Minecraft user is not able to execute minecraftctl start {instance name} without root password prompt

[frg]

Hi,

What permissions does the minecraft user need?

I've got the user set up using useradd --system --no-create-home --home /opt/minecraft -g minecraft minecraft yet when executing minecraftctl start {instance name} either with the user minecraft or root I get the following prompt.

==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to start 'minecraft@{instance name}.service'.
Authenticating as: root
Password:

To get around this online sources mention the use of a sudoers entry, which I've tried the below as a catch-all for the moment yet it didn't work.

%minecraft ALL=(ALL) NOPASSWD:ALL

The only way I managed to get the script to run without the prompt is by using sudo and removing the below from minecraftctl

if [[ "$(id -un)" != "$MINECRAFT_USER" ]]; then
  sudo -n -u "$MINECRAFT_USER" "$SAFE_SELF" "$@"
  exit
fi

I'm sure I'm missing something,
Thanks in advance.

Linux version 5.4.0-77-generic (buildd@lgw01-amd64-028) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04))

[seyfahni]

I guess the documentation isn't explicit enough.

I assume you have a service user and group minecraft. Then you have your admin user frg.

What you need is a group that is allowed to manage the minecraft server, e.g. gameadmin. Your admin user frg needs to be part of that group and your service user minecraft must not be part of it (just security, it will not break anything).

You then can add a line that will allow all members of that gameadmin group to execute the script without entering their password:

%gameadmin = NOPASSWD: /usr/local/bin/minecraftctl

---

Side note:

This line will give the minecraft server group essentially root permissions!

%minecraft ALL=(ALL) NOPASSWD:ALL

If anyone manages to get remote code execution via your minecraft server (e.g. an infected plugin or a security issue in some http server that a plugin (like dynmap or luckperms) starts) then this attacker can do ANYTHING on your server!

I'd suggest you remove / replace that line.

---

Side note 2:

You might want to put this line in a extra file inside the /etc/sudoers.d/ directory, that add another layer of safety: If that line is invalid, it will ignore that part and you can still become root and if sudo updates its config you can just let it overwrite the old file without loosing anything.

---

Side note 3:

Of course you might want to just have an admin with full access without having to enter a password every time, then this line should do (change group as required):

%admin ALL=(ALL) NOPASSWD:ALL

Keep in mind that this is a small security risk, but you can mitigate it by hardening your ssh config to only allow secure cypher, the latest protocol and public key authentication.

[frg]

Thanks @seyfahni I'll try it out later this week.

What I've done for the moment is add

%minecraft= NOPASSWD: /usr/local/bin/minecraftctl

Edited the script to execute this command https://github.com/seyfahni/minecraft-server-scripts/blob/master/systemd/screen/minecraft/multiple/minecraftctl#L63 prefixed with sudo.

sudo systemctl "$command" "$SYSTEMD_UNIT_NAME@$instance.service"

This seems to bypass the need to enter the password however I'm not sure if executing commands using sudo within a script is frowned upon.

[seyfahni]

%minecraft= NOPASSWD: /usr/local/bin/minecraftctl

This works too and only allows management of the server, but for the minecraft user itself too, you can keep it as is if you're fine with that.

Edited the script to execute this command minecraftctl#L63 prefixed with sudo.

sudo systemctl "$command" "$SYSTEMD_UNIT_NAME@$instance.service"

I would keep the script in its original version for multiple reasons (especially the part that you removed):

if [[ "$(id -un)" != "$MINECRAFT_USER" ]]; then
  sudo -n -u "$MINECRAFT_USER" "$SAFE_SELF" "$@"
  exit
fi

The script is written so that it calls itself as the root user via sudo. The only permission youe have to give an admin is that they can run the script as root (the sudoers line).

But if the script contains sudo systemctl ... then the executing user has to be able to run systemctl as root too.
You'd have to set this then for the sudoers file:

%minecraft= NOPASSWD: /usr/local/bin/minecraftctl /bin/systemctl

But that would allow the user to manage ALL services (ssh, databases), not only the minecraft ones and gives essentially root access (you can do systemctl edit and modify any unit to just give you full root access and then execute that unit).

Your current script probably works for you as you have full access (you can just run sudo -i and open an interactive shell as root), but a more restricted user will just not be able to run the script without it failing.

The only way I managed to get the script to run without the prompt is by using sudo and removing the below from minecraftctl

And you can run my original script with explicit sudo: sudo minecraftctl will work just as fine as minecraftctl when set up properly. Your removal just made it so that you have to use sudo for it to work.