First of all, why does npm suggest that it should only run as non-root? I highly disbelieve that every other package manager (apt, yum, gem, pacman) is wrong for requiring sudo.
Second, when I follow their suggestion (and run npm install as non-root), it won't work (because non-root doesn't have permission to /usr/local/lib). How do I follow their suggestion? I am not going to chown -R $USER /usr/local/lib, because that seems like a very bad idea to me.
I installed npm via curl http://npmjs.org/install.sh | sudo sh (the instruction in their README).

When I run sudo npm install mongoose, npm tells me not to run it as root:

    npm ERR! sudon't!
    npm ERR! sudon't! Running npm as root is not recommended!
    npm ERR! sudon't! Seriously, don't do this!
    npm ERR! sudon't!

But when I run npm install mongoose without sudo I get the following:

    npm info it worked if it ends with ok
    npm info using [email protected]
    npm info using [email protected]
    npm info fetch http://registry.npmjs.org/mongoose/-/mongoose-1.0.7.tgz
    npm info calculating sha1 /tmp/npm-1297199132405/1297199132406-0.7044695958029479/tmp.tgz
    npm info shasum b3573930a22066fbf3ab745a79329d5eae75b8ae
    npm ERR! Could not create /usr/local/lib/node/.npm/.cache/mongoose/1.0.7/package.tgz
    npm ERR! Failed creating the tarball.
    npm ERR! This is very rare. Perhaps the 'gzip' or 'tar' configs
    npm ERR! are set improperly?
    npm ERR!
    npm ERR! couldn't pack /tmp/npm-1297199132405/1297199132406-0.7044695958029479/contents/package to /usr/local/lib/node/.npm/.cache/mongoose/1.0.7/package.tgz
    npm ERR! Error installing [email protected]
    npm ERR! Error: EACCES, Permission denied '/usr/local/lib/node/.npm/.cache/mongoose'
    npm ERR! There appear to be some permission problems
    npm ERR! See the section on 'Permission Errors' at
    npm ERR! http://github.com/isaacs/npm#readme
    npm ERR! This will get better in the future, I promise.
    npm not ok
So it tells me I shouldn't use sudo, and then doesn't work if I follow their suggestion.
Which leads to my initial questions above.
On a development machine, you should not install and run Node.js with root permissions, otherwise things like npm link, npm install -g will need the same permissions. NVM (Node Version Manager) allows you to install Node.

From the blog Don't run Node.js as root by Olivier Lalonde: Indeed, if you are running your server as root and it gets hacked through a vulnerability in your code, the attacker will have total control over your machine. This means the attacker could potentially wipe out your whole disk or worse.

Running sudo npm install (without -g) will create a local directory that can only be altered by the root user. This can really screw things up for you if you try to do npm <something> in the same directory or project later on.

Run “npm config get prefix” in your terminal. This will give the path of global node_modules: for example, /usr/local. Change the user permissions for this folder by using the following command: sudo chown -R <user_id> /usr/local/
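The answers above either chown the system-wide prefix or reach for NVM. A third route that also avoids sudo, shown here as an added example rather than code from any of the answers, is to point npm's global prefix at a directory the user already owns by writing the prefix key into ~/.npmrc; the directory name ~/.npm-global is an arbitrary choice and nothing here requires npm to be installed to run.

```shell
#!/bin/sh
# Added example (not from the original answers): give npm a per-user
# global prefix instead of chown'ing /usr/local. npm reads the "prefix"
# key from $HOME/.npmrc, so "npm install -g" and "npm link" then write
# into a directory the user already owns and never need sudo.
# The directory name ~/.npm-global is an arbitrary choice (assumption).

set -eu

# Write prefix=<dir> into $HOME/.npmrc (creating or replacing the key)
# and create the bin/ and lib/ layout npm expects under that prefix.
npm_user_prefix_setup() {
    prefix_dir="$1"
    rc="${HOME}/.npmrc"
    mkdir -p "${prefix_dir}/bin" "${prefix_dir}/lib"
    # drop any existing prefix line, keep the other keys
    if [ -f "$rc" ]; then
        grep -v '^prefix=' "$rc" > "${rc}.tmp" || true
        mv "${rc}.tmp" "$rc"
    fi
    printf 'prefix=%s\n' "$prefix_dir" >> "$rc"
    chmod 600 "$rc"          # ~/.npmrc may later hold auth tokens
}

# Read the prefix back the way a quick sanity check would, without npm.
npm_user_prefix_get() {
    sed -n 's/^prefix=//p' "${HOME}/.npmrc" | tail -n 1
}

# Return 0 when the configured prefix is writable by the current user
# (the condition the EACCES error in the question violates).
npm_user_prefix_writable() {
    dir="$(npm_user_prefix_get)"
    [ -n "$dir" ] && [ -w "$dir" ] && [ -w "${dir}/lib" ]
}

# PATH line to add to ~/.profile so globally installed CLIs are found.
npm_user_prefix_path_line() {
    printf 'export PATH="%s/bin:$PATH"\n' "$(npm_user_prefix_get)"
}

# Usage (assumes $HOME is the real home directory):
#   npm_user_prefix_setup "$HOME/.npm-global"
#   npm_user_prefix_path_line >> "$HOME/.profile"
```

After this, npm config get prefix reports the user directory and the cache/install paths in the error output above fall under it instead of /usr/local/lib.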
Actually, npm does not recommend not running as root. Well, not any more.
It has changed around the same time that you asked your question. This is how the README looked on February 7, 2011: "Using sudo with npm is Very Not Recommended. Anyone can publish anything, and package installations can run arbitrary scripts." It was explained later in more detail as "Option 4: HOLY COW NOT RECOMMENDED!! You can just use sudo all the time for everything, and ignore the incredibly obnoxious warnings telling you that you're insane for doing this."
See: https://github.com/isaacs/npm/tree/7288a137f3ea7fafc9d4e7d0001a8cd044d3a22e#readme
Now it is actually considered a recommended technique of installing npm:
Simple Install - To install npm with one command, do this:
curl http://npmjs.org/install.sh | sudo sh
See: https://github.com/isaacs/npm/tree/99f804f43327c49ce045ae2c105995636c847145#readme
My advice would be to never do it because it means basically this:
As you can see this is really, literally, with no exaggeration giving root shell to whatever you get after asking for a script from the Internet over an insecure connection with no verification whatsoever. There are at least 5 different things that can go wrong here, any of which can lead to an attacker taking total control over your machine:
Also note that using 'sh' instead of 'sudo sh' is usually not any less risky unless you run it as a different user who doesn't have access to your private data, which is usually not the case.
You should use HTTPS connections if available to download such scripts so you could at least verify who you are talking to, and even then I wouldn't run it without reading it first. Unfortunately npmjs.org has a self-signed certificate so it doesn't really help in this case.

Fortunately npm is available on GitHub, which has a valid SSL certificate and from where you can download it using a secure connection. See github.com/isaacs/npm for details. But make sure that npm itself doesn't use insecure connections to download the files that it downloads - there should be an option in npm config.
Hope it helps. Good luck!
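The answer's advice (fetch over a verifiable HTTPS connection, read the script, then decide whether to run it) as an added example that is not part of the original answer. It assumes an HTTPS URL served with a valid certificate and a checksum obtained from a trusted source out of band; the URL and digest in the usage comments are labelled placeholders.

```shell
#!/bin/sh
# Added example, not from the answer above: the manual equivalent of
# "download over a verified HTTPS connection, then read before running".
# Instead of piping curl straight into "sudo sh", fetch the script to a
# file, check it against a checksum obtained out of band (the values in
# the usage comments are placeholders, not real npm checksums), inspect
# it, and only then decide whether it needs root at all.

set -eu

# Hex SHA-256 of a file, using whichever tool the system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only when the file's digest equals the expected one
# (case-insensitive compare so pasted uppercase hex still matches).
verify_checksum() {
    file="$1"; expected="$2"
    actual="$(sha256_of "$file")"
    [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = \
      "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Fetch over HTTPS only: refuse non-HTTPS URLs up front and tell curl to
# reject any redirect to plain http, writing to a file the caller can
# open in a pager before running anything.
fetch_script() {
    url="$1"; out="$2"
    case "$url" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
    esac
    curl --fail --silent --show-error --proto '=https' --proto-redir '=https' \
         --tlsv1.2 -o "$out" "$url"
}

# Usage (all values are placeholders to fill in from a trusted source):
#   fetch_script "https://example.invalid/install.sh" install.sh
#   verify_checksum install.sh "<sha256 published by the project>" || exit 1
#   less install.sh     # read it: does it really need root?
#   sh install.sh       # run unprivileged where possible; sudo only if required
```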