When running a public Minecraft server, it's vital to understand the main security risks. Giving a server too much access to your machine can allow hackers or other malicious actors to do substantially more damage. Knowing how to prevent this is essential in running a public Minecraft server, or realistically any public internet service. Recently, Paper has started providing a message on startup to warn servers against this. If you see the following message, follow this guide to understand the risks and prevent them.

YOU ARE RUNNING THIS SERVER AS AN ADMINISTRATIVE OR ROOT USER. THIS IS NOT ADVISED.
YOU ARE OPENING YOURSELF UP TO POTENTIAL RISKS WHEN DOING THIS.
MALWARE AND MALICIOUS PLUGINS WILL HAVE COMPLETE ACCESS AND CONTROL OF YOUR MACHINE.

Why this is bad

In terms of security, it's a best practice only to provide a system with the permissions it needs to perform its function. For a Minecraft server, this generally means only accessing the files in the server folder, having access to the internet on the Minecraft server ports, and sometimes access MySQL. This means that if a hacker gets access to your server, all they can touch is your server.

If a server is running with root or poorly setup permissions, an attacker can access everything else on the machine. If you're running a server network, one compromised server means all servers are compromised. When malicious software has root access, it can also be complicated to undo any damage without resetting the machine completely.

It's not always possible to tell when a machine has been compromised either. While sometimes hackers will erase all files and prevent the device from booting, other times they'll use it as part of a botnet or install spyware.

Why it's a realistic threat

You might be thinking, "This won't happen to me". While you could technically be correct, it's not worth taking the risk. There have been numerous plugins on Spigot containing malicious code and authors of more reputable plugins having their accounts hijacked. Unless you only use code you have written personally, there's always a risk of something malicious.

Accidents happen

Having elevated permissions also makes it easier to make catastrophic accidents. If your user account can edit files all over the machine, it's easier to delete more than what you intended to accidentally. This problem is especially likely for people who are less experienced with the Linux command line.

It's also possible for a plugin or its configuration to mess up and cause harm. If a plugin or the server accidentally overwrote a critical system file, the machine could fail to boot and potentially lose data.

How to prevent it

The easiest way to prevent this problem is to create a new user and only give it access to that folder. For Linux users, check out this guide on how to do it. You can then create the server in the user's home folder and run the server while logged into that user.

If you're running a server network, you should have a separate user per server. Not doing so can lead to the issue mentioned above of one server compromising all servers.

Minecraft Server Hosts

If you're using a Minecraft server host, preventing this is up to your host. Contact your server host if you're getting this message, or realistically move to a more reputable host. If they have security flaws this large, they may have other problems too. Check out this article on the issues bad server hosts often have.

This article is part of a series on how to run a Minecraft server. Click here to check out more!

Maddy Miller

This article was written by Maddy Miller, a software engineer at Clipchamp. In her spare time she works on writing articles, as well as developing the Minecraft mods WorldEdit, WorldGuard, and CraftBook.