node.js npm: How/why does npm recommend not running as root?
Notice: this page is a Chinese/English parallel translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you reuse it you must comply with the same CC BY-SA licence, cite the original URL and author information, and attribute it to the original author (not me): StackOverFlow
原文地址: http://stackoverflow.com/questions/4938592/
How/why does npm recommend not running as root?
Asked by Alexander Bird
In short...
First of all, why does npm suggest that it should only run as non-root? I highly disbelieve that every other package manager (apt, yum, gem, pacman) is wrong for requiring sudo.
Second, when I follow their suggestion (and run npm install as non-root), it won't work (because non-root doesn't have permission to /usr/local/lib). How do I follow their suggestion? I am not going to chown -R $USER /usr/local/lib, because that seems like a very bad idea to me.
Full description...
I installed npm via curl http://npmjs.org/install.sh | sudo sh (the instruction in their README).
When I run sudo npm install mongoose, npm tells me not to run it as root:
npm ERR! sudon't!
npm ERR! sudon't! Running npm as root is not recommended!
npm ERR! sudon't! Seriously, don't do this!
npm ERR! sudon't!
But when I run npm install mongoose without sudo I get the following:
npm info it worked if it ends with ok
npm info using [email protected]
npm info using [email protected]
npm info fetch http://registry.npmjs.org/mongoose/-/mongoose-1.0.7.tgz
npm info calculating sha1 /tmp/npm-1297199132405/1297199132406-0.7044695958029479/tmp.tgz
npm info shasum b3573930a22066fbf3ab745a79329d5eae75b8ae
npm ERR! Could not create /usr/local/lib/node/.npm/.cache/mongoose/1.0.7/package.tgz
npm ERR! Failed creating the tarball.
npm ERR! This is very rare. Perhaps the 'gzip' or 'tar' configs
npm ERR! are set improperly?
npm ERR!
npm ERR! couldn't pack /tmp/npm-1297199132405/1297199132406-0.7044695958029479/contents/package to /usr/local/lib/node/.npm/.cache/mongoose/1.0.7/package.tgz
npm ERR! Error installing [email protected]
npm ERR! Error: EACCES, Permission denied '/usr/local/lib/node/.npm/.cache/mongoose'
npm ERR! There appear to be some permission problems
npm ERR! See the section on 'Permission Errors' at
npm ERR! http://github.com/isaacs/npm#readme
npm ERR! This will get better in the future, I promise.
npm not ok
So it tells me I shouldn't use sudo, and then doesn't work if I follow their suggestion.
Which leads to my initial questions above.
Accepted answer by Zed
Actually, npm does not recommend not running as root. Well, not any more.
It has changed around the same time that you asked your question. This is how the README looked on February 7, 2011: "Using sudo with npm is Very Not Recommended. Anyone can publish anything, and package installations can run arbitrary scripts." It was explained later in more detail as "Option 4: HOLY COW NOT RECOMMENDED!! You can just use sudo all the time for everything, and ignore the incredibly obnoxious warnings telling you that you're insane for doing this."
See: https://github.com/isaacs/npm/tree/7288a137f3ea7fafc9d4e7d0001a8cd044d3a22e#readme
Now it is actually considered a recommended technique of installing npm:
Simple Install - To install npm with one command, do this:
curl http://npmjs.org/install.sh | sudo sh
See: https://github.com/isaacs/npm/tree/99f804f43327c49ce045ae2c105995636c847145#readme
My advice would be to never do it, because it means basically this:
- find out what the local DNS (or anyone else spoofing the DNS response or poisoning the DNS cache) says is the IP address of npmjs.org
- connect with insecure TCP with that IP (or with whoever says it's his IP) on port 80
- trust the router that you think you should talk to (or anyone who gave you the DHCP response said you should talk to) to deliver packets to the right host
- possibly go through another layer of transparent caching proxy
- trust all other networks between you and the other end of the TCP connection
- don't know for sure who you are connected with
- cross your fingers
- request install.sh script over insecure HTTP with no verification whatsoever
- and then run whatever was returned by whoever you're talking to with maximum privileges on your machine without even checking what is it.
As you can see this is really, literally, with no exaggeration, giving a root shell to whatever you get after asking for a script from the Internet over an insecure connection with no verification whatsoever. There are at least 5 different things that can go wrong here, any of which can lead to an attacker taking total control over your machine:
- DHCP spoofing
- ARP spoofing
- DNS cache poisoning
- DNS response spoofing
- TCP session hijacking
Also note that using 'sh' instead of 'sudo sh' is usually not any less risky unless you run it as a different user who doesn't have access to your private data, which is usually not the case.
You should use HTTPS connections if available to download such scripts so you could at least verify who you are talking to, and even then I wouldn't run it without reading first. Unfortunately npmjs.org has a self-signed certificate so it doesn't really help in this case.
Fortunately npm is available on GitHub that has a valid SSL certificate and from where you can download it using secure connection. See: github.com/isaacs/npm for details. But make sure that the npm itself doesn't use insecure connections to download the files that it downloads - there should be an option in npm config.
Hope it helps. Good luck!
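The answer above lists what `curl http://... | sudo sh` trusts and says to prefer HTTPS and to read the script before running it. The following shell functions are an added example of that fetch-then-verify pattern; they are not code from the original answers or from npm. They assume POSIX sh, curl and sha256sum (GNU coreutils), and treat the URL and the expected digest as placeholders: the digest must come from a source other than the download itself (a release page or a signed announcement), or verifying it proves nothing.

```shell
#!/bin/sh
# Added example, not from the original post: replace `curl http://URL | sudo sh`
# with "download over TLS only, check a digest obtained out of band, read it,
# then run it as yourself". No sudo appears anywhere in this flow.
# Assumptions: POSIX sh, curl, sha256sum; URL and digest values are placeholders.

# require_https URL -> 0 if URL starts with https://, 1 otherwise.
# Apply it to the installer URL and to `npm config get registry` alike.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
}

# verify_digest FILE EXPECTED_SHA256 -> 0 on match, 1 on mismatch.
# Never executes FILE; a missing sha256sum yields an empty digest and thus a mismatch.
verify_digest() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    if [ -n "$actual" ] && [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "digest mismatch for $1: got '${actual:-none}', want $2" >&2
    return 1
}

# fetch_and_verify URL EXPECTED_SHA256 OUT: download URL into OUT over HTTPS only,
# then verify OUT against EXPECTED_SHA256. OUT is deleted on any failure, so a
# bad download can never be left lying around for a later `sh OUT`.
fetch_and_verify() {
    url=$1; expected=$2; out=$3
    require_https "$url" || return 1
    # --proto '=https' also refuses a redirect to http://; --fail makes HTTP 4xx/5xx
    # a non-zero exit instead of saving an error page as the "script".
    if ! curl --fail --silent --show-error --proto '=https' --tlsv1.2 -o "$out" "$url"; then
        rm -f "$out"; return 1
    fi
    if ! verify_digest "$out" "$expected"; then
        rm -f "$out"; return 1
    fi
    echo "verified $out; read it, then run it as $(id -un), not root" >&2
    return 0
}

# Usage (placeholders; not executed when this file is sourced):
#   fetch_and_verify https://example.invalid/install.sh <sha256-from-release-page> ./install.sh \
#     && less ./install.sh && sh ./install.sh
#   require_https "$(npm config get registry)"   # npm's own downloads should be TLS too
```

The digest check is what separates this from a plain `curl -o` over HTTPS: TLS tells you which host you reached, the digest tells you the host served the bytes the maintainers published. Running the verified file with `sh` as the current user still executes whatever it contains, which is why the read step sits between the two.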
Answer by Scott Stensland
The simple answer is web servers should never be run as root for well known security reasons, so this goes for npm commands as well.
To start fresh, remove prior Node.js and npm installs as well as these files/directories:
mv ~/.npmrc ~/.npmrc~prior
mv ~/.npm ~/.npm~prior
mv ~/tmp ~/tmp.~prior
mv ~/.npm-init.js ~/.npm-init.js~prior
Solution: Install Node.js (which comes with npm) as NON root (no sudo)
Download Source Code directly from https://nodejs.org/en/download/
Execute the below as yourself (Linux/OS X)
cd node-v8.1.2 # into expanded source dir
export NODE_PARENT=${HOME}/node-v8.1.2 # put this into your ~/.bashrc
Feel free to change above export to whatever location is appropriate
./configure --prefix=${NODE_PARENT}
make -j4 # for dual core ... use -j8 for quad core CPU
make install
which puts the binaries for Node.js and npm as well as its modules repository into $NODE_PARENT, a $USER owned dir which then allows you to issue subsequent npm install xxx commands as yourself.
To reach the binaries for node and npm alter your PATH environment variables in your ~/.bashrc:
export PATH=${NODE_PARENT}/bin:${PATH}
export NODE_PATH=${NODE_PARENT}/lib/node_modules
Then to install packages into that directory (global), as opposed to the current directory (local) always pass in the -g flag (global):
npm install -g someModule
NOTE - at no time are you executing anything npm or node related as root / sudo.
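The whole procedure above rests on one property: the prefix that `./configure --prefix=` and `npm install -g` write into is a directory the current user owns and that sits outside the system trees. The following shell functions are an added example (not the answerer's code) that check that property before anything is built, print the three environment lines the answer adds to ~/.bashrc, and wrap the configure/make sequence behind that check. They assume POSIX sh plus `find -user` for the ownership test; the source-directory and prefix arguments are placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer: gate the non-root Node.js/npm install
# on the prefix actually being user-owned and outside /usr, /opt, etc., so that no
# later `npm install -g` ever needs sudo. Assumes POSIX sh and find(1) with -user.

# check_user_prefix DIR -> 0 if DIR is absolute, not under a system tree, exists,
# and is owned and writable by the current user; 1 otherwise (reason on stderr).
check_user_prefix() {
    dir=$1
    case "$dir" in
        /usr/*|/opt/*|/etc/*|/bin/*|/sbin/*|/lib/*|/lib64/*)
            echo "$dir is a system path; npm writing there needs root" >&2; return 1 ;;
        /*) ;;
        *)  echo "$dir is not an absolute path" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "$dir does not exist" >&2; return 1; }
    # find ... -prune -user NAME prints DIR only when DIR itself is owned by NAME (POSIX).
    if [ -z "$(find "$dir" -prune -user "$(id -un)" 2>/dev/null)" ]; then
        echo "$dir is not owned by $(id -un)" >&2; return 1
    fi
    [ -w "$dir" ] || { echo "$dir is not writable by $(id -un)" >&2; return 1; }
    return 0
}

# env_lines DIR prints the lines the answer tells you to put in ~/.bashrc for DIR.
env_lines() {
    printf 'export NODE_PARENT=%s\n' "$1"
    printf 'export PATH=%s/bin:${PATH}\n' "$1"
    printf 'export NODE_PATH=%s/lib/node_modules\n' "$1"
}

# install_node_from_source SRCDIR PREFIX: the answer's configure/make/make install,
# refused up front unless PREFIX passes check_user_prefix. Runs only when called.
install_node_from_source() {
    src=$1; prefix=$2
    mkdir -p "$prefix" || return 1
    check_user_prefix "$prefix" || return 1
    jobs=$(nproc 2>/dev/null || echo 2)
    ( cd "$src" && ./configure --prefix="$prefix" && make -j"$jobs" && make install ) || return 1
    env_lines "$prefix"
}

# Usage (placeholders; not executed when this file is sourced):
#   install_node_from_source "$HOME/node-v8.1.2" "$HOME/node-v8.1.2" >> "$HOME/.bashrc"
```

`check_user_prefix` deliberately rejects `/usr/local/lib` by path, not only by ownership: a prefix that happens to be writable because someone ran `chown -R $USER /usr/local/lib` is exactly the situation the question wanted to avoid, and the check keeps the install in a tree that was yours to begin with.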
Answer by Assertnotnull
Another reason for not installing NPM packages under root is that it will cause you to face file access problems with packages that are using node-gyp (ex: node-sass) because it builds C++ libs and those are not in the local node_modules folder.