On Sun, Jan 4, 2015 at 9:51 AM, Christopher Rust <[email protected]> wrote:
> Maybe it's common but I've never heard of anyone chowning /usr/local to
> their main user.

Let me introduce you to Isaac Schlueter:
http://foohack.com/2010/08/intro-to-npm/

And almost everyone I know.

If you are setting up a production machine, probably best to install
node as root, and if absolutely necessary to do any npm global
installs (should be rare), run the global installs as root, or with
sudo, and use --unsafe-perm so that scripts run with sufficient privs
to succeed, and so that the ~/.npm/ cache is writeable.

Yes, that means you need to trust the code you install globally as
root... and yes, you ***better*** trust things you install globally as
root on a production box!

> It seems especially dangerous if there's applications in
> there that expect to run under their own special user account.

And do so using suid/sgid bits? Not likely. Technically possible, but
that's not how systems generally run daemons as particular users.

> Forcing everything to be owned by your user may prevent you from having to
> type sudo but I'm not sure I see any other advantages.

Some advantages:

- a number of npm install scripts will fail when run with sudo,
because they are run with privs of nobody, and can't write to the fs,
the symptoms of which can be subtle and maddening to debug. I speak
from sad experience, here.
- keeping your .npm cache from containing a mix of root and user-owned packages

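A check for the two conditions discussed in this message, a cache or prefix with mixed root/user ownership and setuid/setgid files under a tree someone is about to chown. This is an added example, not part of the original post; the function names are hypothetical and the paths to audit are passed as arguments.

```shell
#!/bin/sh
# Usage (assumed invocation): sh audit.sh "$HOME/.npm" /usr/local

# Print every entry under DIR whose owner is not numeric uid EXPECTED.
# find does not follow symlinks by default; -xdev keeps it on one filesystem.
list_foreign_owned() {
    dir=$1; expected=$2
    [ -d "$dir" ] || return 0
    find "$dir" -xdev ! -user "$expected" -print 2>/dev/null
}

# Count those entries (a name containing a newline is counted more than once).
count_foreign_owned() {
    list_foreign_owned "$1" "$2" | wc -l | tr -d ' '
}

# Print regular files carrying the setuid or setgid bit. Changing the owner
# of such a file changes whose privileges it runs with, so review these
# before any recursive chown.
list_setid_files() {
    [ -d "$1" ] || return 0
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Report on each path; return 1 if any path holds entries owned by
# someone other than uid $1 (the mixed-ownership symptom).
audit_npm_paths() {
    uid=$1; shift
    status=0
    for d in "$@"; do
        n=$(count_foreign_owned "$d" "$uid")
        s=$(list_setid_files "$d" | wc -l | tr -d ' ')
        printf '%s: %s entries not owned by uid %s, %s setuid/setgid files\n' \
            "$d" "$n" "$uid" "$s"
        [ "$n" -eq 0 ] || status=1
    done
    return "$status"
}

# Run only when paths are given, so sourcing the file has no side effects.
if [ "$#" -gt 0 ]; then
    audit_npm_paths "$(id -u)" "$@"
fi
```

A non-zero exit status means at least one audited path contains entries owned by a different user than the one running the script.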