npm / cli

the package manager for JavaScript
https://docs.npmjs.com/cli/

[BUG] `npm i -g foo` changes ownership of files under /usr/bin #4010

Closed emi2k01 closed 1 year ago

emi2k01 commented 3 years ago

Is there an existing issue for this?

This issue exists in the latest npm version

Current Behavior

After running sudo npm i -g foo files under /usr/bin that were owned by root are now owned by the current user.

I ran sudo npm i -g typescript and it was installed correctly I think. Then I ran sudo npm i -g vscode-langservers-extracted and I got sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set.

I think the packages I installed are irrelevant because I still get the same errors after installing other packages globally with sudo.

This looks similar to #19883 but as far as I can see, only /usr/bin/ files are affected.

Expected Behavior

npm should not change ownership of files under /usr/bin

Steps To Reproduce

  1. In this environment... Linux npm v8.1.3
  2. With this config... Default
  3. Run 'sudo npm i -g typescript' (the package doesn't matter)
  4. See: files under /usr/bin changing ownership

In this video, you can see what happens. When I stop writing, it's because I'm going to another tty as root to execute chown root:root /usr/bin/sudo && chmod 4755 /usr/bin/sudo. The video also shows npm version v8.0.0, but I updated to v8.1.3 and the same thing happens.

https://user-images.githubusercontent.com/78516649/140661644-b54fa9ce-7ce1-43de-a1c5-2bd892ce29e6.mov

Environment
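As an added example (not code from the npm project or from this issue's author), a small POSIX shell audit that catches the ownership change described in this report: snapshot /usr/bin before a global install, diff it afterwards, and verify the exact invariant the sudo error message names (owned by uid 0, setuid bit set). It assumes GNU stat; the BSD/macOS equivalent is noted in a comment.

```shell
#!/bin/sh
# Added example, not part of npm: snapshot owner/group/mode of every direct
# child of a directory, diff it against a later snapshot, and check the
# invariant sudo requires. Intended use:
#   snapshot_dir /usr/bin > before.txt; sudo npm i -g <pkg>
#   snapshot_dir /usr/bin > after.txt
#   diff_snapshots before.txt after.txt && check_setuid_root /usr/bin/sudo
# Assumes GNU stat (-c); on BSD/macOS substitute: stat -f '%N %u %g %Lp'.
# Paths containing spaces are not handled (one whitespace-separated record per line).

# Print "path uid gid mode" for each direct child of DIR, sorted for stable diffs.
snapshot_dir() {
  find "$1" -mindepth 1 -maxdepth 1 -exec stat -c '%n %u %g %a' {} + | sort
}

# Print every path whose uid, gid or mode differs between two snapshots.
# Exit 0 when nothing changed, 1 otherwise (paths added/removed are ignored).
diff_snapshots() {
  awk 'NR==FNR { before[$1] = $2 " " $3 " " $4; next }
       ($1 in before) && before[$1] != $2 " " $3 " " $4 {
         print $1 ": " before[$1] " -> " $2 " " $3 " " $4; changed++
       }
       END { exit (changed > 0) }' "$1" "$2"
}

# Exit 0 if an octal mode as printed by `stat %a` (e.g. 4755) has setuid set.
# The leading digit holds the special bits: 4 = setuid, 2 = setgid, 1 = sticky.
mode_has_setuid() {
  [ $(( $1 / 1000 & 4 )) -ne 0 ]
}

# Exit 0 only if FILE is owned by uid 0 and carries the setuid bit, i.e. the
# condition from "sudo: /usr/bin/sudo must be owned by uid 0 and have the
# setuid bit set" quoted in this issue.
check_setuid_root() {
  set -- $(stat -c '%u %a' "$1")
  [ "$1" -eq 0 ] && mode_has_setuid "$2"
}
```

Recovery after a detected change is the same two commands the reporter used (chown root:root and chmod 4755 on /usr/bin/sudo), run from a root shell obtained some other way.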

tomgrossman commented 2 years ago

Hi, what is the timeline for this? It's critical for stations with endpoint protection, for example my MacBook with SentinelOne. I can't upgrade my global npm because of this.

theredcat commented 2 years ago

Same issue as https://github.com/npm/cli/issues/3705

theredcat commented 2 years ago

@nlf Could you look at this or pass the information? It seems a pretty serious issue.

jonathanpmartins commented 2 years ago

New minor version of npm available! 8.4.0 -> 8.5.4

Node: v14.19.0

I just lost sudo privileges on my server after running sudo npm install -g npm@8.5.4.

sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

This is bad!

theredcat commented 2 years ago

4312

jonathanpmartins commented 2 years ago

@emi2k01 Does this make sense? https://github.com/npm/cli/issues/3705#issuecomment-1068409070

What is the ownership of your /usr/bin folder?

emi2k01 commented 2 years ago

@emi2k01 Does this make sense? https://github.com/npm/cli/issues/3705#issuecomment-1068409070

What is the ownership of your /usr/bin folder?

I have no idea, sorry. This was a long time ago and I switched to installing binaries under ~/.local/ since then.

wraithgar commented 2 years ago

There is an rrfc open for this https://github.com/npm/rfcs/issues/546

michaelsproul commented 2 years ago

I just encountered a variant of this issue that made me think my entire machine was compromised. npm tried to change the permissions of my local Firefox profile while uninstalling an unrelated global package:

$ sudo npm uninstall ganache-cli
npm ERR! code ENOENT
npm ERR! syscall lchown
npm ERR! path /home/redacted/.mozilla/firefox/xxxx.default-release/storage/default/https+++web.whatsapp.com/idb/9999999999wcaw.sqlite-wal
npm ERR! errno -2
npm ERR! enoent ENOENT: no such file or directory, lchown '/home/redacted/.mozilla/firefox/xxxx.default-release/storage/default/https+++web.whatsapp.com/idb/9999999999wcaw.sqlite-wal'
npm ERR! enoent This is related to npm not being able to find a file.
npm ERR! enoent

I'm running an old version of npm (7.5.2) and won't be upgrading, because I would prefer to never run npm on this machine ever again.

ljharb commented 2 years ago

@michaelsproul you should never, ever run npm with sudo unless it’s with -g. Also, leaving an unsupported buggy version of npm on your machine seems decidedly worse than either upgrading it, or uninstalling node and npm.

michaelsproul commented 2 years ago

leaving an unsupported buggy version of npm on your machine seems decidedly worse than either upgrading it, or uninstalling node and npm.

I'm deleting every trace of it right now.

nlf commented 1 year ago

npm@9 no longer attempts to modify file ownership at all, which should resolve this problem. Please feel free to reopen this issue if you still experience this after updating to the latest npm@9.