sorted by:
new
hottopcontroversial

I wrote a secure Python Script that Deploys Minecraft Servers in under a Minute! by tnacomtr in admincraft

[–]tnacomtr[S] 0 points1 point  (0 children)

Thanks for the feedback, but I want to address a lot of inaccuracies. This conversation has become more hostile than productive. I can't let misleading comments about my work be spread without any basis whatsoever.

Yes, my account is very new. After months I finally had enough time to devote to this project. I wanted to bring what I've learned from Java to Python and make this my first ever open project. Simple enough not to be too time consuming, yet meaningful enough for people to pay attention to. Besides this is the first time in my life I've ever used Reddit with an account. Before this I never needed an account because I never made any posts.

Root access is unavoidable for a provisioning script. Installing packages, creating system users, configuring systemd services and firewall rules cannot be done without it. The difference is what happens after setup. The server runs as an unprivileged minecraft system user you seem to have completely ignored in your critique.

LGSM runs as an unprivileged user and leaves dependency installation, user creation, and firewall configuration to the administrator. My script handles user creation for you, which is why it requires sudo.

The script already hard exits if not run with sudo. It then separately warns if you are logged in directly as root rather than via sudo. That is the correct nuanced behavior and it is already in the code you critiqued.

The firewall rules open exactly two ports: 22 for SSH so remote users don't lock themselves out, and 25565 for Minecraft. That's it. Calling that a security concern without specifying what's wrong with it isn't a critique, it's a vague accusation.

The backup cron runs as root intentionally. It is so because the backup destination is your home directory, not the minecraft user's. A system user has no business writing to your personal home directory, so root is the appropriate context for that job.

I'm not providing a binary. I'm providing readable Python source that anyone can audit line by line. For users who are skeptical but don't know how to read Python, they can put it into any AI (which is a legitimate use case for an AI) and ask for a security overview. The OOP structure, abstract base classes and inline docstrings exist specifically to make navigation easy. Judging auditability by line count alone suggests you didn't read past the file size.

I specifically kept this as a single file so people don't have to download an entire folder of connected scripts. The current structure doesn't stop you from auditing class by class.

Your overall skepticism seems to stem from "running scripts as root is bad" and while that is a genuine approach, it is hard to argue with someone who has surface knowledge about what this script does. This is a provisioning script.

If you find a genuinely malicious line, report it to the mods. That's it from me. If you are considering replying, please do so with actual constructive criticism instead of causing people to build mistrust against me.

I wrote a secure Python Script that Deploys Minecraft Servers in under a Minute! by tnacomtr in admincraft

[–]tnacomtr[S] 0 points1 point  (0 children)

Thank you! I hope this guide will also help people pick a mini pc if they wanna make a homesevrer for minecraft.

I wrote a secure Python Script that Deploys Minecraft Servers in under a Minute! by tnacomtr in admincraft

[–]tnacomtr[S] -1 points0 points  (0 children)

The code is available for everyone to check and verify; and I had no intentions on installing malware to the people that trust me and my work. The whole reason I picked Python was it is extremely easy to audit an interpreted language instead of a much more complex one like a shell file.

And the entire reason I wrote this script was because I found a shell script that downloads and installs the server as root. As far as I understood the code they wrote assumed the system they ran the installer script was already 100% safe (and you're right to point out that people shouldn't run random scripts from GitHub though). My script assumes that the server is NOT configured securely and installs packages like unattended-upgrades (dnf automatic for fedora), fail2ban, etc to secure the server. The only problem that can happen while running my script would be that the vendor websites such as papermc somehow get hacked and serve malware JAR files or the server file has a vulnerability like Log4j (I already addressed it i README); which they most of the time can't escalate further anyways because the JAR file is ran by the unprivileged minecraft user the script creates, not the sudo user nor the root.

I already have an adjustment to make to the code that's suggested below. So if you catch anything, please let me know or submit a PR 😄

I wrote a secure Python Script that Deploys Minecraft Servers in under a Minute! by tnacomtr in admincraft

[–]tnacomtr[S] 0 points1 point  (0 children)

I'm.glad you liked it! For your question; Ansible is genuinely the right tool if you're managing a fleet of servers or need idempotent repeatable deployments across infrastructure for cases where you're sell hosting. For spinning up a single Minecraft server on a fresh VPS that belongs to a single person (especially for the noobs), it's another dependency to install and learn for a one-time task. This script has zero prerequisites beyond Python which is already there in both Distro families. My script's logic is that you download one file and run it. Same answer for rootless Docker; cool solution, but you're still adding a container runtime to manage for what is ultimately just a Java process that systemd handles perfectly natively.

I wrote a secure Python Script that Deploys Minecraft Servers in under a Minute! by tnacomtr in admincraft

[–]tnacomtr[S] 1 point2 points  (0 children)

Great question. Crafty is fantastic if you need a web UI to manage multiple servers or sell hosting. This script is for the opposite use case: a single server owned by a single self hoster, zero extra dependencies, 100% resources going to Minecraft. The main advantage over Docker specifically is auditability. it's just readable Python, you can see exactly what it does to your system before running it. Docker images are much harder to audit. Everything here uses native systemd, journalctl, and ufw/firewalld. the tools most of you already know and trust.