New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

You are attempting to run Meteor as the "root" user #7959

Closed
rclai opened this Issue Oct 25, 2016 · 53 comments

Comments

Projects
None yet
@rclai

rclai commented Oct 25, 2016

Uh... Why is this error happening? I did not even upgrade any of my Meteor apps at all. Why would this shell flow control be getting hit when I haven't even updated to the new version? This must have come up as a result of you pushing out this latest build.

Anyway, running this:

meteor run --unsafe-perm --port 3002

Does not fix the issue, and it's because I'm running an old version of Meteor and all I get is this:

You have run Meteor as root. Your permissions in your app directory will be incorrect if you ever attempt to perform any Meteor tasks
as your non-root user. You probably didn't want this, but you can fix it by running the following from the root of your project:

sudo chown -Rh <username> .meteor/local

--unsafe-perm: unknown option.                
Usage: meteor run [target..] [options]

Searches upward from the current directory for the root directory of a
Meteor project, then runs that project in local development
mode. You can use the application by pointing your web browser at
localhost:3000. No internet connection is required.

Whenever you change any of the application's source files, the changes
are automatically detected and applied to the running application.

The application's database persists between runs. It's stored under
the .meteor directory in the root of the project.

If you have added a platform to your app with 'meteor add-platform', you can
pass one of the following targets as an argument to this command.

Targets:
  android          Run on the Android emulator.
  android-device   Run on a connected Android device.
  ios              Run on the iOS simulator.
  ios-device       Open Xcode with the iOS project for this app, where you can
                   run your app on a connected iOS device.

Options:
  --port, -p       Port to listen on (instead of the default 3000). Also
                   uses port N+1 and a port specified by --app-port.
                   Specify as --port=host:port to bind to a specific interface.
  --debug-port     Specify a port to enable server-side debugging. The
                   server will be paused at startup, waiting for incoming
                   connections from debugger clients on the specified port.
  --mobile-server  Location where mobile builds connect to the Meteor server.
                   Defaults to your local IP and the port that the Meteor
                   server binds to. Can include a URL scheme (for
                   example, --mobile-server=https://example.com:443).
  --production     Simulate production mode. Minify and bundle CSS and JS files.
  --raw-logs       Run without parsing logs from stdout and stderr.
  --settings       Set optional data for Meteor.settings on the server.
  --release        Specify the release of Meteor to use.
  --verbose        Print all output from builds logs.
  --no-lint        Don't run linters used by the app on every rebuild.
  --allow-incompatible-update   Allow packages in your project to be upgraded or
                   downgraded to versions that are potentially incompatible with
                   the current versions, if required to satisfy all package
                   version constraints.
  --test           [Experimental] Run Velocity tests using phantomjs and exit.

I know I shouldn't be running as root, but this just so happened to be the dev server I'm building in and don't have the flexibility to set up users on this server.

There seems to be some hijacking of the old Meteor versions in my server as a result of your update.

@rclai rclai closed this Oct 25, 2016

@rclai rclai reopened this Oct 25, 2016

@rclai

This comment has been minimized.

rclai commented Oct 25, 2016

Reinstalling did not fix the issue.

Meteor is still not recognizing the --unsafe-perm still for Meteor apps on older versions (I have not tested on newest versions).

@jpmelnik

This comment has been minimized.

jpmelnik commented Oct 25, 2016

+1 Same for me. I'm over Ubuntu 16.04 and I can't run "meteor update".

You are attempting to run Meteor as the "root" user. If you are developing, this is almost certainly not what you want to do and will likely result in incorrect file permissions. However, if you are
running this in a build process (CI, etc.) or you are absolutely sure you know what you are doing, add the --unsafe-perm flag to this command to proceed.

@benjamn

This comment has been minimized.

Member

benjamn commented Oct 25, 2016

Commented on the PR: #7821 (comment)

@benjamn benjamn added this to the Release 1.4.2.1 milestone Oct 25, 2016

@ismail-syed

This comment has been minimized.

ismail-syed commented Oct 26, 2016

Same here!
Any suggestions?

It was working fine earlier this morning. I just happened to notice this about an hour ago.

>sudo meteor

You are attempting to run Meteor as the "root" user. If you are developing, this is almost certainly *not* what you want to do and will likely result in incorrect file permissions. However, if you are running this in a build process (CI,
etc.) or you are absolutely sure you know what you are doing, add the `--unsafe-perm` flag to this command to proceed.

I usually have to run with sudo, if not I get the following.

>meteor
[[[[[ ~/Development/project ]]]]]

=> Started proxy.
=> Started MongoDB.

/Users/iSyed/.meteor/packages/ecmascript/.0.4.6.pxweny++os+web.browser+web.cordova/plugin.compile-ecmascript.os/npm/node_modules/meteor/promise/node_modules/meteor-promise/promise_server.js:165
      throw error;
            ^
Error: EACCES, open '/Users/iSyed/.meteorsession' 
@jpmelnik

This comment has been minimized.

jpmelnik commented Oct 26, 2016

  1. I removed meteor completly from my system.
  2. I did a backup for my project.
  3. I removed the project
  4. Install meteor again.
  5. I created new meteor project without root.
  6. I imported the project from the backup.
  7. Now, meteor / meteor run / meteor update works as expected.
@jpmelnik

This comment has been minimized.

jpmelnik commented Oct 26, 2016

Update #1:

The package momentjs:moment@2.15.2 stop the app execution.

Update #2

momentjs:moment, added version 2.8.4, works fine.

@jay-depot

This comment has been minimized.

jay-depot commented Oct 26, 2016

I think #7964 is the same issue. This is kind of a big deal, as it's breaking Docker deployments for anyone not on the bleeding edge version of Meteor.

@abernix

This comment has been minimized.

Member

abernix commented Oct 26, 2016

@isyed867 Your situation is one of the (many) problems that this --unsafe-perm argument is trying to solve. In development, on your machine, where you have multiple accounts, you should not run Meteor as root (i.e. with sudo) as it will break a variety of things. To fix your problem, you should be able to run sudo rm ~/.meteorsession and then run meteor login again without sudo.

@abernix

This comment has been minimized.

Member

abernix commented Oct 26, 2016

If it's not obvious by the error outputted: You can avoid this issue by not running Meteor as root which is not recommended and frequently causes problems (see above).

Some environments only have one (root) user by default and I'm aware that it's common practice to run everything inside Docker as the root user, but it has had its drawbacks and a common security recommendation is to NOT do this. See the USER setting in the Dockerfile reference and Dockerfile best practices. There is really very little reason to run meteor as root, even in Docker.

That being said, this is indeed an unintended bug affecting folks who run pre-Meteor 1.4.2 apps as root (even with the --unsafe-perm flag). For the explanation as to why, see my comment here: #7821 (comment).

Please try this suggested workaround for the time-being – instead of the usual Meteor install command, use these:

export METEOR_NO_RELEASE_CHECK=true # make sure this is set in your environment.
curl https://install.meteor.com/?release=1.4.1.3 | sh # You can use the exact version you're deploying here, or 1.4.1.3.

This will also likely speed up your Docker builds if your app is using an older version of Meteor than the current official release since it will avoid double-downloading of meteor-tool. But! Be absolutely sure that you update this version, or remove this workaround as you update Meteor versions.

I'll try to take a look at this today.

@rclai

This comment has been minimized.

rclai commented Oct 26, 2016

Thanks, @abernix's workaround is working.

abernix added a commit to abernix/meteor that referenced this issue Oct 26, 2016

Don't pass --unsafe-perm to a springboarded version of Meteor
By removing this argument, it prevents older versions of Meteor from objecting to its use.  Catching it at the highest level should be sufficient to discourage root usage as intended in meteor#7821

Fixes meteor#7959

abernix added a commit to abernix/meteor that referenced this issue Oct 26, 2016

Don't pass --unsafe-perm to a springboarded version of Meteor
By removing this argument, it prevents older versions of Meteor from objecting to its use.  Catching it at the highest level should be sufficient to discourage root usage as intended in meteor#7821

This commit force overwrites a previous commit which used `_.filter`, however `Array.prototype.filter` is better.

Fixes meteor#7959
@rclai

This comment has been minimized.

rclai commented Oct 26, 2016

Uh, @abernix, the error started happening again even after doing:

export METEOR_NO_RELEASE_CHECK=true # make sure this is set in your environment.
curl https://install.meteor.com/?release=1.4.1.3 | sh # You can use the exact version you're deploying here, or 1.4.1.3.

Did your recent commit cause that?

@rclai

This comment has been minimized.

rclai commented Oct 26, 2016

I had to re-run the workaround commands again to make it work. Weird.

@abernix

This comment has been minimized.

Member

abernix commented Oct 26, 2016

My recent commit is on a different branch as a proposed fix, so no.

If it just started happening again it's because the download just went on in the background – meaning either METEOR_NO_RELEASE_CHECK wasn't set when the process continued (you'll want to make sure it's set permanently in your Docker environment), or you're using Meteor before 1.4.1 which is when this variable became suported.

You can try also setting export METEOR_OFFLINE_CATALOG=true, but you should make sure that the METEOR_NO_RELEASE_CHECK variable is persisted during multiple runs of all Meteor commands.

tl;dr if METEOR_NO_RELEASE_CHECK gets unset, you will run into this problem again.

@rclai

This comment has been minimized.

rclai commented Oct 26, 2016

Ah okay.

@hibes

This comment has been minimized.

hibes commented Oct 26, 2016

This is a majorly breaking change for my team. --unsafe-perm doesn't work for us, meteor processes that argument correctly, but whatever function implements meteor run doesn't, so we get:

You have run Meteor as root. Your permissions in your app directory will be incorrect if you ever attempt to perform any Meteor
tasks as your non-root user. You probably didn't want this, but you can fix it by running the following from the root of your
project:

sudo chown -Rh .meteor/local

--unsafe-perm: unknown option.
Usage: meteor run [target..] [options]

Is it possible to revert to an older version of whatever meteor wrapper changed to break this?

@rclai

This comment has been minimized.

rclai commented Oct 26, 2016

Have you tried the above?

@hibes

This comment has been minimized.

hibes commented Oct 26, 2016

Thought we had, tried it again now, looks like it's working. Thanks, that workaround will do.

benjamn added a commit that referenced this issue Oct 26, 2016

Respect $METEOR_UNSAFE_PERM instead of --unsafe-perm.
When $METEOR_UNSAFE_PERM is set, its value is now propagated to any npm
commands via the $NPM_CONFIG_UNSAFE_PERM variable.

Helps with #7959.
Follow-up to #7821.

benjamn added a commit that referenced this issue Oct 27, 2016

Respect $METEOR_UNSAFE_PERM in addition to --unsafe-perm.
This is important for `meteor npm`, since we don't parse or pass through
Meteor-specific command-line arguments when running `meteor npm`.

When $METEOR_UNSAFE_PERM is set, its value is now propagated to any npm
commands via the $NPM_CONFIG_UNSAFE_PERM variable.

Helps with #7959.
Follow-up to #7821.
@aldo235

This comment has been minimized.

aldo235 commented Nov 9, 2016

some one have sollition for this case? i still have this issue

@benjamn

This comment has been minimized.

Member

benjamn commented Nov 9, 2016

Meteor 1.4.2.1 is out now! Please run meteor update and feel free to reopen this issue if the --allow-superuser option does not work for you. (Yes, --unsafe-perm should work too, but --allow-superuser is the recommended option now.)

@benjamn benjamn closed this Nov 9, 2016

@88plug

This comment has been minimized.

88plug commented Nov 9, 2016

Testing @benjamn -

@88plug

This comment has been minimized.

88plug commented Nov 9, 2016

Finally confirmed working with --allow-superuser on docker image node:latest ...

@aldo235

This comment has been minimized.

aldo235 commented Nov 10, 2016

some project work other project not work

`Even with METEOR_ALLOW_SUPERUSER or --allow-superuser, permissions in your app directory will be incorrect if you
ever attempt to perform any Meteor tasks as a normal user. If you need to fix your permissions, run the following
command from the root of your project:

sudo chown -Rh .meteor/local

You are attempting to run Meteor as the "root" user. If you are developing, this is almost certainly not what you
want to do and will likely result in incorrect file permissions. However, if you are running this in a build process
(CI, etc.) or you are absolutely sure you know what you are doing, add the --unsafe-perm flag to this command to
proceed.`

i use meteor --allow-superuser

@rsercano

This comment has been minimized.

rsercano commented Nov 10, 2016

--unsafe-perm option doesn't work anymore it stuck as below:

Even with METEOR_ALLOW_SUPERUSER or --allow-superuser, permissions in your app
directory will be incorrect if you ever attempt to perform any Meteor tasks as
a normal user. If you need to fix your permissions, run the following command
from the root of your project:

sudo chown -Rh .meteor/local

@abernix

This comment has been minimized.

Member

abernix commented Nov 10, 2016

@aldo235 @rsercano What is the output of the following command on the system that you're experiencing this on:

readlink $HOME/.meteor/meteor

And what are the contents of the .meteor/release file from the Meteor app that this is happening on?

@rsercano

This comment has been minimized.

rsercano commented Nov 10, 2016

METEOR@1.4.2 and for the command:

packages/meteor-tool/1.4.2_1/mt-os.linux.x86_64/meteor

As far as I know, you implemented it downgrade compatible, so I was expecting --unsafe-perm to work.

@abernix

This comment has been minimized.

Member

abernix commented Nov 10, 2016

@rsercano The message you are receiving is not an error – it is just a warning and Meteor should not be stopping at that point. It's very possible that it's sitting there with that message on your screen, but everything is still continuing and running in the background.

@rsercano

This comment has been minimized.

rsercano commented Nov 10, 2016

@abernix Indeed, that's what I was expecting but after a while (like 3-5 minute after) it gives below error:

You are attempting to run Meteor as the "root" user. If you are developing,
this is almost certainly *not* what you want to do and will likely result in
incorrect file permissions. However, if you are running this in a build process
(CI, etc.) or you are absolutely sure you know what you are doing, add the
`--unsafe-perm` flag to this command to proceed.

docker kills this container. But it has this flag already. Here's the docker file:
https://hub.docker.com/r/mongoclient/mongoclient/~/dockerfile/

@abernix

This comment has been minimized.

Member

abernix commented Nov 10, 2016

@rsercano Ok, I understand why it is happening, but the problem is still fixed by Meteor 1.4.2.1 and while you do have the latest tool installed, your app itself is still using the buggy version. You should upgrade your actual app to Meteor 1.4.2.1 and the problem should go away. 1.4.2.1 is also a very important bug-fix release for other reasons and I would recommend doing it as soon as possible. The upgrade should be painless, but you will need to make sure that you have the babel-runtime NPM installed.

Please see this blog post for more information.

@rsercano

This comment has been minimized.

rsercano commented Nov 11, 2016

@abernix thanks it seems to be fixed after upgrading 1.4.2.1

@faceyspacey

This comment has been minimized.

faceyspacey commented Nov 11, 2016

this shouldn't be happening if you haven't upgraded anything. I don't want to upgrade anything. I want to keep everything exactly the same. I did not opt into this. How did this even happen. I use sudo to use port 80 on my computer. This is messed up.

So that said, is there a way to like upgrade globally just the cli while not updating my app. I'm not sure about these details, and that's why what's going on here is very distressing. I'm not even confident a version-locked app and an upgraded CLI will be able to run my legacy app.

@abernix

This comment has been minimized.

Member

abernix commented Nov 11, 2016

@faceyspacey Not providing us with any information about what your situation is right now (app version, error output, etc.) is not likely to get you any help in resolving your problem and the answer as to "Why this happened" is higher up in this thread, if you care. Long story short, if you start your existing, older Meteor app with --allow-superuser you should be fine.

If this doesn't work, we'll be happy to help but the most important information to get to help you would be the output of meteor --version (not run with sudo) from INSIDE your Meteor app directory, and also from your home directory. I would also recommend you research how to use Mac OS X's pf command to forward port 80 to a non privileged port where Meteor is actually running (like port 3000) as opposed to binding Meteor directly to port 80, for a variety of very important reasons.

@faceyspacey

This comment has been minimized.

faceyspacey commented Nov 11, 2016

@abernix I literally just got it to work. It wasn't that bad. Upgrading to the latest version of meteor and using --allow-superuser worked just fine. My app stayed version-locked. Although, the first time, I got this message: Error: $MONGO_OPLOG_URL must be set to the 'local' database of a Mongo replica set but I tried again and it went away.

ps. You may want to somehow retitle this issue with the answer, cuz every legacy app developer will waste an hour reading the issue wall. @rclai

@abernix

This comment has been minimized.

Member

abernix commented Nov 11, 2016

@faceyspacey Glad you got it to work. Hopefully you understand the reason for it based on the message – it is actually a big deal and causes a lot of very hard to debug support problems which is why it is so forcefully required. If it works for you, keep on doing what you've been doing, but you'll have to run --allow-superuser to "agree" to the problems that it might cause. Again, if you can avoid it, please consider using port forwarding from port 80 to an unprivileged port.

@selasi

This comment has been minimized.

selasi commented Nov 16, 2016

After trying the suggestions above and had no success, this is what I did. I changed the content of .meteor/release to METEOR@1.4.2.1 and removed .meteor/local. Then I run meteor in the terminal and it worked like magic. Hopefully this works for you.

gui81 pushed a commit to ScientiaLLC/MeteorExpenseReportSystem that referenced this issue Nov 21, 2016

Lucas Johnson
Using a different meteor docker image.
meteor-tupperware has the following issue, which caused errors when building:
  meteor/meteor#7959
  chriswessels/meteor-tupperware#27

gui81 pushed a commit to ScientiaLLC/MeteorExpenseReportSystem that referenced this issue Nov 21, 2016

Lucas Johnson
Using a different meteor docker image.
meteor-tupperware has the following issue, which caused errors when building:
    meteor/meteor#7959
    chriswessels/meteor-tupperware#27

gui81 pushed a commit to ScientiaLLC/MeteorExpenseReportSystem that referenced this issue Nov 21, 2016

Lucas Johnson
Using a different meteor docker image.
meteor-tupperware has the following issue, which caused errors when building:
    meteor/meteor#7959
    chriswessels/meteor-tupperware#27

gui81 pushed a commit to ScientiaLLC/MeteorExpenseReportSystem that referenced this issue Nov 21, 2016

Lucas Johnson
Using a different meteor docker image.
meteor-tupperware has the following issue, which caused errors when building:
    meteor/meteor#7959
    chriswessels/meteor-tupperware#27

gui81 added a commit to gui81/scorekeeper that referenced this issue Nov 23, 2016

Updating Dockerfile to fix build.
Builds stopped working in docker due to this issue:
    meteor/meteor#7959
@openqubit

This comment has been minimized.

openqubit commented Dec 19, 2016

I used this on ubuntu 16 and it works

export METEOR_NO_RELEASE_CHECK=true # make sure this is set in your environment.
curl https://install.meteor.com/?release=1.4.1.1 | sh # You can use the exact version you're deploying here, or 1.4.1.1.

You can use meteor in root.Used meteor in root to build an apk on digitalocean 4GB droplet.

This is the location of the generated apk

~/your_meteor_app_directory/.meteor/local/cordova-build/platforms/android/build/outputs/apk

@abernix

This comment has been minimized.

Member

abernix commented Dec 20, 2016

Again, if you MUST run as privileged root user (which is discouraged as a best practice, even in Docker – by their own proclamation), you can pass the --allow-superuser flag to Meteor commands . Please make sure you're using Meteor 1.4.2.2 or higher to avoid the bugs found above in 1.4.2 and 1.4.2.1. If you're still having a problem with this, please open a new issue with your reproduction steps. Thanks!

@meteor meteor locked and limited conversation to collaborators Dec 20, 2016

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.