alias node for sudoers #43

Closed
mpotra opened this Issue Jul 1, 2011 · 33 comments

Comments

Projects
None yet
@mpotra

mpotra commented Jul 1, 2011

When sudoing node, 'command not found' is issued, because on most systems PATH is reset on sudo, for security reasons.
This makes 'sudo node' not work anymore.

Simply adding the following line at the end of the nvm.sh script, would fix it:

alias node='$NVM_BIN/node'
//possibly adding an alias for npm as well?

This assumes .bashrc for user contains these 3 lines:

. ~/.nvm/nvm.sh

enable aliases in sudo

alias sudo='sudo '

@creationix

This comment has been minimized.

Show comment
Hide comment
@creationix

creationix Jul 1, 2011

Owner

Very neat idea. I don't want to add it to my nvm repo since it's a little invasive, but it's not hard for someone who wants to customize their environment.

I usually just source the nvm.sh file as root after running "sudo su" or modify root's .bashrc. I want more than just node when I run sudo and this way I get everything in the $NVM_BIN folder.

Owner

creationix commented Jul 1, 2011

Very neat idea. I don't want to add it to my nvm repo since it's a little invasive, but it's not hard for someone who wants to customize their environment.

I usually just source the nvm.sh file as root after running "sudo su" or modify root's .bashrc. I want more than just node when I run sudo and this way I get everything in the $NVM_BIN folder.

@creationix creationix closed this Jul 1, 2011

@mpotra

This comment has been minimized.

Show comment
Hide comment
@mpotra

mpotra Jul 2, 2011

You are right, it might be a bit invasive and probably shouldn't be active in the release, but maybe just have it posted here or somewhere in future docs, so that people could find it easy.
Or maybe it might be better to have it in the script, but commented out, and people who need it, would just uncomment it - just a thought.

It took me a bit to figure this out, so probably this could save some time for others.

Modifying root's bashrc wasn't an option for my case, since we had a set-up with several users, each with its own node/nvm, and wanted to allow quick running through sudo (sudo node app_name), where necessary.
Including nvm.sh or the path/s in root's .bashrc would allow only for one single setup to run through sudo.

mpotra commented Jul 2, 2011

You are right, it might be a bit invasive and probably shouldn't be active in the release, but maybe just have it posted here or somewhere in future docs, so that people could find it easy.
Or maybe it might be better to have it in the script, but commented out, and people who need it, would just uncomment it - just a thought.

It took me a bit to figure this out, so probably this could save some time for others.

Modifying root's bashrc wasn't an option for my case, since we had a set-up with several users, each with its own node/nvm, and wanted to allow quick running through sudo (sudo node app_name), where necessary.
Including nvm.sh or the path/s in root's .bashrc would allow only for one single setup to run through sudo.

@euskode

This comment has been minimized.

Show comment
Hide comment
@euskode

euskode Mar 30, 2012

This is fantastic, I made the changes and it works like a charm.

What if I wanted to do something like sudo ENV1=val1 ENV2=val2 node server.js?

I am able to do that with other tools (I remember that forever never had an issue with it), however in my nvm-ized environment, I get sudo: node: command not found.

Any help would be much appreciated!

euskode commented Mar 30, 2012

This is fantastic, I made the changes and it works like a charm.

What if I wanted to do something like sudo ENV1=val1 ENV2=val2 node server.js?

I am able to do that with other tools (I remember that forever never had an issue with it), however in my nvm-ized environment, I get sudo: node: command not found.

Any help would be much appreciated!

@zakdances

This comment has been minimized.

Show comment
Hide comment
@zakdances

zakdances Sep 20, 2012

Does "nvm install" need sudo to run error-free?

Does "nvm install" need sudo to run error-free?

@creationix

This comment has been minimized.

Show comment
Hide comment
@creationix

creationix Sep 20, 2012

Owner

@zakdances no, nvm installs node into a local folder inside your git clone of the nvm repo. Unless your user doesn't have write access to your own clone, then it should work fine without sudo. In fact, using sudo can break things since it creates files as the root user.

Owner

creationix commented Sep 20, 2012

@zakdances no, nvm installs node into a local folder inside your git clone of the nvm repo. Unless your user doesn't have write access to your own clone, then it should work fine without sudo. In fact, using sudo can break things since it creates files as the root user.

@casio

This comment has been minimized.

Show comment
Hide comment
@casio

casio Sep 25, 2012

Hm, just stumbled upon this one when trying to install grunt globally.

