Drop privileges as root

[strugee]

The README states:

To avoid from the risks related the lifecycle install scripts of the package while installing, dep doesn't allow you to run them if you are running dep install as a root user.

However a better thing to do in this case is to just drop privileges to e.g. nobody. This is what npm does and it actually ends up being more secure to run as the root user, since if you run as your regular user then lifecycle scripts have access to everything you do.

Side note, this looks like a really interesting project - good luck <3

[watilde]

Wow didn't know that! Will put dropping privileges into dep then. note:

• https://docs.npmjs.com/misc/scripts#user
• https://nodejs.org/api/process.html#process_process_initgroups_user_extra_group

Thanks for the info <3

[strugee]

@watilde happy to help! :tada:

[sam-github]

Note that while its understandable that npm does this, it means that scripts can't actually write to disk, often, which makes install scripts not capable of actually installing anything some troubling % of the time.

[watilde]

That's right! I can provide an option unsafe-perm for the install command as a work around, but for now, we don't get any feature requests about it and I'm not sure how many modules require the root permission instead of the normal permission.

Let me research about it! Also, I will open a new issue since it's slightly different topic with this issue. Thanks for your note :)