How/why does npm recommend not running as root?


Question

In short...

First of all, why does npm suggest that it should only run as non-root? I highly disbelieve that every other package manager (apt, yum, gem, pacman) is wrong for requiring sudo.

Second, when I follow their suggestion (and run npm install as non-root), it won't work (because non-root doesn't have permission to /usr/local/lib). How do I follow their suggestion? I am not going to chown -R $USER /usr/local/lib, because that seems like a very bad idea to me.

Full description...

I installed npm via curl http://npmjs.org/install.sh | sudo sh (the instruction in their README).

When I run sudo npm install mongoose, npm tells me not to run it as root:

npm ERR! sudon't!
npm ERR! sudon't! Running npm as root is not recommended!
npm ERR! sudon't! Seriously, don't do this!
npm ERR! sudon't!

But when I run npm install mongoose without sudo I get the following:

npm info it worked if it ends with ok
npm info using npm@0.2.17
npm info using node@v0.4.0-pre
npm info fetch http://registry.npmjs.org/mongoose/-/mongoose-1.0.7.tgz
npm info calculating sha1 /tmp/npm-1297199132405/1297199132406-0.7044695958029479/tmp.tgz
npm info shasum b3573930a22066fbf3ab745a79329d5eae75b8ae
npm ERR! Could not create /usr/local/lib/node/.npm/.cache/mongoose/1.0.7/package.tgz
npm ERR! Failed creating the tarball.
npm ERR! This is very rare. Perhaps the 'gzip' or 'tar' configs
npm ERR! are set improperly?
npm ERR!
npm ERR! couldn't pack /tmp/npm-1297199132405/1297199132406-0.7044695958029479/contents/package to /usr/local/lib/node/.npm/.cache/mongoose/1.0.7/package.tgz
npm ERR! Error installing mongoose@1.0.7
npm ERR! Error: EACCES, Permission denied '/usr/local/lib/node/.npm/.cache/mongoose'
npm ERR! There appear to be some permission problems
npm ERR! See the section on 'Permission Errors' at
npm ERR!   http://github.com/isaacs/npm#readme
npm ERR! This will get better in the future, I promise.
npm not ok

So it tells me I shouldn't use sudo, and then doesn't work if I follow their suggestion.

Which leads to my initial questions above.

Solution

Actually, npm does not recommend not running as root. Well, not any more.

It changed around the same time that you asked your question. This is how the README looked on February 7, 2011: "Using sudo with npm is Very Not Recommended. Anyone can publish anything, and package installations can run arbitrary scripts." It was explained later in more detail as "Option 4: HOLY COW NOT RECOMMENDED!! You can just use sudo all the time for everything, and ignore the incredibly obnoxious warnings telling you that you're insane for doing this."

See: https://github.com/isaacs/npm/tree/7288a137f3ea7fafc9d4e7d0001a8cd044d3a22e#readme

Now it is actually considered a recommended technique of installing npm:

Simple Install - To install npm with one command, do this:

curl http://npmjs.org/install.sh | sudo sh

See: https://github.com/isaacs/npm/tree/99f804f43327c49ce045ae2c105995636c847145#readme

My advice would be to never do it because it means basically this:

  1. find out what the local DNS (or anyone else spoofing the DNS response or poisoning the DNS cache) says is the IP address of npmjs.org
  2. connect with insecure TCP with that IP (or with whoever says it's his IP) on port 80
  3. trust the router that you think you should talk to (or anyone who gave you the DHCP response said you should talk to) to deliver packets to the right host
  4. possibly go through another layer of transparent caching proxy
  5. trust all other networks between you and the other end of the TCP connection
  6. don't know for sure who you are connected with
  7. cross your fingers
  8. request install.sh script over insecure HTTP with no verification whatsoever
  9. and then run whatever was returned by whoever you're talking to with maximum privileges on your machine, without even checking what it is.

As you can see this is really, literally, with no exaggeration giving root shell to whatever you get after asking for a script from the Internet over an insecure connection with no verification whatsoever. There are at least 5 different things that can go wrong here, any of which can lead to an attacker taking total control over your machine:

  1. DHCP spoofing
  2. ARP spoofing
  3. DNS cache poisoning
  4. DNS response spoofing
  5. TCP session hijacking

Also note that using 'sh' instead of 'sudo sh' is usually not any less risky unless you run it as a different user who doesn't have access to your private data, which is usually not the case.

You should use an HTTPS connection, if available, to download such scripts so you can at least verify who you are talking to, and even then I wouldn't run it without reading it first. Unfortunately npmjs.org has a self-signed certificate, so it doesn't really help in this case.

Fortunately npm is available on GitHub, which has a valid SSL certificate and from which you can download it over a secure connection. See github.com/isaacs/npm for details. But make sure that npm itself doesn't use insecure connections to download the files that it downloads; there should be an option in npm config.

Hope it helps. Good luck!
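The workflow the answer argues for (fetch the installer over an authenticated connection, verify it, read it, then run it; and keep npm itself off plain HTTP), as an added shell example that is not part of the original answer and not npm's own tooling. The installer URL, the expected digest and the install prefix below are placeholders you would fill in from a source you trust, not values from the page. The per-user prefix step addresses the EACCES error in the question (it uses npm's real `prefix`, `registry` and `strict-ssl` config keys, which the answer only alludes to); the digest check is what actually removes the "run whatever came back" step, since, as the answer notes, dropping `sudo` alone does not.

```sh
#!/bin/sh
# Added example, not code from the original answer or from npm.
# Replaces "curl http://... | sudo sh" with: download over HTTPS only,
# check a digest obtained out of band, read the script, then run it as an
# unprivileged user into a prefix that user owns.
set -eu

# Digest of a file; sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_script FILE EXPECTED_SHA256
# Exit status 0 only on an exact match, so a modified, truncated or
# substituted script (whatever poisoned DNS, ARP spoofing or a hijacked TCP
# session handed back) never reaches the shell.
verify_script() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# fetch_and_verify URL EXPECTED_SHA256 OUTFILE
# --proto '=https' refuses plain http:// even across redirects, curl checks
# the server certificate by default, and -f turns an HTTP error page into a
# failure instead of a "script". Nothing is piped into sh: the file lands on
# disk first and is deleted again if the digest does not match.
fetch_and_verify() {
  url=$1; expected=$2; out=$3
  curl --proto '=https' --tlsv1.2 -fsSL -o "$out" "$url"
  if ! verify_script "$out" "$expected"; then
    echo "digest mismatch for $url; deleting $out" >&2
    rm -f "$out"
    return 1
  fi
}

# Point npm at an HTTPS registry with certificate checking, and give it a
# prefix the current user owns so "npm install -g" needs neither sudo nor a
# chown of /usr/local/lib. Needs npm on PATH; writes to ~/.npmrc.
harden_npm_config() {
  prefix=${1:-"$HOME/.npm-global"}   # placeholder location, pick your own
  mkdir -p "$prefix"
  npm config set registry https://registry.npmjs.org/
  npm config set strict-ssl true
  npm config set prefix "$prefix"
  echo "add $prefix/bin to PATH to use globally installed commands"
}

# Usage (guarded so the definitions above can be sourced and tested offline):
#   INSTALLER_URL=https://example.invalid/install.sh     # placeholder
#   INSTALLER_SHA256=<digest from a signed release note>  # placeholder
#   RUN_INSTALL=1 sh thisfile.sh
if [ "${RUN_INSTALL:-0}" = 1 ]; then
  fetch_and_verify "$INSTALLER_URL" "$INSTALLER_SHA256" ./install.sh
  "${PAGER:-less}" ./install.sh   # read it before executing it
  sh ./install.sh                 # no sudo; the digest check, not the missing sudo, is the safeguard
  harden_npm_config               # then keep npm itself off plain HTTP
fi
```

The digest comes from somewhere other than the download itself (a signed release note, a git tag you fetched over HTTPS from github.com, a colleague who already audited the script); if the only place you can get it is the same untrusted channel, it proves nothing. Once `prefix` points at a directory you own, plain `npm install` no longer hits the `EACCES` on `/usr/local/lib` shown in the question.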
