[BUG] npm resets the SUID bit for a binary in /usr/local/bin

[bodqhrohro]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

I have a binary in /usr/local/bin/, which is not related to JavaScript. When I upgrade some package which has a global binary via npm, like typescript or npm itself, the SUID bit on that binary is reset, and I have to set it manually again.

Expected Behavior

npm shouldn't touch foreign files in /usr/local/bin/ at all.

Steps To Reproduce

sudo npm i -g npm

Environment

• OS: Debian GNU/Linux 12
• Node: 14.17.6
• npm: 7.6.3

[ljharb]

Can you try the latest version of npm? It's up to v7.21.1 atm.

[bodqhrohro]

Happens on 7.21.1 as well.

[theredcat]

Same problem on 8.1.2 (LTS) shipped with nodejs 16.13.1

Here is an example with the gosu binary, but it's true for all binaries in this directory.

Here is the node installation procedure used :

wget https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.xz && \
    tar --extract --verbose --strip-components=1 --directory /usr/local --file node-v${NODE_VERSION}-linux-x64.tar.xz && \
    rm node-v${NODE_VERSION}-linux-x64.tar.xz

Here is the example :

root@d58a2fd12f41:/# stat /usr/local/bin/gosu
  File: /usr/local/bin/gosu
  Size: 2294944         Blocks: 4488       IO Block: 4096   regular file
Device: 5bh/91d Inode: 15616158    Links: 1
Access: (6755/-rwsr-sr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2021-12-07 06:48:40.000000000 +0100
Modify: 2021-12-07 06:48:40.000000000 +0100
Change: 2022-01-04 16:56:51.968188674 +0100
 Birth: 2022-01-04 16:56:51.960188732 +0100
root@d58a2fd12f41:/# npm install -g pm2
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.

added 181 packages, and audited 182 packages in 8s

11 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
npm notice 
npm notice New minor version of npm available! 8.1.2 -> 8.3.0
npm notice Changelog: https://github.com/npm/cli/releases/tag/v8.3.0
npm notice Run npm install -g [email protected] to update!
npm notice 
root@d58a2fd12f41:/# stat /usr/local/bin/gosu
  File: /usr/local/bin/gosu
  Size: 2294944         Blocks: 4488       IO Block: 4096   regular file
Device: 5bh/91d Inode: 15616158    Links: 1
Access: (0755/-rwxr-xr-x)  Uid: ( 1001/ UNKNOWN)   Gid: ( 1001/ UNKNOWN)
Access: 2021-12-07 06:48:40.000000000 +0100
Modify: 2021-12-07 06:48:40.000000000 +0100
Change: 2022-01-04 17:51:19.544398768 +0100
 Birth: 2022-01-04 17:51:19.528398885 +0100

[theredcat]

Same issue as #4010

[jonathanpmartins]

I don't know why this issue ins't a priority. I just update from 8.4.0 to 8.5.4 (using node v14.19.0) and lost sudo privileges on my server.

sudo -i;
npm i -g npm;

got me to

sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

[theredcat]

@jonathanpmartins FYI I've created a security issue via Github security report process (NPM Cli security issues seems to be managed by Github team => https://github.com/npm/cli/security/policy) and I have no response since 11 days

[theredcat]

#4312

[jonathanpmartins]

After digging up for hours, and many many AMI restores later, I got to the real problem.
For some unknown reason /usr/bin had ubuntu:root ownership on my server. Changing the ownership back to root solved the problem.

Solution:

sudo chown root:root /usr/bin;
sudo npm i -g [email protected];
sudo -i;  #working

So the real problem is:

• When /usr/bin has a different ownership than root:root, npm changes the ownership of all files inside /usr/bin folder. Including the sudo file.

After this workaround I was able to update NPM without losing sudo privileges. Unfortunately, I wasn't able to recover my server that I lost sudo privileges on. This only works if you know about the problem and change the bin folder ownership before updating npm.

Today was the day of restoring backups!

[bodqhrohro]

Seems legit, my /usr/local/bin belongs to root:staff.

[theredcat]

@jonathanpmartins @bodqhrohro The real problem is NPM is touching permissions of binaries it doesn't installed. In the example above, gosu was owned by root:root and /usr/bin too

[wraithgar]

Closing as a duplicate of #4010