
Security issue with nvm path #2140

Closed
yusuphgammut opened this issue Dec 27, 2019 · 4 comments

Comments

@yusuphgammut

yusuphgammut commented Dec 27, 2019

Hi nvm collaborators!

I recently installed nvm on my MacBook and noticed something that caught my attention. When I inspected my $PATH variable I saw that the nvm bin folder is prepended to the current list like this:

> echo $PATH
/Users/androdriguez/.nvm/versions/node/v13.3.0/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin

I'm not a security expert, but as far as I know this setup opens the door to Sudo Piggyback attacks, in which a malicious script can insert a malicious sudo program into the nvm bin folder without any problem and thus replace the original sudo program located in /usr/bin in order to steal password information and other things.

I was wondering if this could be addressed by not prepending but appending the path to the end of the list, like this (as Flutter does, for example):

> echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Users/androdriguez/.nvm/versions/node/v13.3.0/bin

Or at least changing the owner and group of the bin folder to root and wheel, so that admin credentials are required whenever someone tries to write to the folder:

> ls -al /Users/myuser/.nvm/versions/node/v13.3.0
total 320
drwxr-xr-x  9 myuser  313246183    288 Dec 16 18:01 .
drwxr-xr-x  3 myuser  313246183     96 Dec 16 18:01 ..
-rw-r--r--  1 myuser  313246183  53571 Dec  3 09:46 CHANGELOG.md
-rw-r--r--  1 myuser  313246183  77130 Dec  3 09:46 LICENSE
-rw-r--r--  1 myuser  313246183  26337 Dec  3 09:46 README.md
drwxr-xr-x  5 root    wheel        160 Dec 26 18:57 bin
drwxr-xr-x  3 myuser  313246183     96 Dec  3 09:46 include
drwxr-xr-x  4 myuser  313246183    128 Dec  3 09:46 lib
drwxr-xr-x  5 myuser  313246183    160 Dec  3 09:46 share

Let me know your thoughts about this matter.
Best regards.

@ljharb
Member

ljharb commented Dec 28, 2019

I think your concern is quite overblown; for one, nowadays you're not supposed to install any global packages anyway, which addresses the risk. Additionally, one of the biggest benefits of using nvm is not having to use sudo to npm install -g.

The ability for nvm to shadow node and npm and other global package names is critical; your system's node must not take precedence over it, otherwise nvm can't work.

@yusuphgammut
Author

Thanks @ljharb. I understand that the nvm folder should precede any other node or npm executables in $PATH in order to work properly. But the risk is still there anyway. I suppose this is a trade-off between convenience and security, and in this particular case nvm chooses the former to provide an easier developer experience by avoiding sudo calls.

@ljharb
Member

ljharb commented Dec 28, 2019

I believe that this is also the same choice nearly every PATH-modifying tool makes (other package/version managers, primarily).

@yusuphgammut
Author

Yes, the first time I learned about this issue was reading about Homebrew here. That's why I started using MacPorts instead. However, I can't afford not to use nvm because it greatly eases my developer experience. In my case I just changed the bin folder's owner and group to root and wheel to give me peace of mind.
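To check whether the situation discussed in this thread applies to a given shell, here is an added audit script (not part of nvm or of this issue) that walks a PATH string and reports every entry owned by the invoking user that is searched before the directory where a command such as sudo is actually found; the `shadowing_dirs` function name and the sample directories used to exercise it are constructed for illustration. A user-owned bin directory such as `~/.nvm/versions/node/<version>/bin` shows up in the report, while one re-owned to root:wheel, as the reporter did, does not.

```shell
#!/bin/sh
# Added example, not nvm project code: list PATH entries that are owned by
# the current user and are consulted before the first directory containing
# the command $2. Such entries can shadow $2 for this shell.
#
# Usage: shadowing_dirs "$PATH" sudo
# Prints the matching entries joined by ':' (empty line when there are none).
shadowing_dirs() {
    rest=$1
    cmd=$2
    found=""
    # Consume the PATH string one ':'-separated entry at a time (POSIX sh,
    # no arrays). A trailing empty entry is not handled by this loop.
    while [ -n "$rest" ]; do
        case $rest in
            *:*) d=${rest%%:*}; rest=${rest#*:} ;;
            *)   d=$rest;       rest="" ;;
        esac
        [ -z "$d" ] && d="."            # an empty entry means the current directory
        [ -x "$d/$cmd" ] && break       # first hit wins: later entries are irrelevant
        # -O: directory exists and is owned by the effective user (bash/dash/ash).
        # Ownership is a simple proxy for "writable without privileges"; it does
        # not catch group- or world-writable directories owned by someone else.
        [ -d "$d" ] && [ -O "$d" ] && found="${found}${d}:"
    done
    printf '%s\n' "${found%:}"
}

# Stand-alone run: audit the live PATH of this shell for sudo.
hits=$(shadowing_dirs "$PATH" sudo)
if [ -n "$hits" ]; then
    printf 'WARNING: user-owned PATH entries are searched before sudo: %s\n' "$hits"
else
    printf 'OK: no user-owned PATH entries precede sudo\n'
fi
```

Any directory the script reports is where a renamed `sudo` could be picked up first, so the remediation options are the two from the thread: move the entry after the system directories, or make it not writable by the unprivileged user.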
