Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sudo npm deletes ownership of root #4312

Closed
2 tasks done
ecoCuyo opened this issue Jan 23, 2022 · 4 comments
Closed
2 tasks done

sudo npm deletes ownership of root #4312

ecoCuyo opened this issue Jan 23, 2022 · 4 comments
Labels
Bug thing that needs fixing Priority 2 secondary priority issue Release 8.x work is associated with a specific npm 8 release

Comments

@ecoCuyo
Copy link

ecoCuyo commented Jan 23, 2022

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

After installing node with the following commands
$ sudo curl -sL https://deb.nodesource.com/setup_17.x | sudo -E bash -
$ sudo apt-get install -y nodejs
$ sudo apt-get install -y nodejs
$ sudo npm --version: 8.3.1
$ sudo node --version v17.4.0
$ git clone https://github.com/Koenkk/zigbee2mqtt.git /opt/zigbee2mqtt ... owned by user.group openhabian. openhabian
$ cd /opt/zigbee2mqtt
$ sudo npm ci
I got prompted with
1 high severity vulnerability To address all issues, run: npm audit fix
Run npm install -g [email protected] to update!
and then:
$ sudo npm audit
Prompts to:
# npm audit report
follow-redirects <1.14.7 Severity: high
Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
fix available via npm audit fix
node_modules/zigbee-herdsman-converters/node_modules/follow-redirects
marked <4.0.10
Severity: high
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
fix available via "npm audit fix"
node_modules/zigbee-herdsman-converters/node_modules/zigbee-herdsman/node_modules/marked
node_modules/zigbee-herdsman/node_modules/marked
typedoc <=0.22.10 || >=1.0.0-dev.1
Depends on vulnerable versions of marked
node_modules/zigbee-herdsman-converters/node_modules/zigbee-herdsman/node_modules/typedoc
node_modules/zigbee-herdsman/node_modules/typedoc
3 high severity vulnerabilities
To address all issues, run:
npm audit fix
When I finally ran the update:
$ sudo npm install -g [email protected]
changed 17 packages, and audited 215 packages in 8s
11 packages are looking for funding
runnpm fund for details
3 moderate severity vulnerabilities
To address all issues, run:
npm audit fix
Run "npm audit" for details.
And just then the system ist destroyed, for example:
$ sudo npm audit
Prompts with:
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
Also many other files belong to 1001 then, e.g. th whole directory /usr/bin :
ls -l /usr/bin/sudo
-rwxr-xr-x 1 1001 1001 147560 Jan 20 2021 /usr/bin/sudo

Expected Behavior

The installation must not change ownership on vital resources of the system, especially it must not revoke the access rights of root!

Steps To Reproduce

  1. In this environment Raspberry 4 on Raspbian buster
  2. With this config... openhab2 installation
    After installing node with the following commands
    $ sudo curl -sL https://deb.nodesource.com/setup_17.x | sudo -E bash -
    $ sudo apt-get install -y nodejs
    $ sudo apt-get install -y nodejs
    $ sudo npm --version: 8.3.1
    $ sudo node --version v17.4.0
    $ git clone https://github.com/Koenkk/zigbee2mqtt.git /opt/zigbee2mqtt ... owned by user.group openhabian. openhabian
    $ cd /opt/zigbee2mqtt
    $ sudo npm ci
    I got prompted with
    1 high severity vulnerability To address all issues, run: npm audit fix
    Run npm install -g [email protected] to update!
    and then:
    $ sudo npm audit
    Prompts to:
    # npm audit report
    follow-redirects <1.14.7 Severity: high
    Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
    fix available via npm audit fix
    node_modules/zigbee-herdsman-converters/node_modules/follow-redirects
    marked <4.0.10
    Severity: high
    Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
    fix available via "npm audit fix"
    node_modules/zigbee-herdsman-converters/node_modules/zigbee-herdsman/node_modules/marked
    node_modules/zigbee-herdsman/node_modules/marked
    typedoc <=0.22.10 || >=1.0.0-dev.1
    Depends on vulnerable versions of marked
    node_modules/zigbee-herdsman-converters/node_modules/zigbee-herdsman/node_modules/typedoc
    node_modules/zigbee-herdsman/node_modules/typedoc
    3 high severity vulnerabilities
    To address all issues, run:
    npm audit fix
    When I finally ran the update:
    $ sudo npm install -g [email protected]
    changed 17 packages, and audited 215 packages in 8s
    11 packages are looking for funding
    runnpm fund for details
    3 moderate severity vulnerabilities
    To address all issues, run:
    npm audit fix
    Run "npm audit" for details.
    And just then the system ist destroyed, for example:
    $ sudo npm audit
    Prompts with:
    sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
    Also many other files belong to 1001 then, e.g. th whole directory /usr/bin :
    ls -l /usr/bin/sudo
    -rwxr-xr-x 1 1001 1001 147560 Jan 20 2021 /usr/bin/sudo

Environment

  • npm version: 8.3.1
  • Node.js: version v17.4.0
  • OS Name: Raspbian
  • System Model Name:
  • npm config:
; copy and paste output from `npm config ls` here
@ecoCuyo ecoCuyo added Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release labels Jan 23, 2022
@ecoCuyo
Copy link
Author

ecoCuyo commented Jan 23, 2022

Full OS-Info:
$ uname -a
Linux openhab 5.10.63-v7l+ #1496 SMP Wed Dec 1 15:58:56 GMT 2021 armv7l GNU/Linux

@nlf nlf added Priority 2 secondary priority issue and removed Needs Triage needs review for next steps labels Mar 8, 2022
@nlf
Copy link
Contributor

nlf commented Mar 8, 2022

this is absolutely a problem. we have begun discussions about how to handle file ownership here npm/rfcs#546

@x-yuri
Copy link

x-yuri commented Oct 15, 2022

@ecoCuyo While the main point is reasonable (npm shouldn't change sudo or other executables), I wonder what makes you run npm --version, node --version, npm ci, and npm audit under sudo? And why do you run npm ci, not npm install?

@nlf
Copy link
Contributor

nlf commented Jan 4, 2023

npm@9 no longer attempts to modify file ownership at all, which should resolve this issue. if you're still seeing problems after updating to the latest npm@9 please feel free to reopen this issue

@nlf nlf closed this as completed Jan 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Bug thing that needs fixing Priority 2 secondary priority issue Release 8.x work is associated with a specific npm 8 release
Projects
None yet
Development

No branches or pull requests

3 participants