sudo npm deletes ownership of root #4312
Labels
Bug
thing that needs fixing
Priority 2
secondary priority issue
Release 8.x
work is associated with a specific npm 8 release
Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
After installing node with the following commands
$ sudo curl -sL https://deb.nodesource.com/setup_17.x | sudo -E bash -
$ sudo apt-get install -y nodejs
$ sudo apt-get install -y nodejs
$ sudo npm --version: 8.3.1
$ sudo node --version v17.4.0
$ git clone https://github.com/Koenkk/zigbee2mqtt.git /opt/zigbee2mqtt
... owned by user.group openhabian. openhabian$ cd /opt/zigbee2mqtt
$ sudo npm ci
I got prompted with
1 high severity vulnerability To address all issues, run: npm audit fix
Run npm install -g [email protected] to update!
and then:
$ sudo npm audit
Prompts to:
# npm audit report
follow-redirects <1.14.7
Severity: highExposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
fix available via npm audit fix
node_modules/zigbee-herdsman-converters/node_modules/follow-redirects
marked <4.0.10
Severity: high
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
fix available via "npm audit fix"
node_modules/zigbee-herdsman-converters/node_modules/zigbee-herdsman/node_modules/marked
node_modules/zigbee-herdsman/node_modules/marked
typedoc <=0.22.10 || >=1.0.0-dev.1
Depends on vulnerable versions of marked
node_modules/zigbee-herdsman-converters/node_modules/zigbee-herdsman/node_modules/typedoc
node_modules/zigbee-herdsman/node_modules/typedoc
3 high severity vulnerabilities
To address all issues, run:
npm audit fix
When I finally ran the update:
$ sudo npm install -g [email protected]
changed 17 packages, and audited 215 packages in 8s
11 packages are looking for funding
run
npm fundfor details
3 moderate severity vulnerabilities
To address all issues, run:
npm audit fix
Run "npm audit" for details.
And just then the system ist destroyed, for example:
$ sudo npm audit
Prompts with:
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
Also many other files belong to 1001 then, e.g. th whole directory /usr/bin :
ls -l /usr/bin/sudo
-rwxr-xr-x 1 1001 1001 147560 Jan 20 2021 /usr/bin/sudo
Expected Behavior
The installation must not change ownership on vital resources of the system, especially it must not revoke the access rights of root!
Steps To Reproduce
After installing node with the following commands
$ sudo curl -sL https://deb.nodesource.com/setup_17.x | sudo -E bash -
$ sudo apt-get install -y nodejs
$ sudo apt-get install -y nodejs
$ sudo npm --version: 8.3.1
$ sudo node --version v17.4.0
$ git clone https://github.com/Koenkk/zigbee2mqtt.git /opt/zigbee2mqtt
... owned by user.group openhabian. openhabian$ cd /opt/zigbee2mqtt
$ sudo npm ci
I got prompted with
1 high severity vulnerability To address all issues, run: npm audit fix
Run npm install -g [email protected] to update!
and then:
$ sudo npm audit
Prompts to:
# npm audit report
follow-redirects <1.14.7
Severity: highExposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
fix available via npm audit fix
node_modules/zigbee-herdsman-converters/node_modules/follow-redirects
marked <4.0.10
Severity: high
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
fix available via "npm audit fix"
node_modules/zigbee-herdsman-converters/node_modules/zigbee-herdsman/node_modules/marked
node_modules/zigbee-herdsman/node_modules/marked
typedoc <=0.22.10 || >=1.0.0-dev.1
Depends on vulnerable versions of marked
node_modules/zigbee-herdsman-converters/node_modules/zigbee-herdsman/node_modules/typedoc
node_modules/zigbee-herdsman/node_modules/typedoc
3 high severity vulnerabilities
To address all issues, run:
npm audit fix
When I finally ran the update:
$ sudo npm install -g [email protected]
changed 17 packages, and audited 215 packages in 8s
11 packages are looking for funding
run
npm fundfor details
3 moderate severity vulnerabilities
To address all issues, run:
npm audit fix
Run "npm audit" for details.
And just then the system ist destroyed, for example:
$ sudo npm audit
Prompts with:
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
Also many other files belong to 1001 then, e.g. th whole directory /usr/bin :
ls -l /usr/bin/sudo
-rwxr-xr-x 1 1001 1001 147560 Jan 20 2021 /usr/bin/sudo
Environment
; copy and paste output from `npm config ls` here
The text was updated successfully, but these errors were encountered: