Infer ownership of _all_ unpacked files (like cacache does for cache)

[isaacs]

As originally reported in zkat/pacote#175, pacote will leave user-owned files in the global (typically root-owned) install space. This is arguably much less bad than leaving root-owned files in ~, but still not ideal.

Proposal:

• abstract out the infer-owner.js util from cacache into its own module.
• Infer ownership of all files that pacote unpacks.
• Drop the uid or gid option entirely.

Thereafter, installing in a root-owned prefix will produce root-owned files. (Or fail with EACCES if the user doesn't have permission to write there.) Installing in a user-owned folder will produce user-owned files. No config juggling or baton-passing required. (Well, Pacote will have to infer the ownership and then pass the uid/gid configs to tar, but that seems pretty reasonable.)

[isaacs]

Cc: @godmar

I don't think I'm going to be able to get this in 6.10.2 (it's coming down to the wire to get a prerelease out in time for this week), but 6.10.3 could have this change. The priority is removing root-owned files in user-owned folders.

[godmar]

(Or fail with EACCES if the user doesn't have permission to write there.)

Given the number of users with limited OS knowledge that are using JavaScript these days, many on OSX, you should include an early fail-stop with a clear message when attempts are made to write to system folders. For instance, you could output "Since you are installing to a global folder, you need to use 'sudo ... repeat the command here'". The current practice which throws back an EACCES hidden among lots of other information is not good.

[isaacs]

Early detection/warning about EACCES is a good idea. Can you post it to npm.community in the ideas category?