Comments (4)
Yeah, I like that. We can definitely detect and print some helpful guidance. I think pacote itself should probably ultimately still do what it's currently doing, since it's usually the right thing, and more reliable than trying to chmod after the checkout.
from pacote.
Actually, looking into this again this morning, I forgot one thing in my 'When': the SSH agent socket of course needs to be owned by root, as in my STR.
If you're running sudo as an unprivileged user, and you've got it set up to pass that user's agent socket through, when pacote drops privileges it'll (normally) drop to that user's UID, which should match the socket, and that'll be fine. In my case, sudo is being used by an unprivileged user to run an automated build script, and that script is what's setting up the agent.
(Also, in case it wasn't clear, this did work fine for several years; it only just broke now after an NPM update)
So, if I'm reading this correctly, if you change the `sudo sh -c '...` to `sudo -i sh -c '...` or `sudo -H sh -c '...` then it works?
It's not too hard to detect the permission failure and tell the user to try that. Turning off the priv drop would be kind of hazardous, as for every one person affected by this issue, there are dozens who get stuff into a weird state with root-owned files in their cache directory.
What we might be able to do is turn off the priv drop, but then do a `chown -R` on the checked out files. That's somewhat less reliable, because the chown is yet another thing that can fail, but at least we'd be trying to leave stuff in a non-broken state.
So, if I'm reading this correctly, if you change the `sudo sh -c '...` to `sudo -i sh -c '...` or `sudo -H sh -c '...` then it works?
Yes. In that case, sudo will set (probably) HOME=/root, which is where it'll look for (or create) the cache directory, and since that directory will (probably) be owned by the same user that's running npm (root) it won't try to drop privileges.
Like I said, I'm not very familiar with NPM stuff, so I'm not sure what would be the best way for the tool to account for this situation, or if it should. But, speaking for myself, it would have been helpful if it had just printed a warning message like pip does telling you that it might cause problems. For reference, pip's message looks like this:
The directory '/home/foo/.cache/pip' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.