secruity: Fix CVE-2021-44228 mitigation (#1190)

As described in https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition,
versions below 1.7 are not affected by the log4j exploit. They should therefore not use any mitigations.

See #1179 discussion after merge.

Reported-and-tested-by: Daniel Porter "Stealthii" <dan.porter@rehabstudio.com>

.github/workflows/build-multiarch.yml

@@ -9,6 +9,7 @@ on:
       - java16*
       - java17*
       - test/*
+      - fix/*
     tags:
       - "[0-9]+.[0-9]+.[0-9]+"
       - "[0-9]+.[0-9]+.[0-9]+-java8-multiarch"
@@ -67,7 +68,7 @@ jobs:
           load: true
           push: false
           cache-from: type=gha
-          cache-to: type=gha,mode=max
+          # no cache-to to avoid cross-cache update from next build step
 
       - name: Run tests
         # It is assumed that image variants are merged from master and tested there

Dockerfile

@@ -1,4 +1,4 @@
-FROM adoptopenjdk:11-jdk
+FROM eclipse-temurin:17-jdk
 
 LABEL org.opencontainers.image.authors="Geoff Bourne <itzgeoff@gmail.com>"
 
@@ -26,7 +26,7 @@ RUN apt-get update \
 RUN addgroup --gid 1000 minecraft \
   && adduser --system --shell /bin/false --uid 1000 --ingroup minecraft --home /data minecraft
 
-COPY files/sudoers* /etc/sudoers.d
+COPY --chmod=644 files/sudoers* /etc/sudoers.d
 
 EXPOSE 25565 25575
 
@@ -60,7 +60,7 @@ RUN easy-add --var os=${TARGETOS} --var arch=${TARGETARCH}${TARGETVARIANT} \
  --var version=0.1.1 --var app=maven-metadata-release --file {{.app}} \
  --from https://github.com/itzg/{{.app}}/releases/download/{{.version}}/{{.app}}_{{.version}}_{{.os}}_{{.arch}}.tar.gz
 
-ARG MC_HELPER_VERSION=1.9.10
+ARG MC_HELPER_VERSION=1.10.0
 ARG MC_HELPER_BASE_URL=https://github.com/itzg/mc-image-helper/releases/download/v${MC_HELPER_VERSION}
 RUN curl -fsSL ${MC_HELPER_BASE_URL}/mc-image-helper-${MC_HELPER_VERSION}.tgz \
     | tar -C /usr/share -zxf - \
@@ -78,15 +78,14 @@ ENV UID=1000 GID=1000 \
   ENABLE_AUTOPAUSE=false AUTOPAUSE_TIMEOUT_EST=3600 AUTOPAUSE_TIMEOUT_KN=120 AUTOPAUSE_TIMEOUT_INIT=600 \
   AUTOPAUSE_PERIOD=10 AUTOPAUSE_KNOCK_INTERFACE=eth0
 
-COPY scripts/start* /
-COPY bin/ /usr/local/bin/
-COPY bin/mc-health /health.sh
-COPY files/server.properties /tmp/server.properties
-COPY files/log4j2.xml /tmp/log4j2.xml
-COPY files/autopause /autopause
+COPY --chmod=755 scripts/start* /
+COPY --chmod=755 bin/ /usr/local/bin/
+COPY --chmod=755 bin/mc-health /health.sh
+COPY --chmod=644 files/server.properties /tmp/server.properties
+COPY --chmod=644 files/log4j2.xml /tmp/log4j2.xml
+COPY --chmod=755 files/autopause /autopause
 
-RUN dos2unix /start* && chmod +x /start* \
-    && dos2unix /autopause/* && chmod +x /autopause/*.sh
+RUN dos2unix /start* /autopause/*
 
 ENTRYPOINT [ "/start" ]
 HEALTHCHECK --start-period=1m CMD mc-health

README.md

@@ -134,7 +134,7 @@ By default, the container will download the latest version of the "vanilla" [Min
    * [Running on RaspberryPi](#running-on-raspberrypi)
    * [Contributing](#contributing)
 
-<!-- Added by: runner, at: Tue Dec  7 03:43:47 UTC 2021 -->
+<!-- Added by: runner, at: Sat Dec 11 22:09:10 UTC 2021 -->
 
 <!--te-->
 
@@ -846,30 +846,35 @@ values.
 
 > **NOTE** it is very important to set this with servers exposed to the internet where you want only limited players to join.
 
-To whitelist players for your Minecraft server, pass the Minecraft usernames separated by commas via the `WHITELIST` environment variable, such as
+To whitelist players for your Minecraft server, you can:
+- Provide the url or path to a whitelist file via `WHITELIST_FILE` environment variable  
+    `docker run -d -e WHITELIST_FILE=/extra/whitelist.json ...`
+- Provide a list of usernames and/or UUIDs separated by commas via the `WHITELIST` environment variable  
+    `docker run -d -e WHITELIST=user1,uuid2 ...`
 
-    docker run -d -e WHITELIST=user1,user2 ...
+To enforce the whitelist and auto-kick players not included in whitelist configuration, set `ENFORCE_WHITELIST=TRUE`. **By default** any user can join your Minecraft server if it's publicly accessible, regardless of your whitelist configuration.
 
-or 
+If whitelist configuration already exists, `WHITELIST_FILE` will not be retrieved and any usernames in `WHITELIST` are **added** to the whitelist configuration. You can enforce regeneration of the whitelist on each server startup by setting `OVERRIDE_WHITELIST` to "true". This will delete the whitelist file before processing whitelist configuration.
 
-    docker run -d -e WHITELIST=uuid1,uuid2 ...
+> NOTE: You can provide both `WHITELIST_FILE` and `WHITELIST`, which are processed in that order.
 
-If the `WHITELIST` environment variable is not used, any user can join your Minecraft server if it's publicly accessible.
+> NOTE: UUIDs passed via `WHITELIST` need to be the dashed variant, otherwise it not be recognised and instead added as a username.
 
-> NOTE: When using uuids in the whitelist, please make sure it is the dashed variant otherwise it will not parse correctly.
+> If running Minecraft 1.7.5 or earlier, these variables will apply to `white-list.txt`, with 1.7.6 implementing support for `whitelist.json`. Make sure your `WHITELIST_FILE` is in the appropriate format.
 
-> NOTE: When `WHITELIST` is used the server properties `white-list` and `whitelist` will automatically get set to `true`.
+If either `WHITELIST_FILE` or `WHITELIST` is provided, the server property `white-list` is automatically set to `true`, enabline whitelist functionality. Alternatively you can set `ENABLE_WHITELIST=TRUE` to only set the server property `white-list` without modifying the whitelist file. In this case the whitelist can be managed using the `whitelist add` and `whitelist remove` commands. Remember you can set enforcement via the `ENFORCE_WHITELIST` variable.
 
-> By default, the players in `WHITELIST` are **added** to the final `whitelist.json` file by the Minecraft server. If you set `OVERRIDE_WHITELIST` to "true" then the `whitelist.json` file will be recreated on each server startup.
-
-Alternatively, you can set `ENABLE_WHITELIST=true` to only set the server properties `white-list` and `whitelist` without modifying the whitelist file. In this case the whitelist is solely managed using the `whitelist add` and `whitelist remove` commands.
 ### Op/Administrator Players
 
-To add more "op" (aka adminstrator) users to your Minecraft server, pass the Minecraft usernames separated by commas via the `OPS` environment variable, such as
+Similar to the whitelist, to add users as operators (aka adminstrators) to your Minecraft server, you can:
+- Provide te url or path to an ops file via `OPS_FILE` environment variable  
+    `docker run -d -e OPS_FILE=https://config.example.com/extra/ops.json ...`
+- Provide a list of usernames and/or UUIDs separated by commas via the `OPS` environment variable  
+    `docker run -d -e OPS=user1,uuid2 ...`
 
-    docker run -d -e OPS=user1,user2 ...
+If ops configuration already exists, `OPS_FILE` will not be retrieved and any usernames in `OPS` are **added** to the ops configuration. You can enforce regeneration of the ops configuration on each server startup by setting `OVERRIDE_OPS` to "true". This will delete the ops file before processing ops configuration.
 
