[BUG] npm refuses to run if the home directory is inaccessible

[ChlodAlejandro]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

Currently happens on npm 8.6.0 and later. Attempting to run any npm command if the user's home directory does not exist (possible for system-only Linux users) makes npm exit without having output anything (well, it does output a newline) and returns with an error code of 243.

Expected Behavior

npm commands should work as expected. Even basic commands, such as showing the version (npm -v) provide no output and also exit with the aforementioned error code.

Steps To Reproduce

1. Have no home directory (sudo adduser --system --no-create-home test)
2. Install npm 8.6.0 or 8.7.0.
3. Attempt to run any npm command.

The following shell logs demonstrate the issue. Reproduction done in a Debian docker container to avoid spinning up a whole VM just to test this with a clean slate.

root@c2f1f15a3d97:/test# npm i -g [email protected]

added 1 package, and audited 218 packages in 8s

11 packages are looking for funding
  run `npm fund` for details

1 moderate severity vulnerability

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

root@c2f1f15a3d97:/test$ npm -v
8.5.0
root@c2f1f15a3d97:/test# su test -s /bin/bash
test@c2f1f15a3d97:/test$ ls ~
ls: cannot access '/home/test': No such file or directory
test@c2f1f15a3d97:/test$ npm -v
8.5.0
test@c2f1f15a3d97:/test$ exit
exit
root@c2f1f15a3d97:/test# npm i -g [email protected]

removed 20 packages, changed 63 packages, and audited 201 packages in 7s

10 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
npm notice
npm notice New minor version of npm available! 8.5.0 -> 8.7.0
npm notice Changelog: https://github.com/npm/cli/releases/tag/v8.7.0
npm notice Run npm install -g [email protected] to update!
npm notice
root@c2f1f15a3d97:/test# su test -s /bin/bash
test@c2f1f15a3d97:/test$ npm -v

test@c2f1f15a3d97:/test$ npm -ddd -v

test@c2f1f15a3d97:/test$ npm -v --timing

test@c2f1f15a3d97:/test$ echo $?
243
test@c2f1f15a3d97:/test$ ls -la
total 8
drwxr-xr-x 2 test root 4096 Apr 17 11:45 .
drwxr-xr-x 1 root root 4096 Apr 17 11:45 ..
test@c2f1f15a3d97:/test$ exit
exit
root@c2f1f15a3d97:/test# npm i -g [email protected]

removed 6 packages, changed 50 packages, and audited 197 packages in 19s

10 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
root@c2f1f15a3d97:/test# npm -v
8.7.0
root@c2f1f15a3d97:/test# su test -s /bin/bash
test@c2f1f15a3d97:/test$ npm -v -ddd

test@c2f1f15a3d97:/test$ echo $?
243
test@c2f1f15a3d97:/test$

Environment

• npm: 8.6.0, 8.7.0
• Node.js: v16.14.2
• OS Name: Debian
• System Model Name: Hetzner CX21 Virtual Private Server
• npm config:

; npm config -ls returns no output.

[marcchanwork]

Not sure if this related, but I also have an issue with a nonroot user not being able to run npm cli for v8.6.0 and above. (Working for v8.5.5). NPM crashes (?) with new line returned with error code 254.
Some workarounds I did was to set both prefix and cache to nonroot user directory, which allows npm to run as expected.

However, I am still having permission issues for the logs:
npm WARN logfile could not be created: Error: EROFS: read-only file system, open '/home/node/.npm-global/_logs/2022-04-29T12_56_24_184Z-debug-0.log'

[salvozappa]

When npm is run by a user without a home folder, the home folder is set to /.

This is the "normal" behaviour, even for older versions of npm not affected by this issue.
See:

docker run --user $(id -u $USER) --rm node:16.15.0 npm config get
; node bin location = /usr/local/bin/node
; cwd = /
; HOME = /
; Run `npm config ls -l` to show all defaults.

Note:
* $USER doesn't have a home folder in the docker image
* This docker image comes with npm 8.5.5, still not affected by this issue

If we run the same command with the latest npm version, we get the crash with exit code 243:

docker run --user $(id -u $USER) --rm node:latest npm config get; echo $?

243

The issue was introduced in 8.6.0, specifically by cc6c094.
When npm is initialised, it tries to create a cache folder in the home folder here. If the home folder is / it will try to create the cache folder in /.npm causing the following error:

{
  errno: -2,
  code: "ENOENT",
  syscall: "mkdir",
  path: "/.npm",
}

This looks to be a permission issue, since npm is not allowed to create a folder in the system root folder.

I guess the behaviour introduced in cc6c094 is fine but I don't think it's a good idea to fallback to / when the user has no home folder.

@lukekarrys any thoughts?

[spaceemotion]

I stumbled upon the same issue today. My docker containers are being run using AWS Lambda. The trick by creating a /.npm folder does not work - since only /tmp is writable.

Declaring the HOME variable in the Dockerfile also does not seem to work properly. Adding it in front of any npm commands does the trick, but is a very hacky solution.

Is there a global config to disable the logging instead having to add --max-log=0 to every command?

[compnski]

This is a very surprising change!

It also breaks read-only container filesystems.
For example: podman run -e --read-only --rm -ti -v .:/app -w /app node:16.15.1 npm run dev

[jstasiak]

We're experiencing the same issue when the user's home directory exists but is not accessible (trying to access it results in error code EACCES/13). npm 8.5.5 logs some warnings and keeps going. npm 8.11.1 dies with exit code 243 (it calls exit(-13) but -13 gets translated to 243).

Node 16.15.1, Linux, inside Docker.

[lukekarrys]

this seems related to #4838 also. i believe the fix will be able to be applied to both

[neilstuartcraig]

Hoping this might help someone:
I hit this bug on Google Cloud Build and it caused my builds to fail on the first step which used npm - the only error output was from Build itself with just said the return code wass 243.

I am using the standard Node Docker images (https://hub.docker.com/_/node/) with security config as per https://snyk.io/blog/10-best-practices-to-containerize-nodejs-web-applications-with-docker/ - the pertinent part being running under the node user rather than root.

It turns out that Cloud Build sets/overrides the HOME env var to /builder/home which causes npm to use that as the home dir (I presume) which fails the build, as mentioned.

The "fix" is to override what Cloud Build sets the environment var to in each Build step which uses npm, e.g.:

- id: run_unit_tests
  name: 'gcr.io/$PROJECT_ID/$_APP_NAME:$SHORT_SHA'
  dir: /usr/local/app
  entrypoint: "npm"
  args: ["run", "unit"]
  env:
    - 'HOME=/home/node'

Anyway, as I say, I hope that helps someone. I have raise the issue with Google and am hoping they'll stop setting the env var which causes the problem - and also, obviously would be good for npm not to fail silently but to describe the error.

[dokterbob]

Hi all, NPM developers,

This bug has been reported in April. It has obvious security implications.
What is the reason this is still open? What is blocking it's resolution?

Thanks for your great work on NPM, a crucial piece of infrastructure.

Cheers,
Mathijs

[ljharb]

@dokterbob what are the security implications? I see none.

[marcchanwork]

@ljharb As a workaround, we are fixing npm version to 8.5.5 in order to run in production with a read-only filesystem. However, there is detected vuln for this version: CVE-2022-29244

If there is a workaround for the current bug, so that we can bump version to the latest npm, it would be very much appreciated. Thanks

[ljharb]

@marcchanwork thats not the security implications of this bug, though.

[dokterbob]

Sorry for belated reply. The security implications is that one is required to give npm write access to the home directory. We can't apply the principle of least privilege this way.

For example, we can't run npm with a nonexistent home directory, or without any write access to the FS for that matter.

(Great to see this seems to be solved.)

[poVoq]

Is it possible that there was a regression on this?

I am on NPM 9.8.1 (from Fedora repos) and are seeing this exact problem when running npm install as a user without a home directory.

[hlovdal]

Related issue: [BUG] Extra .npm directory created in user's home while npm_config_cache set.

[Ukkostaja]

Is it possible that there was a regression on this?

I am on NPM 9.8.1 (from Fedora repos) and are seeing this exact problem when running npm install as a user without a home directory.

same from the official deb source.