the user ID is
+                // actually 0 by running the id -u command.
+                try {
+                    Process process = new ProcessBuilder("id", "-u").start();
+                    process.waitFor();
+                    InputStream inputStream = process.getInputStream();
+                    isRunningAsRoot = new String(inputStream.readAllBytes()).trim().equals("0");
+                } catch (InterruptedException | IOException ignored) {
+                    isRunningAsRoot = false;
+                }
+            }
+            RUNNING_AS_ROOT_OR_ADMIN = isRunningAsRoot;
+        }
+    }
+
+    public static boolean userIsRootOrAdmin() {
+        return RUNNING_AS_ROOT_OR_ADMIN;
+    }
+}
diff --git a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
index 0000000000000000000000000000000000000000..0000000000000000000000000000000000000000 100644
--- a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
+++ b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
@@ -0,0 +0,0 @@ public class DedicatedServer extends MinecraftServer implements ServerInterface
             DedicatedServer.LOGGER.warn("To start the server with more ram, launch it as \"java -Xmx1024M -Xms1024M -jar minecraft_server.jar\"");
         }
 
+        // Paper start - detect running as root
+        if (io.papermc.paper.util.ServerEnvironment.userIsRootOrAdmin()) {
+            DedicatedServer.LOGGER.warn("****************************");
+            DedicatedServer.LOGGER.warn("YOU ARE RUNNING THIS SERVER AS AN ADMINISTRATIVE OR ROOT USER. THIS IS NOT ADVISED.");
+            DedicatedServer.LOGGER.warn("YOU ARE OPENING YOURSELF UP TO POTENTIAL RISKS WHEN DOING THIS.");
+            DedicatedServer.LOGGER.warn("FOR MORE INFORMATION, SEE https://madelinemiller.dev/blog/root-minecraft-server/");
+            DedicatedServer.LOGGER.warn("****************************");
+        }
+        // Paper end
+
         DedicatedServer.LOGGER.info("Loading properties");
         DedicatedServerProperties dedicatedserverproperties = this.settings.getProperties();
Re-readd root/admin user detection (#6703) * Re-readd root/admin user detection * I am dum * Only run id command if needed * Use ProcessBuilder * Link to issue * Rebase Co-authored-by: Madeline Miller <mnmiller1@me.com> 2021-10-09 11:29:05 +02:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
			`From: egg82 <eggys82@gmail.com>`
			`Date: Sat, 11 Sep 2021 22:55:14 +0200`
			`Subject: [PATCH] Add root/admin user detection`

			`This patch detects whether or not the server is currently executing as a privileged user and spits out a warning.`
			`The warning serves as a sort-of PSA for newer server admins who don't understand the risks of running as root.`
			`We've seen plenty of bad/malicious plugins hit markets, and there's been a few close-calls with exploits in the past.`
			`Hopefully this helps mitigate some potential damage to servers, even if it is just a warning.`

			`Co-authored-by: Noah van der Aa <ndvdaa@gmail.com>`

			`diff --git a/src/main/java/io/papermc/paper/util/ServerEnvironment.java b/src/main/java/io/papermc/paper/util/ServerEnvironment.java`
			`new file mode 100644`
			`index 0000000000000000000000000000000000000000..0000000000000000000000000000000000000000`
			`--- /dev/null`
			`+++ b/src/main/java/io/papermc/paper/util/ServerEnvironment.java`
			`@@ -0,0 +0,0 @@`
			`+package io.papermc.paper.util;`
			`+`
			`+import com.sun.security.auth.module.NTSystem;`
			`+import com.sun.security.auth.module.UnixSystem;`
			`+import org.apache.commons.lang.SystemUtils;`
			`+`
			`+import java.io.IOException;`
			`+import java.io.InputStream;`
			`+import java.util.Set;`
			`+`
			`+public class ServerEnvironment {`
			`+ private static final boolean RUNNING_AS_ROOT_OR_ADMIN;`
			`+ private static final String WINDOWS_HIGH_INTEGRITY_LEVEL = "S-1-16-12288";`
			`+`
			`+ static {`
			`+ if (SystemUtils.IS_OS_WINDOWS) {`
			`+ RUNNING_AS_ROOT_OR_ADMIN = Set.of(new NTSystem().getGroupIDs()).contains(WINDOWS_HIGH_INTEGRITY_LEVEL);`
			`+ } else {`
			`+ boolean isRunningAsRoot = false;`
			`+ if (new UnixSystem().getUid() == 0) {`
			`+ // Due to an OpenJDK bug (https://bugs.openjdk.java.net/browse/JDK-8274721), UnixSystem#getUid incorrectly`
			`+ // returns 0 when the user doesn't have a username. Because of this, we'll have to double-check if the user ID is`
			`+ // actually 0 by running the id -u command.`
			`+ try {`
			`+ Process process = new ProcessBuilder("id", "-u").start();`
			`+ process.waitFor();`
			`+ InputStream inputStream = process.getInputStream();`
			`+ isRunningAsRoot = new String(inputStream.readAllBytes()).trim().equals("0");`
			`+ } catch (InterruptedException \| IOException ignored) {`
			`+ isRunningAsRoot = false;`
			`+ }`
			`+ }`
			`+ RUNNING_AS_ROOT_OR_ADMIN = isRunningAsRoot;`
			`+ }`
			`+ }`
			`+`
			`+ public static boolean userIsRootOrAdmin() {`
			`+ return RUNNING_AS_ROOT_OR_ADMIN;`
			`+ }`
			`+}`
			`diff --git a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java`
			`index 0000000000000000000000000000000000000000..0000000000000000000000000000000000000000 100644`
			`--- a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java`
			`+++ b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java`
			`@@ -0,0 +0,0 @@ public class DedicatedServer extends MinecraftServer implements ServerInterface`
			`DedicatedServer.LOGGER.warn("To start the server with more ram, launch it as \"java -Xmx1024M -Xms1024M -jar minecraft_server.jar\"");`
			`}`

			`+ // Paper start - detect running as root`
			`+ if (io.papermc.paper.util.ServerEnvironment.userIsRootOrAdmin()) {`
			`+ DedicatedServer.LOGGER.warn("****************************");`
			`+ DedicatedServer.LOGGER.warn("YOU ARE RUNNING THIS SERVER AS AN ADMINISTRATIVE OR ROOT USER. THIS IS NOT ADVISED.");`
			`+ DedicatedServer.LOGGER.warn("YOU ARE OPENING YOURSELF UP TO POTENTIAL RISKS WHEN DOING THIS.");`
			`+ DedicatedServer.LOGGER.warn("FOR MORE INFORMATION, SEE https://madelinemiller.dev/blog/root-minecraft-server/");`
			`+ DedicatedServer.LOGGER.warn("****************************");`
			`+ }`
			`+ // Paper end`
			`+`
			`DedicatedServer.LOGGER.info("Loading properties");`
			`DedicatedServerProperties dedicatedserverproperties = this.settings.getProperties();`