-> By default, the players in `OPS` are **added** to the final `ops.json` file by the Minecraft server. If you set `OVERRIDE_OPS` to "true" then the `ops.json` file will be recreated on each server startup.
+> Similar to whitelists, you can provide both `OPS_FILE` and `OPS`, and Minecraft 1.7.5 or earlier will use `ops.txt` rather than `ops.json`.
 
 ### Server icon
 
@@ -1327,6 +1332,8 @@ If you would like to `docker attach` to the Minecraft server console with color
 > This will bypass graceful server shutdown handling when using `docker stop`, so be sure the server console's `stop` command.
 > 
 > Make to enable stdin and tty with `-it` when using `docker run` or `stdin_open: true` and `tty: true` when using docker compose.
+>
+> This feature is incompatible with Autopause and cannot be set when `ENABLE_AUTOPAUSE=true`.
 
 ### Server Shutdown Options
 
@@ -1444,6 +1451,8 @@ Enable the Autopause functionality by setting:
 -e ENABLE_AUTOPAUSE=TRUE
 ```
 
+Autopause is not compatible with `EXEC_DIRECTLY=true` and the two cannot be set together.
+
 The following environment variables define the behaviour of auto-pausing:
 * `AUTOPAUSE_TIMEOUT_EST`, default `3600` (seconds)
   describes the time between the last client disconnect and the pausing of the process (read as timeout established)

docker-versions-create.sh

@@ -130,3 +130,28 @@ EOL
   fi
 
 done
+
+if [[ $tag ]]; then
+  if [ -f "$HOME/.github.env" ]; then
+    source "$HOME/.github.env"
+    if [[ $GITHUB_TOKEN ]]
+    then
+      auth=(-u ":$GITHUB_TOKEN")
+      base=https://api.github.com
+      : "${owner:=itzg}"
+      : "${repo:=docker-minecraft-server}"
+      read -r -d '' releaseBody << EOF
+        {
+          "tag_name": "$tag",
+          "name": "$tag",
+          "generate_release_notes": true
+        }
+EOF
+      if ! curl "${auth[@]}" -H "Accept: application/vnd.github.v3+json" \
+        "${base}/repos/${owner}/${repo}/releases" -d "$releaseBody"; then
+          echo "ERROR failed to create github release $tag"
+          exit 1
+      fi
+    fi
+  fi
+fi

scripts/start-configuration

@@ -32,6 +32,10 @@ if [ ! -e /data/eula.txt ]; then
   writeEula
 fi
 
+if isTrue "${ENABLE_AUTOPAUSE}" && isTrue "${EXEC_DIRECTLY:-false}"; then
+    log "EXEC_DIRECTLY=true is incompatible with ENABLE_AUTOPAUSE=true"
+    exit 1
+fi
 
 if [[ $PROXY ]]; then
     export http_proxy="$PROXY"
@@ -111,12 +115,14 @@ case "${TYPE^^}" in
   ;;
 
   FORGE)
+    if versionLessThan 1.17; then
     log "**********************************************************************"
     log "WARNING: The image tag itzg/minecraft-server:java8 is recommended"
     log "         since some mods require Java 8"
     log "         Exception traces reporting ClassCastException: class jdk.internal.loader.ClassLoaders\$AppClassLoader"
     log "         can be fixed with java8"
     log "**********************************************************************"
+    fi
     exec ${SCRIPTS:-/}start-deployForge "$@"
   ;;
 

scripts/start-deployAirplane

@@ -1,10 +1,11 @@