Like @mpotra suggested, I had to also alias npm like so:
alias node='$NVM_BIN/node'
alias npm='$NVM_BIN/npm'

So that means that not a single node package intended for global availablity can be installed when using nvm by default, right? That should make quite some users having this scenario, I imagine.

How about inventing a special nvm mode so the aliases only get activated when users explicitly enter that mode?
When they leave the mode again, the aliases could get disabled.

casio commented Sep 25, 2012

Hm, just stumbled upon this one when trying to install grunt globally.

Like @mpotra suggested, I had to also alias npm like so:
alias node='$NVM_BIN/node'
alias npm='$NVM_BIN/npm'

So that means that not a single node package intended for global availablity can be installed when using nvm by default, right? That should make quite some users having this scenario, I imagine.

How about inventing a special nvm mode so the aliases only get activated when users explicitly enter that mode?
When they leave the mode again, the aliases could get disabled.

@jcollum-hcg

This comment has been minimized.

Show comment
Hide comment
@jcollum-hcg

jcollum-hcg Jul 19, 2013

This seems common enough that it should be added to the readme.

This seems common enough that it should be added to the readme.

@darethas

This comment has been minimized.

Show comment
Hide comment
@darethas

darethas Aug 12, 2013

Yes, needing sudo on *nix systtems is very common.

As a suggestion, you could try a solution similar to what ruby version manager does http://rvm.io/integration/sudo

Yes, needing sudo on *nix systtems is very common.

As a suggestion, you could try a solution similar to what ruby version manager does http://rvm.io/integration/sudo

@jcollum-hcg

This comment has been minimized.

Show comment
Hide comment
@jcollum-hcg

jcollum-hcg Aug 12, 2013

I was just told in the git mailing list that you should only very rarely use sudo. But I see it all the time. Too many opinions about it.

I was just told in the git mailing list that you should only very rarely use sudo. But I see it all the time. Too many opinions about it.

@tjwebb

This comment has been minimized.

Show comment
Hide comment
@tjwebb

tjwebb Dec 14, 2013

Using sudo to install node is perfectly reasonable and common. Running node itself as root is frowned upon. Unfortunately nvm makes this very difficult.

tjwebb commented Dec 14, 2013

Using sudo to install node is perfectly reasonable and common. Running node itself as root is frowned upon. Unfortunately nvm makes this very difficult.

@tjwebb

This comment has been minimized.

Show comment
Hide comment
@tjwebb

tjwebb Dec 14, 2013

If anyone is looking for an easy way to install nvm globally: https://github.com/xtuple/nvm

tjwebb commented Dec 14, 2013

If anyone is looking for an easy way to install nvm globally: https://github.com/xtuple/nvm

@koenpunt

This comment has been minimized.

Show comment
Hide comment
@koenpunt

koenpunt Dec 15, 2013

Contributor

There is no need to install node with sudo once you give the nvm directory the right permissions.
For example:
create a user group called nvm, add every user that need to use nvm to this group and change the permissions of your nvm dir to group writeable: chmod 2775 /usr/local/nvm (the first digit (2) is the setgid bit, explained here, which ensures the group for execution in this directory stays the same)

Contributor

koenpunt commented Dec 15, 2013

There is no need to install node with sudo once you give the nvm directory the right permissions.
For example:
create a user group called nvm, add every user that need to use nvm to this group and change the permissions of your nvm dir to group writeable: chmod 2775 /usr/local/nvm (the first digit (2) is the setgid bit, explained here, which ensures the group for execution in this directory stays the same)

@endorama

This comment has been minimized.

Show comment
Hide comment
@endorama

endorama Jan 21, 2014

+1 for nvmsudo solution proposed by @treehau5

+1 for nvmsudo solution proposed by @treehau5

@drkibitz

This comment has been minimized.

Show comment
Hide comment
@drkibitz

drkibitz Jan 21, 2014

Contributor

+1 for @koenpunt point on group access.

Contributor

drkibitz commented Jan 21, 2014

+1 for @koenpunt point on group access.

@wilmoore

This comment has been minimized.

Show comment
Hide comment
@wilmoore

wilmoore Mar 4, 2014

Using sudo to install node is perfectly reasonable

I'm not sure I agree with "reasonable"...more like "endemic".

and common.

With this, I agree.

But I see it all the time. Too many opinions about it.

