Critical Linux filesystem permissions are being changed by latest version #19883
Comments
I experienced similar chaos after updating to 5.7.0 in a FreeBSD jail, I noticed recursive ownership of at least /usr/local/etc had been given to the current user:group during the update ( As a precaution against potentially catastrophic effects, I hope 5.7.0 will be taken down while a fix is implemented. |
This destroyed 3 production server after a single deploy! |
Same in a docker as root, some command like All worked fine with 5.6 :( |
I experienced similar issue. After npm v5.7.0 installed, Here is the commands that reproduces the situation: on ls -l /usr/bin
# you can see correct ownership
sudo su
curl --silent --location https://rpm.nodesource.com/setup_6.x | bash -
exit
sudo yum update
sudo yum install git
sudo yum install nodejs
git clone https://github.com/isaacs/npm.git
cd npm
git checkout v5.7.0
make
sudo make install
ls -l /usr/bin
# you can see broken ownership |
Why are you using a pre-release version in production @juggy? Just asking... |
Tag doesn't look like pre-release until you actually click on the releases and check the tag. If it's a pre-release tag, I suggest to not format the tag in a way it looks like it could not be a pre-release tag. |
I suggest to do no publish pre-release version announcement on the official blog: http://blog.npmjs.org/post/171139955345/v570 |
...which doesn't mention it's a pre-release in any way, shape or form. |
Pre-releases is
|
lol |
Sorry people, wasn’t meant to be rude 🙄 |
npm 5.7.0 on Mac not worked |
@towc welp, missed that 🆗 |
haha )) can someone prove that this update does destroy production servers ? |
Oh yes |
Mind staying on topic, rather than enforcing your opinion on us for an unrelated subject? Thanks! |
Interesting 🤔npm/lib/utils/correct-mkdir.js Line 31 in d3095ff
|
I think it would be preferable to only explicitly set permissions on folders that actually will be created by npm instead of just tinkering with the existing folders, especially when that code is accessing critical folders as the root user (through On another note, it is indeed confusing to just use |
🍿 |
consider reading this |
Playing a dangerous game by doing a minor stable release that's actually a |
Things like this are like a 🍆 in the face of npm and node. And I love it. |
For the people asking "why is 5.7.0 a prerelease released as stable", it's not:
It's tagged as next, so if you got it you either explicitly installed that version knowing it's marked as next, or you installed @next. Release channels exist for a reason. If you're running "next" on production environments you're asking for trouble. |
If what he's saying is correct, the pre-release appears to be pushed to the Arch main repositories, so if you're on Arch, beware! I've uninstalled npm and nodejs from my Arch box for the moment just to prevent any extra fun until this bug is fixed. EDIT: it appears I misread his steps to recreate. Updating npm from npm is what installed the 5.7.0 version. Still bad, but not related to Arch's repositories. |
@trodrigues might be still worth writing about this more explicitly on the blog post. Nobody coming to the site would know from reading it that it's a pre-release at the time. Edit: for clarity, I'm referring to this: http://blog.npmjs.org/post/171139955345/v570 |
I ran |
Generally in projects that follow semver I expect pre-release packages to have some string suffixed to the version number such as This is only listed as a |
I don't know where you see that, but it's not the case. |
Yup. It's really easy. Don't do stupid things like messing with directories and files that are not yours. |
This is quite correct. It's easy and understandable to miss, but if you have this in your deployment process somewhere:
be more specific about the versioning:
It's similar to using the |
Just got the latest Node Weekly, whose first item is:
Just so you know. |
1 similar comment
Just got the latest Node Weekly, whose first item is:
Just so you know. |
@k0nserv Still you can really mess up your dev machine. Things like this should never, ever happen. And they're happening a little too often to Node 😒 |
I'm not heavily invested in this issue, but if you want this thread to feature more rational discussion, tweeting about it is probably a bad idea. |
I almost hate to contribute to this, but a hopefully informative bit of information: This issue is made worse by the version tagging
because Because of this, you should not
so you can protect yourself from inadvertently getting these pre-release builds into our production environments by sticking to |
I'm not heavily invested in this issue, but if you want this thread to feature more rational discussion, tweeting about it is probably a bad idea. |
Maybe this helps to dismantle the js bloat ecosystem which is slowly making the internet unusable. |
Yes, run it in a CI environment set up with selinux or apparmor configured to deny npm any action outside of its own work area. If it runs and doesn't break, chances are it won't corrupt the system. Maybe itself, but at least not the system. |
1 similar comment
Yes, run it in a CI environment set up with selinux or apparmor configured to deny npm any action outside of its own work area. If it runs and doesn't break, chances are it won't corrupt the system. Maybe itself, but at least not the system. |
You should be running the same versions of NPM/Node.js in dev as production so this is a non problem. The current LTS is 8.9.4 it comes with NPM 5.6.0. Just stay on a recent LTS release and use the NPM versions bundled with it. |
It might be time for an expansion of the NPM team and a review of the current developers on it. |
Thank you to everyone who is ranting about us posting immature bullshit on this bug report. I now have a nice neat list of assholes I would never hire. How about we give the two person team more than 24 hours to run |
I'm not sure if you're joking, but that command only allows unpublishing versions published within 24 hours, and not older. |
That's okay, it was tagged 19 hours ago... |
Switch to correctMkdir as much as possible to ensure that permissions on directories are correct.
FYI: |
Looking back at my reaction this week, I realize that in the moment my responses were inappropriate and I have decided to delete the comment. Obviously, hiring decisions for any organization that I work for are based on wider evaluations of each individual’s background and qualifications. To anyone I may have offended, please accept my sincere apologies. |
I'm opening this issue because:
What's going wrong?
This issue has been happening ever since 5.7.0 was released a few hours ago. It seems to have completely broken my filesystem permissions and caused me to have to manually fix the permissions of critical files and folders. I believe that it is related to the commit 94227e1 which is traversing and running
chown
on the wrong, often critical, filesystem files and folders.By running
sudo npm
under a non-root user (root users do not have the same effect), filesystem permissions are being heavily modified. For example, if I runsudo npm --help
orsudo npm update -g
, both commands cause my filesystem to change ownership of directories such as/etc
,/usr
,/boot
, and other directories needed for running the system. It appears that the ownership is recursively changed to the user currently running npm.I found that a selection of directories in
/
were owned by a non-root user after runningsudo npm
and many binaries in/usr/bin
stopped working as their permissions were changed. People experiencing this bug will likely have to fully reinstall their system due to this update.npm update -g
asroot
:No output, all packages up to date. Likely still causes a
chown
to be run silently toroot:root
.drwxr-xr-x 10 root root 129 Feb 22 03:39 /usr
Then doing a
su jared
(a non-root user):sudo npm update -g
asjared
:Sometimes
EACCES
orEPERM
output, almost always corrupts the filesystem.drwxr-xr-x 10 jared jared 129 Feb 22 03:39 /usr
The
/usr
directory has been claimed bynpm
and ownership was set tojared:jared
as shown above. This same thing happens with other directories seemingly at random whilst being traversed.If you do not give it
sudo
permissions and just runnpm
alone, you can see it is attempting to traverse my/boot
ownership and crashes when it fails (if givensudo
, it will saychown
instead ofscandir
and output anEACCES
instead):It is very dangerous to run the latest version under
sudo
and I have a feeling it isn't just me getting these results.How can the CLI team reproduce the problem?
I am personally using Arch Linux with the latest
npm
package, installed as theroot
user via:pacman -Sy npm nodejs
npm install -g npm
npm install -g semver
Ensure that your npm is on version 5.7.0 then, as a non-root user, with
sudo
prefix:sudo npm --help
You will find that it fails, sometimes with no warnings and sometimes with an
EACCES
as it is unable tochown
the files in/boot
or read-only directories. No log files are generated on my system as it throws an output in console.This was not occurring on my system before the most recent update and using 5.6.0 resolves the issue entirely.
Supporting Information:
npm -v
prints:5.7.0
node -v
prints:9.5.0
npm config get registry
prints:https://registry.npmjs.org/
The text was updated successfully, but these errors were encountered: