[BUG] Install via Git fails when running with sudo (no access to SSH_AUTH_SOCK) about pacote HOT 4 OPEN

Yeah, I like that. We can definitely detect and print some helpful guidance. I think pacote itself should probably ultimately still do what it's currently doing, since it's usually the right thing, and more reliable than trying to chmod after the checkout.

from pacote.

Actually, looking into this again this morning, i forgot one thing in my 'When': The SSH agent socket of course needs to be owned by root, as in my STR.

If you're running sudo as an unprivileged user, and you've got it set up to pass that user's agent socket through, when pacote drops privileges it'll (normally) drop to that user's UID, which should match the socket, and that'll be fine. In my case, sudo is being used by an unprivileged user to run an automated build script, and that script is what's setting up the agent.

(Also, in case it wasn't clear, this did work fine for several years; it only just broke now after an NPM update)

from pacote.

So, if I'm reading this correctly, if you change the sudo sh -c '... to sudo -i sh -c '... or sudo -H sh -c '... then it works?

It's not too hard to detect the permission failure and tell the user to try that. Turning off the priv drop would be kind of hazardous, as for every one person affected by this issue, there are dozens who get stuff into a weird state with root-owned files in their cache directory.

What we might be able to do is turn off the priv drop, but then do a chown -R on the checked out files. That's somewhat less reliable, because the chown is yet another thing that can fail, but at least we'd be trying to leave stuff in a non-broken state.

from pacote.

So, if I'm reading this correctly, if you change the sudo sh -c '... to sudo -i sh -c '... or sudo -H sh -c '... then it works?

Yes. In that case, sudo will set (probably) HOME=/root, which is where it'll look for (or create) the cache directory, and since that directory will (probably) be owned by the same user that's running npm (root) it won't try to drop privileges.

Like i said, i'm not very familiar with NPM stuff, so i'm not sure what would be the best way for the tool to account for this situation, or if it should. But, speaking for myself, it would have been helpful if it had just printed a warning message like pip does telling you that it might cause problems. For reference, pip's message looks like this:

The directory '/home/foo/.cache/pip' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.

from pacote.