On Mon, Jan 5, 2015 at 2:57 PM, Christopher Rust <[email protected]> wrote: > Thanks for the information. > >> - a number of npm install scripts will fail when run with sudo, >> because they are run with privs of nobody, and can't write to the fs, >> the symptoms of which can be subtle and maddening to debug. I speak >> from sad experience, here. > > Can you comment anymore on this? > > What does privileges of nobody mean? Why couldn't a command run as root > write to the fs?
Nobody is a user who is not you, or root, and has not much privilege. Certainly not enough to write into a /usr/local/... that is owned by root. Remember, you used sudo because even your own user could not write into /usr/local? Well, neither can the user "nobody", by design. A simple npm install script, say "node-gyp rebuild || 0", is run as the user nobody if npm was originally run as root with sudo. So it can not write anything to the fs. This is because any package.json could put into its install script "rm -rf /", which would suck for someone who installed it if they ran npm install as root using sudo. So, dropping privs to nobody solves this. Of course, it doesn't help you at all if they put "rm -rf $HOME"... but I digress. The price of priv dropping is high, it means that package scripts don't work for any module that is globally installed. Or ***any*** of the dependencies of such a module. Which could be any module, pretty much. So, don't use install-time package scripts. But, other people might use them. And maybe you won't know... until you finally track down a mysterious bug, and realize that its because the install or post-install script didn't actually work. Cheers, Sam -- Job board: http://jobs.nodejs.org/ New group rules: https://gist.github.com/othiym23/9886289#file-moderation-policy-md Old group rules: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines --- You received this message because you are subscribed to the Google Groups "nodejs" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/nodejs/CACmrRmTBVD0AK52TGPKDEdhNvOpCRcAR0DvaUoHj9uwsp6-oUg%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