I disagree with it's usage; but, to each their own.

wilmoore commented Mar 4, 2014

Using sudo to install node is perfectly reasonable

I'm not sure I agree with "reasonable"...more like "endemic".

and common.

With this, I agree.

But I see it all the time. Too many opinions about it.

I disagree with it's usage; but, to each their own.

@tjwebb

This comment has been minimized.

Show comment
Hide comment
@tjwebb

tjwebb Mar 4, 2014

My use case is to be able to easily upgrade my system-wide services, running on nodejs, in the case of patch/security releases, and for those to be compatible with Travis-CI, which uses nvm. How else besides using sudo would one install nvm into the global PATH for this purpose? Or is there a better tool for this?

I guess the real problem is the generally crappy package manager support that node.js enjoys from most OS vendors.

tjwebb commented Mar 4, 2014

My use case is to be able to easily upgrade my system-wide services, running on nodejs, in the case of patch/security releases, and for those to be compatible with Travis-CI, which uses nvm. How else besides using sudo would one install nvm into the global PATH for this purpose? Or is there a better tool for this?

I guess the real problem is the generally crappy package manager support that node.js enjoys from most OS vendors.

@wilmoore

This comment has been minimized.

Show comment
Hide comment
@wilmoore

wilmoore Mar 4, 2014

I guess the real problem is the generally crappy package manager support that node.js enjoys from most OS vendors.

Well, to be fair, every other language has to deal with those same crappy OS package managers. Actually, some are quite good, but the problem is maintenance. Sometimes you want 0.11.11 but good luck finding an OS packager maintainer that can (or will) keep up with that pace.

How else besides using sudo would one install nvm into the global PATH for this purpose? Or is there a better tool for this?

Maybe someone else can chime in...I don't have a good answer because I don't tend toward this particular workflow.

Today, I use docker (i.e. LXC container)...before docker existed, I would use VMs.

With docker, nvm isn't really needed. You just spin up a container with the exact version you care about.

I tend to use nvm on my dev machine, installed via homebrew and install nodes into my local user directory; where sudo is never needed.

wilmoore commented Mar 4, 2014

I guess the real problem is the generally crappy package manager support that node.js enjoys from most OS vendors.

Well, to be fair, every other language has to deal with those same crappy OS package managers. Actually, some are quite good, but the problem is maintenance. Sometimes you want 0.11.11 but good luck finding an OS packager maintainer that can (or will) keep up with that pace.

How else besides using sudo would one install nvm into the global PATH for this purpose? Or is there a better tool for this?

Maybe someone else can chime in...I don't have a good answer because I don't tend toward this particular workflow.

Today, I use docker (i.e. LXC container)...before docker existed, I would use VMs.

With docker, nvm isn't really needed. You just spin up a container with the exact version you care about.

I tend to use nvm on my dev machine, installed via homebrew and install nodes into my local user directory; where sudo is never needed.

@gagle

This comment has been minimized.

Show comment
Hide comment
@gagle

gagle Sep 12, 2015

Setting this in ~/.profile worked for me:

alias sudo='sudo env PATH=$PATH:$NVM_BIN'

It's part of the nvm installation in vagrant:

Vagrantfile

config.vm.provision :shell, path: "vagrant/nodejs.sh", privileged: false

vagrant/nodejs.sh

sudo su vagrant -c "wget -qO- https://raw.githubusercontent.com/creationix/nvm/v0.26.1/install.sh | bash"

echo "
source /home/vagrant/.nvm/nvm.sh
alias sudo='sudo env PATH=\$PATH:\$NVM_BIN'
" >> /home/vagrant/.profile

export NVM_DIR="/home/vagrant/.nvm"
[ -s "$NVM_DIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh"

nvm install stable
nvm alias default stable

Now I can do sudo node|npm|pm2|whatever.

gagle commented Sep 12, 2015

Setting this in ~/.profile worked for me:

alias sudo='sudo env PATH=$PATH:$NVM_BIN'

It's part of the nvm installation in vagrant:

Vagrantfile

config.vm.provision :shell, path: "vagrant/nodejs.sh", privileged: false

vagrant/nodejs.sh

sudo su vagrant -c "wget -qO- https://raw.githubusercontent.com/creationix/nvm/v0.26.1/install.sh | bash"

echo "
source /home/vagrant/.nvm/nvm.sh
alias sudo='sudo env PATH=\$PATH:\$NVM_BIN'
" >> /home/vagrant/.profile

export NVM_DIR="/home/vagrant/.nvm"
[ -s "$NVM_DIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh"

nvm install stable
nvm alias default stable

Now I can do sudo node|npm|pm2|whatever.

@JCMais

This comment has been minimized.

Show comment
Hide comment
@JCMais

JCMais Sep 18, 2015

Thank you @gagle, that was the best solution I found.

JCMais commented Sep 18, 2015

Thank you @gagle, that was the best solution I found.

@pedroxs

This comment has been minimized.

Show comment
Hide comment
@pedroxs

pedroxs Oct 22, 2015

I like the solution pointed at this stackoverflow given by Digital Ocean. It solves the sudo problem and makes it easy to update root versions when needed.

pedroxs commented Oct 22, 2015

I like the solution pointed at this stackoverflow given by Digital Ocean. It solves the sudo problem and makes it easy to update root versions when needed.

@ljharb

This comment has been minimized.

Show comment
Hide comment
@ljharb

ljharb Oct 22, 2015

Collaborator

You shouldn't need sudo for anything. Use authbind if you need to have node listen on privileged ports.

Collaborator

ljharb commented Oct 22, 2015

You shouldn't need sudo for anything. Use authbind if you need to have node listen on privileged ports.

@qwelias

This comment has been minimized.

Show comment
Hide comment
@qwelias

qwelias Jun 29, 2016

@gagle for some reason NVM_BIN is not set at a time when ~/.profile is being executed.
EDIT: fixed by moving

alias sudo='sudo env PATH=$PATH:$NVM_BIN'

to ~/.bashrc after nvm.sh execution

qwelias commented Jun 29, 2016

@gagle for some reason NVM_BIN is not set at a time when ~/.profile is being executed.
EDIT: fixed by moving

alias sudo='sudo env PATH=$PATH:$NVM_BIN'

to ~/.bashrc after nvm.sh execution

@mightypenguin

This comment has been minimized.

Show comment
Hide comment
@mightypenguin

mightypenguin Sep 29, 2016

I believe the entire point of nvm was to make switching/using node easy and avoid these kinds of shenanigans of manually editing certain files for certain users and walking counter-clockwise during a full moon.

Rightly or wrongly a lot of node tools/modules REQUIRE being installed globally.

Can we please have a global install option when installing nvm?
If you are concerned about flavors of OS's you can have a folder with specific modules for each OS/Flavor. Some may not be supported. That's fine, people can contribute modules.

I believe the entire point of nvm was to make switching/using node easy and avoid these kinds of shenanigans of manually editing certain files for certain users and walking counter-clockwise during a full moon.

Rightly or wrongly a lot of node tools/modules REQUIRE being installed globally.

Can we please have a global install option when installing nvm?
If you are concerned about flavors of OS's you can have a folder with specific modules for each OS/Flavor. Some may not be supported. That's fine, people can contribute modules.

@ljharb

This comment has been minimized.

Show comment
Hide comment
@ljharb

ljharb Sep 29, 2016

Collaborator

@mightypenguin nvm is not meant to be used across user accounts. Each user should have its own $NVM_DIR.

Collaborator

ljharb commented Sep 29, 2016

@mightypenguin nvm is not meant to be used across user accounts. Each user should have its own $NVM_DIR.

@mightypenguin

This comment has been minimized.

Show comment
Hide comment
@mightypenguin

mightypenguin Sep 29, 2016

So even if I wrote the code to make this cleanly possible there is no way you would consider pulling my changes?

So even if I wrote the code to make this cleanly possible there is no way you would consider pulling my changes?

@ljharb

This comment has been minimized.

Show comment
Hide comment
@ljharb

ljharb Sep 29, 2016

Collaborator

@mightypenguin i'd be happy to take a look at it, but I'm very skeptical it could be cleanly possible due to all the permissions issues within nvm-managed node dirs.

Collaborator

ljharb commented Sep 29, 2016

@mightypenguin i'd be happy to take a look at it, but I'm very skeptical it could be cleanly possible due to all the permissions issues within nvm-managed node dirs.

@ljharb

This comment has been minimized.

Show comment
Hide comment
@ljharb

ljharb Feb 9, 2017

Collaborator

@tetreault you should never use sudo for privileged ports; https://thomashunter.name/blog/using-authbind-with-node-js/ is a much safer approach.

Collaborator

ljharb commented Feb 9, 2017

@tetreault you should never use sudo for privileged ports; https://thomashunter.name/blog/using-authbind-with-node-js/ is a much safer approach.

