npm: error when running npm lifecycle commands as the root user #5

Open
SamHwang1990 opened this issue Jan 12, 2017 · 0 comments

Before running a lifecycle command, npm checks the `unsafe-perm` setting: it continues only when the value is true, and otherwise exits early.

Code reference:

    // lib/utils/lifecycle.js
    unsafe = unsafe || npm.config.get('unsafe-perm')

    if ((wd.indexOf(npm.dir) !== 0 || _incorrectWorkingDirectory(wd, pkg)) &&
        !unsafe && pkg.scripts[stage]) {
      log.warn('lifecycle', logid(pkg, stage), 'cannot run in wd',
        '%s %s (wd=%s)', pkg._id, pkg.scripts[stage], wd
      )
      return cb()
    }

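For an analysis of the problem, see: Npm install failed with “cannot run in wd”

The order in which configuration is read roughly follows npm-config, i.e. cli -> env -> npmrc -> default

In default, `unsafe-perm` is initialized as follows: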

    // lib/config/defaults.js
    'unsafe-perm': process.platform === 'win32' ||
                     process.platform === 'cygwin' ||
                     !(process.getuid && process.setuid &&
                       process.getgid && process.setgid) ||
                     process.getuid() !== 0

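On Unix platforms, the default value obtained when npm commands are run as the root user is always false.

My understanding is roughly that this is to avoid the security problems that could arise from running lifecycle commands as root.

To get around the problem, it is enough to override the initial value from default, for example with a CLI argument or `npm config set unsafe-perm=true`.

To get around it at the project level, one option is to create a `.npmrc` in the project that overrides the default setting:

    ; .npmrc
    unsafe-perm = true

However, the risk this introduces may need to be made explicit.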
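
The lookup order and the root default described above, modelled as an added example (it is not npm's code and not part of the original post), so the effective value and the layer it came from can be checked before deciding on an override. `resolveUnsafePerm`, `lifecycleSkipped`, `canSwitchUser` and the sample paths are hypothetical names; the `.npmrc` reader handles only flat `key = value` lines, and the `_incorrectWorkingDirectory` check is reduced to a boolean.

```javascript
'use strict'
// Added example: a simplified model, not npm's implementation.

// Same expression as lib/config/defaults.js, with process facts passed in.
function defaultUnsafePerm ({ platform, uid, canSwitchUser = true }) {
  return platform === 'win32' || platform === 'cygwin' ||
    !canSwitchUser || uid !== 0
}

// Assumption: flat "key = value" lines; ';' and '#' start comments.
function parseNpmrc (text) {
  const out = {}
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim()
    if (!line || line[0] === ';' || line[0] === '#') continue
    const eq = line.indexOf('=')
    if (eq === -1) out[line] = 'true'
    else out[line.slice(0, eq).trim()] = line.slice(eq + 1).trim()
  }
  return out
}

// First layer that defines the key wins: cli -> env -> npmrc -> default.
function resolveUnsafePerm ({ cli = {}, env = {}, npmrc = '', proc }) {
  const layers = [
    ['cli', cli['unsafe-perm']],
    ['env', env.npm_config_unsafe_perm],
    ['npmrc', parseNpmrc(npmrc)['unsafe-perm']]
  ]
  for (const [source, value] of layers) {
    if (value !== undefined) return { source, value: String(value) === 'true' }
  }
  return { source: 'default', value: defaultUnsafePerm(proc) }
}

// Shape of the guard in lib/utils/lifecycle.js; true means the script is not run.
function lifecycleSkipped ({ wd, npmDir, incorrectWd = false, unsafe, hasScript }) {
  return (wd.indexOf(npmDir) !== 0 || incorrectWd) && !unsafe && Boolean(hasScript)
}

// Constructed scenario: root on Linux, package directory outside npm.dir.
const root = { platform: 'linux', uid: 0 }
const site = { wd: '/srv/app', npmDir: '/usr/lib/node_modules', hasScript: true }
for (const npmrc of ['', '; project .npmrc\nunsafe-perm = true\n']) {
  const r = resolveUnsafePerm({ npmrc, proc: root })
  console.log(r.source, r.value, 'skipped:', lifecycleSkipped({ ...site, unsafe: r.value }))
}
```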

Liu233w added a commit to Liu233w/acm-statistics that referenced this issue Apr 25, 2018

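chore(tools): enable --unsafe-perm mode when installing with the deployment script
This way, running the postinstall script with root privileges no longer raises an error (security reasons)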

see npm/npm#3497
SamHwang1990/blog#5