Closed strugee closed 7 years ago
Wow didn't know that! Will put dropping privileges into dep then.
note:
Thanks for the info <3
@watilde happy to help! :tada:
Note that while it's understandable that npm does this, it means that scripts can't actually write to disk, often, which makes install scripts not capable of actually installing anything some troubling % of the time.
That's right! I can provide an option `unsafe-perm` for the install command as a workaround, but for now, we don't get any feature requests about it and I'm not sure how many modules require the root permission instead of the normal permission.
Let me research it! Also, I will open a new issue since it's a slightly different topic from this issue. Thanks for your note :)
The README states:
However a better thing to do in this case is to just drop privileges to e.g. `nobody`. This is what npm does and it actually ends up being more secure to run as the root user, since if you run as your regular user then lifecycle scripts have access to everything you do.

Side note, this looks like a really interesting project - good luck <3
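
The privilege drop discussed in this thread, as an added example that is not code from dep, npm, or any participant: when the installer runs as root, lifecycle scripts are spawned as `nobody` unless an `unsafe-perm`-style opt-out is set. The function names and the sample passwd entries are assumptions made for illustration.

```javascript
// Added example (not dep's or npm's code). All function names are hypothetical.

// Constructed sample of /etc/passwd content, used when no text is passed in.
const SAMPLE_PASSWD = [
  'root:x:0:0:root:/root:/bin/bash',
  'alice:x:1000:1000:Alice:/home/alice:/bin/bash',
  'nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin',
].join('\n');

// Resolve a user name to numeric uid/gid from passwd-format text.
function lookupUser(name, passwdText) {
  for (const line of passwdText.split('\n')) {
    const f = line.split(':');
    if (f.length >= 4 && f[0] === name) {
      const uid = Number(f[2]);
      const gid = Number(f[3]);
      if (Number.isInteger(uid) && Number.isInteger(gid)) return { uid, gid };
    }
  }
  return null;
}

// Decide the spawn options for a lifecycle script.
// currentUid: uid of the installer process; unsafePerm: opt-out that keeps root.
function lifecycleSpawnOptions(currentUid, unsafePerm, passwdText = SAMPLE_PASSWD) {
  const opts = { stdio: 'inherit', shell: true };
  // A non-root process cannot change uid; the opt-out keeps the caller's identity.
  if (currentUid !== 0 || unsafePerm) return opts;
  const target = lookupUser('nobody', passwdText);
  // Fail closed: never fall back to running the script as root.
  if (!target || target.uid === 0) throw new Error('cannot resolve unprivileged user');
  return { ...opts, uid: target.uid, gid: target.gid };
}

// Run one script with the chosen identity (reads the real /etc/passwd).
function runLifecycleScript(command, cwd, unsafePerm = false) {
  const { spawn } = require('child_process');
  const passwd = require('fs').readFileSync('/etc/passwd', 'utf8');
  const opts = lifecycleSpawnOptions(process.getuid(), unsafePerm, passwd);
  return spawn(command, { ...opts, cwd });
}
```

A script spawned this way can only write where `nobody` has permission, which is the limitation raised in the thread.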