Run npm as superuser, it isn't a good idea?

Problem description

I'm getting errors with npm while trying to install/update packages without SU permissions on Linux.

The easy way to solve the problem is to execute sudo npm install <package>, but I'm not sure if it is a good idea.

The best way is to become the owner of the .npm folder, as I found in StackOverflow questions and blog posts.

My question is: why isn't it a good idea to run npm as SU?

Recommended answer

Running npm as a super user has a risk of running some untrusted code as a super user which can potentially mess with your entire system. Running npm as an unprivileged user has a risk of running that code with less privileges and it won't be able to mess with the entire system - just with your own files (which can be equally bad, depending on how you look at it).

What I often do and recommend is to install Node in your home directory instead of globally on the system if it's your own computer. That way you don't have to run with sudo or su for npm or even for make install of Node itself.

I run a lot of versions of Node that I compile from sources sometimes with different switches and the convention that I use is to install Node in versioned directories, either globally in /opt (but then you need sudo) or locally in my home directory in ~/opt.

I do it like this:

wget https://nodejs.org/dist/v7.1.0/node-v7.1.0.tar.gz
tar xzvf node-v7.1.0.tar.gz
cd node-v7.1.0
./configure --prefix=$HOME/opt/node-v7.1.0
make && make test && make install

Then I create a symlink ~/opt/node pointing to ~/opt/node-v7.1.0 and I have:

PATH="$HOME/opt/node/bin:$PATH"

in my .profile or .bashrc.

That way I don't have to run as super user for installing Node or for running npm.

As a bonus I can quickly switch my default Node version just by changing the symlink, and at any time I can run any other version if I change the PATH or run Node with a full path like ~/opt/node-v7.0.0/bin/node.

I explained that installation process in more detail in my other answers:

I don't want to go into too much detail here since this answer is about why running npm as a superuser is not a good idea - this installation process is just one solution to not have to run npm as a superuser.

Other options of setting your npm permissions to avoid running as a superuser are described in Fixing npm permissions in npm docs (thanks to RyanZim for pointing it out in the comments).
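
The per-user layout described in the answer above can be checked and switched with a few shell functions. This is an added example, not code from the answer: the function names count_foreign_owned, use_node_version and audit_user_node are hypothetical, and it assumes the ~/opt/node-<version> directories, the ~/opt/node symlink and the ~/.npm folder mentioned on this page.

```shell
#!/bin/sh
# Added example: function names and checks are assumptions, not from the answer.

# Print how many entries under DIR are not owned by user id OWNER_UID.
# A non-zero count in ~/.npm or ~/opt usually points to an earlier "sudo npm" run.
count_foreign_owned() {
    dir=$1 owner_uid=$2
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" ! -user "$owner_uid" 2>/dev/null | wc -l | tr -d ' '
}

# Point OPT_DIR/node at OPT_DIR/node-VERSION, following the answer's symlink scheme.
# Refuses when the version is missing or its tree is not fully owned by the caller.
use_node_version() {
    opt_dir=$1 version=$2
    target="$opt_dir/node-$version"
    if [ ! -x "$target/bin/node" ]; then
        echo "no node binary in $target" >&2
        return 1
    fi
    foreign=$(count_foreign_owned "$target" "$(id -u)")
    if [ "$foreign" -ne 0 ]; then
        echo "$foreign entries in $target belong to another user" >&2
        return 2
    fi
    # -n replaces the link itself instead of descending into the old target.
    ln -sfn "$target" "$opt_dir/node"
}

# Report ownership of the install tree and the npm cache folder.
# Returns non-zero when something there would push you back to sudo.
audit_user_node() {
    opt_dir=${1:-$HOME/opt} cache_dir=${2:-$HOME/.npm}
    rc=0
    for d in "$opt_dir" "$cache_dir"; do
        n=$(count_foreign_owned "$d" "$(id -u)")
        echo "$d: $n entries not owned by $(id -un)"
        [ "$n" -eq 0 ] || rc=1
    done
    return $rc
}
```

Source the file, then run audit_user_node with no arguments to check ~/opt and ~/.npm, and use_node_version "$HOME/opt" v7.1.0 to repoint the default version.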
