papermc/patches/server/0628-Add-root-admin-user-detection.patch
Bjarne Koll 77a5779e24
Updated Upstream (Bukkit/CraftBukkit/Spigot) (#11197)
Upstream has released updates that appear to apply and compile correctly.
This update has not been tested by PaperMC and as with ANY update, please do your own testing

Bukkit Changes:
2ec53f49 PR-1050: Fix empty result check for Complex Recipes
10671012 PR-1044: Add CrafterCraftEvent
4d87ffe0 Use correct method in JavaDoc
ae5e5817 SPIGOT-7850: Add API for Bogged shear state
46b6d445 SPIGOT-7837: Support data pack banner patterns
d5d0cefc Fix JavaDoc error
b3c2b83d PR-1036: Add API for InventoryView derivatives
1fe2c75a SPIGOT-7809: Add ShieldMeta

CraftBukkit Changes:
8ee6fd1b8 SPIGOT-7857: Improve ItemMeta block data deserialization
8f26c30c6 SPIGOT-7857: Fix spurious internal NBT tag when deserializing BlockStateMeta
759061b93 SPIGOT-7855: Fire does not spread or burn blocks
00fc9fb64 SPIGOT-7853: AnvilInventory#getRepairCost() always returns 0
7501e2e04 PR-1450: Add CrafterCraftEvent
8c51673e7 SPIGOT-5731: PortalCreateEvent#getEntity returns null for nether portals ignited by flint and steel
d53d0d0b1 PR-1456: Fix inverted logic in CraftCrafterView#setSlotDisabled
682a678c8 SPIGOT-7850: Add API for Bogged shear state
fccf5243a SPIGOT-7837: Support data pack banner patterns
9c3bd4390 PR-1431: Add API for InventoryView derivatives
0cc6acbc4 SPIGOT-7849: Fix FoodComponent serialize with "using-converts-to" using null
2c5474952 Don't rely on tags for CraftItemMetas
20d107e46 SPIGOT-7846: Fix ItemMeta for hanging signs
76f59e315 Remove redundant clone in Dropper InventoryMoveItemEvent
e61a53d25 SPIGOT-7817: Call InventoryMoveItemEvent for Crafters
894682e2d SPIGOT-7839: Remove redundant Java version checks
2c12b2187 SPIGOT-7809: Add ShieldMeta and fix setting shield base colours

Spigot Changes:
fb8fb722 Rebuild patches
34bd42b7 SPIGOT-7835: Fix issue with custom hopper settings
2024-08-09 22:05:50 +02:00

62 lines
3.2 KiB
Diff

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: egg82 <eggys82@gmail.com>
Date: Sat, 11 Sep 2021 22:55:14 +0200
Subject: [PATCH] Add root/admin user detection
This patch detects whether or not the server is currently executing as a privileged user and spits out a warning.
The warning serves as a sort-of PSA for newer server admins who don't understand the risks of running as root.
We've seen plenty of bad/malicious plugins hit markets, and there's been a few close-calls with exploits in the past.
Hopefully this helps mitigate some potential damage to servers, even if it is just a warning.
Co-authored-by: Noah van der Aa <ndvdaa@gmail.com>
diff --git a/src/main/java/io/papermc/paper/util/ServerEnvironment.java b/src/main/java/io/papermc/paper/util/ServerEnvironment.java
new file mode 100644
index 0000000000000000000000000000000000000000..68098dfe716e93aafcca4d8d5b5a81d8648b3654
--- /dev/null
+++ b/src/main/java/io/papermc/paper/util/ServerEnvironment.java
@@ -0,0 +1,23 @@
+package io.papermc.paper.util;
+
+import com.sun.security.auth.module.NTSystem;
+import com.sun.security.auth.module.UnixSystem;
+import java.util.Set;
+import org.apache.commons.lang.SystemUtils;
+
+public class ServerEnvironment {
+ private static final boolean RUNNING_AS_ROOT_OR_ADMIN;
+ private static final String WINDOWS_HIGH_INTEGRITY_LEVEL = "S-1-16-12288";
+
+ static {
+ if (SystemUtils.IS_OS_WINDOWS) {
+ RUNNING_AS_ROOT_OR_ADMIN = Set.of(new NTSystem().getGroupIDs()).contains(WINDOWS_HIGH_INTEGRITY_LEVEL);
+ } else {
+ RUNNING_AS_ROOT_OR_ADMIN = new UnixSystem().getUid() == 0;
+ }
+ }
+
+ public static boolean userIsRootOrAdmin() {
+ return RUNNING_AS_ROOT_OR_ADMIN;
+ }
+}
diff --git a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
index adbd61c41cc30afa89c6ee3544c562b351304a01..585d3e51b4af87327fc2bc64a49f09732a8c61ab 100644
--- a/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
+++ b/src/main/java/net/minecraft/server/dedicated/DedicatedServer.java
@@ -196,6 +196,16 @@ public class DedicatedServer extends MinecraftServer implements ServerInterface
DedicatedServer.LOGGER.warn("To start the server with more ram, launch it as \"java -Xmx1024M -Xms1024M -jar minecraft_server.jar\"");
}
+ // Paper start - detect running as root
+ if (io.papermc.paper.util.ServerEnvironment.userIsRootOrAdmin()) {
+ DedicatedServer.LOGGER.warn("****************************");
+ DedicatedServer.LOGGER.warn("YOU ARE RUNNING THIS SERVER AS AN ADMINISTRATIVE OR ROOT USER. THIS IS NOT ADVISED.");
+ DedicatedServer.LOGGER.warn("YOU ARE OPENING YOURSELF UP TO POTENTIAL RISKS WHEN DOING THIS.");
+ DedicatedServer.LOGGER.warn("FOR MORE INFORMATION, SEE https://madelinemiller.dev/blog/root-minecraft-server/");
+ DedicatedServer.LOGGER.warn("****************************");
+ }
+ // Paper end - detect running as root
+
DedicatedServer.LOGGER.info("Loading properties");
DedicatedServerProperties dedicatedserverproperties = this.settings.getProperties();