How/why does npm recommend not running as root?


Question

First of all, why does npm suggest that it should only run as non-root? I highly disbelieve that every other package manager (apt, yum, gem, pacman) is wrong for requiring sudo.

Second, when I follow their suggestion (and run npm install as non-root), it won't work (because non-root doesn't have permission to /usr/local/lib). How do I follow their suggestion? I am not going to chown -R $USER /usr/local/lib, because that seems like a very bad idea to me.

I installed npm via curl http://npmjs.org/install.sh | sudo sh (the instruction in their README).

When I run sudo npm install mongoose, npm tells me not to run it as root:

npm ERR! sudon't!
npm ERR! sudon't! Running npm as root is not recommended!
npm ERR! sudon't! Seriously, don't do this!
npm ERR! sudon't!

But when I run npm install mongoose without sudo I get the following:

npm info it worked if it ends with ok
npm info using npm@0.2.17
npm info using node@v0.4.0-pre
npm info fetch http://registry.npmjs.org/mongoose/-/mongoose-1.0.7.tgz
npm info calculating sha1 /tmp/npm-1297199132405/1297199132406-0.7044695958029479/tmp.tgz
npm info shasum b3573930a22066fbf3ab745a79329d5eae75b8ae
npm ERR! Could not create /usr/local/lib/node/.npm/.cache/mongoose/1.0.7/package.tgz
npm ERR! Failed creating the tarball.
npm ERR! This is very rare. Perhaps the 'gzip' or 'tar' configs
npm ERR! are set improperly?
npm ERR!
npm ERR! couldn't pack /tmp/npm-1297199132405/1297199132406-0.7044695958029479/contents/package to /usr/local/lib/node/.npm/.cache/mongoose/1.0.7/package.tgz
npm ERR! Error installing mongoose@1.0.7
npm ERR! Error: EACCES, Permission denied '/usr/local/lib/node/.npm/.cache/mongoose'
npm ERR! There appear to be some permission problems
npm ERR! See the section on 'Permission Errors' at
npm ERR!   http://github.com/isaacs/npm#readme
npm ERR! This will get better in the future, I promise.
npm not ok

So it tells me I shouldn't use sudo, and then doesn't work if I follow their suggestion.

Which leads to my initial questions above.

Accepted answer

Actually, npm does not recommend not running as root. Well, not any more.

It changed around the same time that you asked your question. This is how the README looked on February 7, 2011: "Using sudo with npm is Very Not Recommended. Anyone can publish anything, and package installations can run arbitrary scripts." It was explained later in more detail as "Option 4: HOLY COW NOT RECOMMENDED!! You can just use sudo all the time for everything, and ignore the incredibly obnoxious warnings telling you that you're insane for doing this."

See: https://github.com/isaacs/npm/tree/7288a137f3ea7fafc9d4e7d0001a8cd044e#readme

Now it is actually considered a recommended technique of installing npm:

Simple Install - To install npm with one command, do this:

curl http://npmjs.org/install.sh | sudo sh

See: https://github.com/isaacs/npm/tree/99f804f43327c49ce045ae2c105995636c847145#readme

My advice would be to never do it, because it means basically this:

  1. find out what the local DNS (or anyone else spoofing DNS responses or poisoning the DNS cache) says is the IP address of npmjs.org
  2. connect over insecure TCP on port 80 to that IP (or to whoever claims it is his IP)
  3. trust the routers you think you should be talking to (or whoever handed you a DHCP response and said you should talk to him) to deliver the packets to the right host
  4. possibly going through another layer of transparent caching proxies
  5. trust all of the other networks between you and the other end of the TCP connection
  6. not being sure who you are connected to
  7. cross your fingers
  8. request the install.sh script over insecure HTTP without any verification
  9. and then run whatever anyone you are talking to returns, with maximum privilege on your machine, without even checking what it is.

As you can see, this is really, literally, with no exaggeration, giving a root shell to whatever you get after asking for a script from the Internet over an insecure connection with no verification whatsoever. There are at least 5 different things that can go wrong here, any of which can lead to an attacker taking total control over your machine:

  1. DHCP spoofing
  2. ARP spoofing
  3. DNS cache poisoning
  4. DNS response spoofing
  5. TCP session hijacking

Also note that using 'sh' instead of 'sudo sh' is usually not any less risky unless you run it as a different user who doesn't have access to your private data, which is usually not the case.

You should use HTTPS connections if available to download such scripts, so you could at least verify who you are talking to, and even then I wouldn't run it without reading it first. Unfortunately npmjs.org has a self-signed certificate, so it doesn't really help in this case.

Fortunately npm is available on GitHub, which has a valid SSL certificate and from where you can download it using a secure connection. See: github.com/isaacs/npm for details. But make sure that npm itself doesn't use insecure connections to download the files that it downloads - there should be an option in npm config.

Hope it helps. Good luck!
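The safer sequence the answer argues for, written out as an added example (not part of the original question or answer): fetch the installer over HTTPS only, to a file rather than a pipe, compare its digest against one obtained out of band, read it, and only then decide whether to run it as your own user. The URL and digest in the usage comment are placeholders; the `sha256sum`/`shasum` fallback and the curl flags are assumptions about the local tooling.

```shell
#!/bin/sh
# Added example: download-verify-read-then-run instead of `curl ... | sudo sh`.
# Assumption: the expected SHA-256 was obtained out of band (release notes, a signed
# announcement), NOT from the same server that serves the script.

set -eu

# Compute a SHA-256 hex digest portably (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> exit 0 if the digest matches, 1 otherwise.
# The comparison is case-insensitive so a digest copied in upper case still matches.
verify_sha256() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$actual" = "$expected" ]
}

# fetch_script URL OUTFILE: refuse plain HTTP and protocol downgrades, fail on
# HTTP errors, and write to a file instead of to a shell.
fetch_script() {
    curl --proto '=https' --tlsv1.2 -fsSL -o "$2" "$1"
}

# install_verified URL EXPECTED_HEX: the full defensive sequence. Nothing is
# executed unless the digest matches; even then it runs without sudo, after you
# have read it. mktemp creates the file 0600, so no other local user can swap
# its contents between verification and execution.
install_verified() {
    tmp=$(mktemp)
    fetch_script "$1" "$tmp"
    if ! verify_sha256 "$tmp" "$2"; then
        echo "digest mismatch for $1; refusing to run" >&2
        rm -f "$tmp"
        return 1
    fi
    ${PAGER:-less} "$tmp"   # read what you are about to run
    sh "$tmp"               # as your own user, not root
    rm -f "$tmp"
}

# Usage (placeholder URL and digest, not real values):
# install_verified https://example.invalid/install.sh <sha256-from-release-notes>
```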