 #!/bin/bash
-set -euo pipefail
-IFS=$'\n\t'
 
 . ${SCRIPTS:-/}start-utils
+set -euo pipefail
 isDebugging && set -x
 
+IFS=$'\n\t'
+
 if [ "${VERSION}" != "LATEST" ] && [ "${VERSION}" != "1.16" ] && [ "${VERSION}" != "1.17" ] && [ "${VERSION}" != "PURPUR" ] && [ "${VERSION}" != "PURPUR-1.16" ] ; then
   log "ERROR: Airplane server type only supports VERSION=LATEST, VERSION=1.17, VERSION=1.16, VERSION=PURPUR or VERSION=PURPUR-1.16. Note that these are branches, not #.#.# versions."
   exit 1
@@ -35,6 +36,12 @@ log "Using Airplane-${AIRPLANE_BRANCH} branch"
 
 export SERVER=airplane-${AIRPLANE_BRANCH}-${AIRPLANE_BUILD}.jar
 
+log "Removing old Airplane versions ..."
+shopt -s nullglob
+for f in airplane-*.jar; do
+  [[ $f != $SERVER ]] && rm $f
+done
+
 if [ ! -f "$SERVER" ] || isTrue "${FORCE_REDOWNLOAD:-false}"; then
     downloadUrl="https://ci.tivy.ca/job/Airplane-${AIRPLANE_BRANCH}/${AIRPLANE_BUILD}/artifact/launcher-${AIRPLANE_TYPE}.jar"
     log "Downloading Airplane from $downloadUrl ..."
@@ -47,6 +54,7 @@ fi
 
 # Normalize on Spigot for later operations
 export TYPE=SPIGOT
+export FAMILY=SPIGOT
 export SKIP_LOG4J_CONFIG=true
 
 exec ${SCRIPTS:-/}start-spiget "$@"

scripts/start-deployBukkitSpigot

@@ -127,6 +127,7 @@ fi
 
 # Normalize on Spigot for operations below
 export TYPE=SPIGOT
+export FAMILY=SPIGOT
 export SKIP_LOG4J_CONFIG=true
 
 exec ${SCRIPTS:-/}start-spiget "$@"

scripts/start-deployCF

@@ -233,4 +233,5 @@ elif [ -e "${FTB_DIR}/Install.sh" ]; then
   popd
 fi
 
+export FAMILY=FORGE
 exec "${SCRIPTS:-/}start-setupWorld" "$@"

scripts/start-deployCanyon

@@ -44,6 +44,7 @@ fi
 
 # Normalize on Spigot for later operations
 export TYPE=SPIGOT
+export FAMILY=SPIGOT
 export SKIP_LOG4J_CONFIG=true
 
 exec ${SCRIPTS:-/}start-spiget "$@"

scripts/start-deployCatserver

@@ -28,5 +28,6 @@ fi
 
 export SKIP_LOG4J_CONFIG=true
 
+export FAMILY=HYBRID
 # Continue to Final Setup
 exec ${SCRIPTS:-/}start-setupWorld "$@"

scripts/start-deployCrucible

@@ -56,5 +56,6 @@ fi
 
 export SERVER
 export SKIP_LOG4J_CONFIG=true
+export FAMILY=HYBRID
 
 exec "${SCRIPTS:-$(dirname "$0")}/start-setupWorld" "$@"

scripts/start-deployCustom

@@ -31,5 +31,5 @@ else
 fi
 
 export SKIP_LOG4J_CONFIG=true
-
+export FAMILY=HYBRID
 exec ${SCRIPTS:-/}start-setupWorld $@

scripts/start-deployFTBA

@@ -79,4 +79,5 @@ if ! [ -v SERVER ]; then
   exit 2
 fi
 
+export FAMILY=FORGE
 exec ${SCRIPTS:-/}start-setupWorld $@

scripts/start-deployFabric

@@ -69,4 +69,5 @@ if [[ ! -e ${SERVER} ]]; then
   mv fabric-server-launch.jar "${SERVER}"
 fi
 
+export FAMILY=FABRIC
 exec ${SCRIPTS:-/}start-setupWorld "$@"

scripts/start-deployForge

@@ -147,4 +147,5 @@ else
   fi
 fi
 
+export FAMILY=FORGE
 exec "${SCRIPTS:-/}start-setupWorld" "$@"

scripts/start-deployLimbo

@@ -60,4 +60,5 @@ export LEVEL
 
 export SKIP_LOG4J_CONFIG=true
 
+export FAMILY=LIMBO
 exec ${SCRIPTS:-/}start-setupWorld $@

scripts/start-deployMagma

@@ -89,4 +89,5 @@ else
   fi
 fi
 
-exec ${SCRIPTS:-/}start-setupWorld $@
+export FAMILY=HYBRID
+exec ${SCRIPTS:-/}start-setupWorld "$@"

scripts/start-deployMohist

@@ -40,4 +40,5 @@ fi
 
 export SKIP_LOG4J_CONFIG=true
 
+export FAMILY=HYBRID
 exec "${SCRIPTS:-$(dirname "$0")}/start-setupWorld" "$@"

scripts/start-deployPaper

@@ -74,6 +74,7 @@ fi
 
 # Normalize on Spigot for downstream operations
 export TYPE=SPIGOT
+export FAMILY=SPIGOT
 export SKIP_LOG4J_CONFIG=true
 
 exec ${SCRIPTS:-/}start-spiget "$@"

scripts/start-deployPurpur

@@ -32,6 +32,7 @@ fi
 
 # Normalize on Spigot for later operations
 export TYPE=SPIGOT
+export FAMILY=SPIGOT
 export SKIP_LOG4J_CONFIG=true
 
 exec ${SCRIPTS:-/}start-spiget "$@"

scripts/start-deploySpongeVanilla

@@ -37,4 +37,5 @@ if [ ! -e $SERVER ] || [ -n "$FORCE_REDOWNLOAD" ]; then
   curl -sSL -o $SERVER https://repo.spongepowered.org/maven/org/spongepowered/$TYPE/$SPONGEVERSION/$SERVER
 fi
 
-exec ${SCRIPTS:-/}start-setupWorld $@
+export FAMILY=SPONGE
+exec ${SCRIPTS:-/}start-setupWorld "$@"

scripts/start-deployVanilla

@@ -52,5 +52,5 @@ elif [[ -L /data/minecraft_server.jar ]]; then
 fi
 
 isDebugging && ls -l
-
+export FAMILY=VANILLA
 exec "${SCRIPTS:-/}start-setupWorld" "$@"

scripts/start-finalExec

@@ -3,28 +3,93 @@
 . ${SCRIPTS:-/}start-utils
 isDebugging && set -x
 
-if [ -n "$OPS" ]; then
-  log "Updating ops"
-  rm -f /data/ops.txt.converted
-  echo $OPS | awk -v RS=, '{print}' > /data/ops.txt
-fi
-if isTrue "${OVERRIDE_OPS}"; then
-  log "Recreating ops.json file at server startup"
-  rm -f /data/ops.json
+if versionLessThan 1.7.6; then
+  opsFile=ops.txt
+  whitelistFile=white-list.txt
+else
+  opsFile=ops.json
+  whitelistFile=whitelist.json
 fi
 
-if [ -n "$WHITELIST" ]; then
-  log "Updating whitelist"
-  rm -f /data/white-list.txt.converted
-  if [[ $WHITELIST == *"-"* ]]; then
-    echo $WHITELIST | awk -v RS=, '{print}' | xargs -l -i curl -s https://playerdb.co/api/player/minecraft/{} | jq -r '.["data"]["player"] | {"uuid": .id, "name": .username}' | jq -s . > "whitelist.json"
+function process_user_file() {
+  local output=$1
+  local source=$2
+
+  if isURL "$source"; then
+    log "Downloading $output from $source"
+    if ! get -o /data/$output "$source"; then
+      log "ERROR: failed to download from $source"
+      exit 2
+    fi
   else
-    echo $WHITELIST | awk -v RS=, '{print}' > /data/white-list.txt
+    log "Copying $output from $source"
+    if ! cp "$source" /data/$output; then
+      log "ERROR: failed to copy from $source"
+      exit 1
+    fi
   fi
+}
+
+function process_user_csv() {
+  local output=$1
+  local list=$2
+  local playerDataList
+
+  if [[ "$output" == *"ops"* ]]; then
+    # Extra data for ops.json
+    userData='{"uuid": .id, "name": .username, "level": 4}'
+  else
+    userData='{"uuid": .id, "name": .username}'
+  fi
+
+  log "Updating ${output%.*}"
+  for i in ${list//,/ }
+  do
+    if [ -e "$output" ] && grep -q "$i" "$output"; then
+      log "$i already present in $output, skipping"
+      continue
+    fi
+    if ! playerData=$(get "https://playerdb.co/api/player/minecraft/$i" | jq -re ".data.player"); then
+      log "WARNING: Could not lookup user $i for ${output} addition"
+    else
+      playerDataList=$playerDataList$(echo $playerData | jq -r "$userData")
+    fi
+  done
+  local newUsers=$(echo $playerDataList | jq -s .)
+  if [[ $output =~ .*\.txt ]]; then
+    # username list for txt config (Minecraft <= 1.7.5)
+    echo $newUsers | jq -r '.[].name' >> /data/${output}
+    sort -u /data/${output} -o /data/${output}
+  elif [ -e /data/${output} ]; then
+    # Merge with existing json file
+    local currentUsers=$(cat /data/${output})
+    jq --argjson current "$currentUsers" --argjson new "$newUsers" -n '$new + $current | unique_by(.uuid)' > /data/${output}
+  else
+    # New json file
+    echo $newUsers > /data/${output}
+  fi
+}
+
+if isTrue "${OVERRIDE_OPS}"; then
+  log "Recreating ${opsFile} file at server startup"
+  rm -f /data/${opsFile}
 fi
+if [ -n "${OPS_FILE}" ] && [ ! -e "/data/${opsFile}" ]; then
+  process_user_file ${opsFile} "$OPS_FILE"
+fi
+if [ -n "${OPS}" ]; then
+  process_user_csv ${opsFile} "$OPS"
+fi
+
 if isTrue "${OVERRIDE_WHITELIST}"; then
-  log "Recreating whitelist.json file at server startup"
-  rm -f /data/whitelist.json
+  log "Recreating ${whitelistFile} file at server startup"
+  rm -f /data/${whitelistFile}
+fi
+if [ -n "${WHITELIST_FILE}" ] && [ ! -e "/data/${whitelistFile}" ]; then
+  process_user_file ${whitelistFile} "$WHITELIST_FILE"
+fi
+if [ -n "${WHITELIST}" ]; then
+  process_user_csv ${whitelistFile} "$WHITELIST"
 fi
 
 if [ -n "$ICON" ]; then
@@ -42,7 +107,36 @@ if [ -n "$ICON" ]; then
     fi
 fi
 
+canUseRollingLogs=true
+
+patchLog4jConfig() {
+  file=${1?}
+  url=${2?}
+  if ! get -o "$file" "$url"; then
+    log "ERROR: failed to download corrected log4j config"
+    exit 1
+  fi
+  JVM_OPTS="-Dlog4j.configurationFile=${file} ${JVM_OPTS}"
+  canUseRollingLogs=false
+}
+
+# Patch Log4j remote code execution vulnerability
+# See https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
+if versionLessThan 1.7; then
+  : # No patch required here.
+elif isFamily VANILLA && versionLessThan 1.12; then
+  patchLog4jConfig log4j2_17-111.xml https://launcher.mojang.com/v1/objects/dd2b723346a8dcd48e7f4d245f6bf09e98db9696/log4j2_17-111.xml
+elif isFamily VANILLA && versionLessThan 1.17; then
+  patchLog4jConfig log4j2_112-116.xml https://launcher.mojang.com/v1/objects/02937d122c86ce73319ef9975b58896fc1b491d1/log4j2_112-116.xml
+elif versionLessThan 1.18.1; then
+  JVM_OPTS="-Dlog4j2.formatMsgNoLookups=true ${JVM_OPTS}"
+fi
+
 if isTrue ${ENABLE_ROLLING_LOGS:-false}; then
+  if ! ${canUseRollingLogs}; then
+    log "ERROR: Using rolling logs is currently not possible in the selected version due to CVE-2021-44228"
+    exit 1
+  fi
   # Set up log configuration
   LOGFILE="/data/log4j2.xml"
   if [ ! -e "$LOGFILE" ]; then
@@ -85,9 +179,6 @@ if [ -n "$JVM_DD_OPTS" ]; then
       done
 fi
 
-# Patch Log4j remote code execution vulnerability
-JVM_OPTS="-Dlog4j2.formatMsgNoLookups=true ${JVM_OPTS}"
-
 if isTrue ${ENABLE_JMX}; then
   : ${JMX_PORT:=7091}
   JVM_OPTS="${JVM_OPTS}

scripts/start-setupServerProperties

@@ -33,15 +33,18 @@ function setServerProp {
 }
 
 function customizeServerProps {
-  if [ -n "$WHITELIST" ] || isTrue "${ENABLE_WHITELIST:-false}"; then
-    log "Creating whitelist"
-    setServerPropValue "whitelist" "true"
+  # Whitelist processing
+  if [ -n "$WHITELIST" ] || [ -n "$WHITELIST_FILE" ] || isTrue "${ENABLE_WHITELIST:-false}"; then
+    log "Enabling whitelist functionality"
     setServerPropValue "white-list" "true"
   else
-    log "Disabling whitelist"
-    setServerPropValue "whitelist" "false"
+    log "Disabling whitelist functionality"
     setServerPropValue "white-list" "false"
   fi
+  setServerProp "enforce-whitelist" ENFORCE_WHITELIST
+  if [[ $(grep "enforce-whitelist" $SERVER_PROPERTIES) != *true ]]; then
+    log "WARNING: whitelist enabled but not enforced. Set ENFORCE_WHITELIST=TRUE or update 'enforce-whitelist' in server.properties to enforce the whitelist."
+  fi
 
   # If not provided, generate a reasonable default message-of-the-day,
   # which shows up in the server listing in the client
@@ -104,7 +107,6 @@ function customizeServerProps {
   setServerProp "op-permission-level" OP_PERMISSION_LEVEL
   setServerProp "prevent-proxy-connections" PREVENT_PROXY_CONNECTIONS
   setServerProp "use-native-transport" USE_NATIVE_TRANSPORT
-  setServerProp "enforce-whitelist" ENFORCE_WHITELIST
   setServerProp "simulation-distance" SIMULATION_DISTANCE
   setServerPropValue "motd" "$(echo "$MOTD" | mc-image-helper asciify)"
   [[ $LEVEL_TYPE ]] && setServerPropValue "level-type" "${LEVEL_TYPE^^}"

scripts/start-utils

@@ -112,34 +112,7 @@ function normalizeMemSize() {
 }
 
 function versionLessThan() {
-  local activeParts
-  version=${VANILLA_VERSION%%-*} # for snapshot/rc versions
-  version=${version##b} # for versions like b1.7.3
-  IFS=. read -ra activeParts <<<"${version}"
-
-  local givenParts
-  IFS=. read -ra givenParts <<<"$1"
-
-  if ((${#activeParts[@]} < 2)); then
-    return 1
-  fi
-
-  if ((${#activeParts[@]} == 2)); then
-    if ((activeParts[0] < givenParts[0])) ||
-      ((activeParts[0] == givenParts[0] && activeParts[1] < givenParts[1])); then
-      return 0
-    else
-      return 1
-    fi
-  else
-    if ((activeParts[0] < givenParts[0])) ||
-      ((activeParts[0] == givenParts[0] && activeParts[1] < givenParts[1])) ||
-      ((activeParts[0] == givenParts[0] && activeParts[1] == givenParts[1] && activeParts[2] < givenParts[2])); then
-      return 0
-    else
-      return 1
-    fi
-  fi
+  mc-image-helper compare-versions "${VANILLA_VERSION}" lt "${1?}"
 }
 
 requireVar() {
@@ -163,7 +136,7 @@ requireEnum() {
     fi
   done
 
-  log "ERROR: $var must be set to one of $@"
+  log "ERROR: $var must be set to one of $*"
 #  exit 1
 }
 
@@ -189,4 +162,13 @@ function get() {
     flags+=("--debug")
   fi
   mc-image-helper "${flags[@]}" get "$@"
+}
+
+function isFamily() {
+  for f in "${@}"; do
+    if [[ $FAMILY == "$f" ]]; then
+      return 0
+    fi
+  done
+  return 1
 }