@ljharb

This comment has been minimized.

Show comment
Hide comment
@ljharb

ljharb Feb 9, 2017

Collaborator

I believe npm run runs things as nobody, and it's unable to sudo (for safety).

Collaborator

ljharb commented Feb 9, 2017

I believe npm run runs things as nobody, and it's unable to sudo (for safety).

@Rafi993

This comment has been minimized.

Show comment
Hide comment
@Rafi993

Rafi993 Jun 4, 2017

on debian (or ubuntu) based sytem in addition to setting the alias as @mpotra said you might need to run
sudo ln -s "$(which node)" /usr/local/bin/node for npm to work in sudo mode

Rafi993 commented Jun 4, 2017

on debian (or ubuntu) based sytem in addition to setting the alias as @mpotra said you might need to run
sudo ln -s "$(which node)" /usr/local/bin/node for npm to work in sudo mode

@Spudz76

This comment has been minimized.

Show comment
Hide comment
@Spudz76

Spudz76 Oct 7, 2017

authbind is great and all, but what about things like raw-socket? I use net-ping which pulls in raw-socket which can only work as root. Would some libcap thing work to bypass the "haxor crafty packet injection" usermode block?

Spudz76 commented Oct 7, 2017

authbind is great and all, but what about things like raw-socket? I use net-ping which pulls in raw-socket which can only work as root. Would some libcap thing work to bypass the "haxor crafty packet injection" usermode block?

@ljharb

This comment has been minimized.

Show comment
Hide comment
@ljharb

ljharb Oct 8, 2017

Collaborator

"can only work as root" seems like a reason to not use a piece of software, tbh.

Collaborator

ljharb commented Oct 8, 2017

"can only work as root" seems like a reason to not use a piece of software, tbh.

@Spudz76

This comment has been minimized.

Show comment
Hide comment
@Spudz76

Spudz76 Oct 8, 2017

man 7 raw

So it appears that setting the CAP_NET_RAW for the node executable will open just a big enough hole for raw-socket to operate without root, maybe, but I"m skeptical (untested because I'm running it as root because I'm not paranoid).

sudo setcap cap_net_raw+eip $(eval readlink -f `which node`)

"Microsoft" is also a reason not to use a piece of software, but lots of poor souls use that, because they have no choice. I'd love to go fix everyone elses' software but sometimes you just need root to solve headaches and get it working NOW and in ALL CASES ensured.

And if it's just plain simpler to run as root and I accept the ramifications of doing so, it should be trivial. Maybe even a supported method to drop privs (like Apache httpd does?) so the whole process doesn't have to run as root (just the socket thread). And anyway this applet literally can't be exploited / never heard of a privilege escalation problem with Node.js / why be so paranoid when it is clearly unnecessary? Best practice is not the only practice and it's never best for every use case... such as on a VM where yippee you got root and can't do anything, gg hacker bruh.

Spudz76 commented Oct 8, 2017

man 7 raw

So it appears that setting the CAP_NET_RAW for the node executable will open just a big enough hole for raw-socket to operate without root, maybe, but I"m skeptical (untested because I'm running it as root because I'm not paranoid).

sudo setcap cap_net_raw+eip $(eval readlink -f `which node`)

"Microsoft" is also a reason not to use a piece of software, but lots of poor souls use that, because they have no choice. I'd love to go fix everyone elses' software but sometimes you just need root to solve headaches and get it working NOW and in ALL CASES ensured.

And if it's just plain simpler to run as root and I accept the ramifications of doing so, it should be trivial. Maybe even a supported method to drop privs (like Apache httpd does?) so the whole process doesn't have to run as root (just the socket thread). And anyway this applet literally can't be exploited / never heard of a privilege escalation problem with Node.js / why be so paranoid when it is clearly unnecessary? Best practice is not the only practice and it's never best for every use case... such as on a VM where yippee you got root and can't do anything, gg hacker bruh.

@ljharb

This comment has been minimized.

Show comment
Hide comment
@ljharb

ljharb Oct 9, 2017

Collaborator

At any rate, the way npm works is beyond the scope of this repo.

If you want nvm to work for a root user, then that root user needs to have its own installation of nvm.

Collaborator

ljharb commented Oct 9, 2017

At any rate, the way npm works is beyond the scope of this repo.

If you want nvm to work for a root user, then that root user needs to have its own installation of nvm.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment