npm cache config not sensible if $HOME unset #3064

Closed
jwhitley opened this Issue Jan 16, 2013 · 4 comments

@jwhitley

Environment

OS: Ubuntu 12.04 LTS
node: v0.8.17
npm: v1.1.71

Repro steps

  1. Unset the HOME environment variable
  2. Run npm config ls -l
  3. Observe the value of cache.

Expected result

cache should be a sensible value based on the home directory of the current user. On POSIX systems, the common idiom is to obtain the user's home directory as a value for home when $HOME is unset (e.g. search for code calling getpwnam(3); also the first para of bash tilde expansion). The getpwnam call is already available to node code via modules such as node-posix.

Actual result

The cache config is set as cache = "/tmp/.npm". This can be problematic; see Notes, below.

Notes

Environments such as Puppet 3.x will run with HOME unset. The release note at that link starting "LANG, LC_*, and HOME" has more info and brief rationale. This breaks npm in run contexts that don't set HOME (certain provisioning and non-interactive shell environments, see below), as all users' cache dirs collide on /tmp/.npm, creating a lovely little conflicting permissions mess if more than one user ever installs a node module.

Proposed solution

osenv.home is the primary culprit. On master, this code has been inlined into the node codebase, but on 0.8.x it's still referenced via package.json as a release of isaacs/osenv. That method should instead look roughly like this:

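// Assumes the node-posix module is available as 'posix'; memo and isWindows
// are osenv's existing helpers.
var posix = require('posix')

memo('home', function () {
  // Windows: USERPROFILE. POSIX: $HOME, else the passwd entry for the current uid.
  return ( isWindows ? process.env.USERPROFILE
         : process.env.HOME || posix.getpwnam(process.getuid()).dir
         )
})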

This would already be a pull request, except I'm unsure of the best way to bring in getpwnam. It looks like node is cutting external dependencies in favor of bringing code into this repository. Advice?

@jwhitley

Moved from nodejs/node-v0.x-archive#4600; see prior discussion there. Salient point from @isaacs:

If there's no $HOME dir, then perhaps we can use something like $TMP + 'npm-' + uid (or pid), so it won't collide.

Agreed; I'd prefer uid so that the cache is doing at least some sharing. pid practically defeats the purpose, and could even become a performance problem during initial system provisioning and/or reloads. (e.g. successive npm install runs to bring a dev environment up-to-date).

@jwhitley

For posterity, I've found a solid external workaround for this issue, useful for folks who can install packages on the target system. Under Ubuntu/Debian, install pam-tmpdir via:

sudo apt-get install pam-tmpdir

Per the link above:

PAM tmpdir module sets $TMPDIR and $TMP for PAM sessions to /tmp/user/[uid].

This prevents various users (esp. root for global installs) from having permissions collisions on /tmp/.npm.

@isaacs added a commit to npm/npmconf that referenced this issue Jan 19, 2013
Don't use a shared tmp dir in homeless envs
Addresses npm/npm#3064
c59589c
@timoxley
npm member

@jwhitley Based on the above commit, looks like this can perhaps be closed?

#4430

@jwhitley

@timoxley Looks good, thanks. I'll close this now.

@jwhitley closed this Jan 7, 2014
@vvision added a commit to vvision/npmconf that referenced this issue Sep 23, 2014
@isaacs: Don't use a shared tmp dir in homeless envs
Addresses npm/npm#3064
7b8b800