Skip to content
This repository was archived by the owner on Aug 11, 2021. It is now read-only.

[BUG] npm falsely reports hard-coded ENOENT as postinstall error when root #47

Open
Open
[BUG] npm falsely reports hard-coded ENOENT as postinstall error when root#47
@coolaj86

Description

@coolaj86
coolaj86
opened on Apr 24, 2020

What / Why

npm reports ENOENT on npm install postinstall errors when running as root
We all know that you shouldn't run npm is root on your local system.

What we don't all know is that apparently new versions of npm change the uid to 1001 and if you're running in a virtualized single-user environment, this causes postinstall scripts to break due to permission errors.

How

Apparently there's some uid fudging and whatnot inside of npm.

Steps to Reproduce

  1. Spin up a single-user (root-only) virtual server.
  2. Install node v12.16.2 (or earlier, but after v10.x for certain) via nodejs.org tarball
    • curl -sS https://webinstall.dev/node@v12 | bash
  3. install a package that runs a pre, install, and/or post script
npm install --save @root/acme 

> @root/[email protected] postinstall /root/srv/try-greenlock/node_modules/@root/acme
> node scripts/postinstall

sh: 1: node: Permission denied
npm WARN [email protected] No description
npm WARN [email protected] No repository field.

npm ERR! code ELIFECYCLE
npm ERR! syscall spawn
npm ERR! file sh
npm ERR! errno ENOENT
npm ERR! @root/[email protected] postinstall: `node scripts/postinstall`
npm ERR! spawn ENOENT
npm ERR! 
npm ERR! Failed at the @root/[email protected] postinstall script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2020-04-24T23_10_59_381Z-debug.log

Expected Behavior

Either

  • return an error message sooner about being root and that not being allowed.
  • return the correct error message, not ENOENT
  • don't fudge the uids in the first place

References

https://github.com/npm/npm-lifecycle/blob/latest/lib/spawn.js#L45

If you console.log(options) when running as root you can clearly see that the uid is set to 1001.

You can also clearly see that ENOENT is hard-coded as a best-effort guess as to what the error is, masking the actual error which I believe is due to selecting a non-existing user.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions