-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] Install via Git fails when running with sudo (no access to SSH_AUTH_SOCK) #44
Comments
Actually, looking into this again this morning, i forgot one thing in my 'When': The SSH agent socket of course needs to be owned by If you're running (Also, in case it wasn't clear, this did work fine for several years; it only just broke now after an NPM update) |
So, if I'm reading this correctly, if you change the It's not too hard to detect the permission failure and tell the user to try that. Turning off the priv drop would be kind of hazardous, as for every one person affected by this issue, there are dozens who get stuff into a weird state with root-owned files in their cache directory. What we might be able to do is turn off the priv drop, but then do a |
Yes. In that case, Like i said, i'm not very familiar with NPM stuff, so i'm not sure what would be the best way for the tool to account for this situation, or if it should. But, speaking for myself, it would have been helpful if it had just printed a warning message like
|
Yeah, I like that. We can definitely detect and print some helpful guidance. I think pacote itself should probably ultimately still do what it's currently doing, since it's usually the right thing, and more reliable than trying to chmod after the checkout. |
What / Why
(Sorry for any bad assumptions i'm making here, i know very little about NPM or
pacote
)When
pacote
detects that it's running asroot
, but the directory it's trying to clone into is owned by another user, it runsgit
with that user's UID. This seems to work as far as making the permissions on the clone consistent, but, when using Git+SSH, the privilege-dropped OpenSSH process is then prevented from accessing the agent auth socket (because it's still owned byroot
). This causesgit
to fail.The obvious work-around (besides not running NPM as
root
in the first place, which is of course my long-term goal) is to pass-H
or-i
tosudo
, which should avoid the privilege drop in most cases. And, if reconciling the ownerships of the clone directory and auth socket is too irritating, maybe that should be the 'official' solution — i thinkpip
has a similar requirement.But one big difference between
pip
andpacote
is thatpip
actually tells you what's wrong and how to fix it — without spend a whole bunch of time troubleshooting it, thepacote
issue simply looks like the Git clone is failing for no reason at all.When
Always, in this configuration/scenario:
npm
6.14.4pacote
9.5.12npm
running asroot
root
(e.g. usingsudo
without-i
or-H
)Where
Using a private repository in this case, but i assume this can occur any time
pacote
deals with Git via SSHHow
Current Behavior
git
commands fail in the above scenario, with no good explanation as to whySteps to Reproduce
(The clone succeeds if i change
cwdOwner()
andmkOpts()
ingit.js
so that they don't try to de-escalate)Expected Behavior
imo,
pacote
should either:Who
Me!
References
The text was updated successfully, but these errors were encountered: