How/why does npm recommend not running as root?

by

Actually, npm does not recommend not running as root. Well, not any more.

It has changed around the same time that you asked your question. This is how the README looked like on February 7, 2011: “Using sudo with npm is Very Not Recommended. Anyone can publish anything, and package installations can run arbitrary scripts.” It was explained later in more detail as “Option 4: HOLY COW NOT RECOMMENDED!! You can just use sudo all the time for everything, and ignore the incredibly obnoxious warnings telling you that you’re insane for doing this.”

See: https://github.com/isaacs/npm/tree/7288a137f3ea7fafc9d4e7d0001a8cd044d3a22e#readme

Now it is actually considered a recommended technique of installing npm:

Simple Install – To install npm with one command, do this:

curl http:/ /npmjs.org/install.sh | sudo sh

See: https://github.com/isaacs/npm/tree/99f804f43327c49ce045ae2c105995636c847145#readme

My advice would be to never do it because it means basically this:

  1. find out what the local DNS (or anyone else spoofing the DNS response or poisoning the DNS cache) says is the IP address of npmjs.org
  2. connect with insecure TCP with that IP (or with whoever says it’s his IP) on port 80
  3. trust the router that you think you should talk to (or anyone who gave you the DHCP response said you should talk to) to deliver packets to the right host
  4. possibly go through another layer of transparent caching proxy
  5. trust all other networks between you and the other end of the TCP connection
  6. don’t know for sure who you are connected with
  7. cross your fingers
  8. request install.sh script over insecure HTTP with no verification whatsoever
  9. and then run whatever was returned by whoever you’re talking to with maximum privileges on your machine without even checking what is it.

As you can see this is really, literally, with no exaggeration giving root shell to whatever you get after asking for a script from the Internet over an insecure connection with no verification whatsoever. There are at least 5 different things that can go wrong here, any of which can lead to an attacker taking total control over your machine:

  1. DHCP spoofing
  2. ARP spoofing
  3. DNS cache poisoning
  4. DNS response spoofing
  5. TCP session hijacking

Also note that using ‘sh’ instead of ‘sudo sh’ is usually not any less risky unless you run it as a different user who doesn’t have access to your private data, which is usually not the case.

You should use HTTPS connections if available to download such scripts so you could at least verify who you are talking to, and even then I wouldn’t run it without reading first. Unfortunately npmjs.org has a self-signed certificate so it doesn’t really help in this case.

Fortunately npm is available on GitHub that has a valid SSL certificate and from where you can download it using secure connection. See: github.com/isaacs/npm for details. But make sure that the npm itself doesn’t use insecure connections to download the files that it downloads – there should be an option in npm config.

Hope it helps. Good luck!

More Related Contents:

  1. how to specify local modules as npm package dependencies
  2. NPM run * doesn’t do anything
  3. NPM global install “cannot find module”
  4. How to include scripts located inside the node_modules folder?
  5. How can I make multiple projects share node_modules directory?
  6. Command to remove all npm modules globally
  7. nvm keeps “forgetting” node in new terminal session
  8. npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents
  9. npm install errors with Error: ENOENT, chmod
  10. npm install vs. update – what’s the difference?
  11. How can I change the version of npm using nvm?
  12. Angular 6 many Can’t resolve errors (crypto, fs, http, https, net, path, stream, tls, zlib)
  13. Install dependencies globally and locally using package.json
  14. npm install won’t install devDependencies
  15. Node package ( Grunt ) installed but not available
  16. Laravel 5.4 ‘cross-env’ Is Not Recognized as an Internal or External Command
  17. How to set npm credentials using `npm login` without reading from stdin?
  18. Install Node.js on Ubuntu
  19. `npm install` fails on node-gyp rebuild with `gyp: No Xcode or CLT version detected!`
  20. npx command not found
  21. When I run `npm install`, it returns with `ERR! code EINTEGRITY` (npm 5.3.0)
  22. Node JS NPM modules installed but command not recognized
  23. How to Reinstall Broken npm
  24. Npm install gives warnings, npm audit fix not working
  25. Difference between `npm start` & `node app.js`, when starting app?
  26. NPM cannot install dependencies – Attempt to unlock something which hasn’t been locked
  27. nodejs “npm ERR! code SELF_SIGNED_CERT_IN_CHAIN”
  28. npm install that requires node-gyp fails on Windows
  29. npm update check failed
  30. Cannot install bcrypt node.js module on Centos Server

Leave a Comment