I'm opening this issue because:
What's going wrong?
This issue has been happening ever since 5.7.0 was released a few hours ago. It seems to have completely broken my filesystem permissions and caused me to have to manually fix the permissions of critical files and folders. I believe that it is related to the commit 94227e1 which is traversing and running chown on the wrong, often critical, filesystem files and folders.
By running sudo npm under a non-root user (root users do not have the same effect), filesystem permissions are being heavily modified. For example, if I run sudo npm --help or sudo npm update -g, both commands cause my filesystem to change ownership of directories such as /etc, /usr, /boot, and other directories needed for running the system. It appears that the ownership is recursively changed to the user currently running npm.
I found that a selection of directories in / were owned by a non-root user after running sudo npm and many binaries in /usr/bin stopped working as their permissions were changed. People experiencing this bug will likely have to fully reinstall their system due to this update.
npm update -g as root:
No output, all packages up to date. Likely still causes a chown to be run silently to root:root.
drwxr-xr-x 10 root root 129 Feb 22 03:39 /usr
Then doing a su jared (a non-root user):
sudo npm update -g as jared:
Sometimes EACCES or EPERM output, almost always corrupts the filesystem.
drwxr-xr-x 10 jared jared 129 Feb 22 03:39 /usr
The /usr directory has been claimed by npm and ownership was set to jared:jared as shown above. This same thing happens with other directories seemingly at random whilst being traversed.
If you do not give it sudo permissions and just run npm alone, you can see it is attempting to traverse my /boot ownership and crashes when it fails (if given sudo, it will say chown instead of scandir and output an EACCES instead):
Error: EPERM: operation not permitted, scandir '/boot/initramfs-linux-fallback.img'
TypeError: Cannot read property 'get' of undefined
...
Error: EACCES: operation not permitted, chown '/boot/initramfs-linux-fallback.img'
TypeError: Cannot read property 'get' of undefined
...
It is very dangerous to run the latest version under sudo and I have a feeling it isn't just me getting these results.
How can the CLI team reproduce the problem?
I am personally using Arch Linux with the latest npm package, installed as the root user via:
pacman -Sy npm nodejs
npm install -g npm
npm install -g semver
Ensure that your npm is on version 5.7.0 then, as a non-root user, with sudo prefix:
sudo npm --help
You will find that it fails, sometimes with no warnings and sometimes with an EACCES as it is unable to chown the files in /boot or read-only directories. No log files are generated on my system as it throws an output in console.
This was not occurring on my system before the most recent update and using 5.6.0 resolves the issue entirely.
Supporting Information:
npm -v prints: 5.7.0node -v prints: 9.5.0npm config get registry prints: https://registry.npmjs.org/- Windows, OS X/macOS, or Linux?: Arch Linux (latest base)
- Network issues:
- Container:
I'm opening this issue because:
What's going wrong?
This issue has been happening ever since 5.7.0 was released a few hours ago. It seems to have completely broken my filesystem permissions and caused me to have to manually fix the permissions of critical files and folders. I believe that it is related to the commit 94227e1 which is traversing and running
chownon the wrong, often critical, filesystem files and folders.By running
sudo npmunder a non-root user (root users do not have the same effect), filesystem permissions are being heavily modified. For example, if I runsudo npm --helporsudo npm update -g, both commands cause my filesystem to change ownership of directories such as/etc,/usr,/boot, and other directories needed for running the system. It appears that the ownership is recursively changed to the user currently running npm.I found that a selection of directories in
/were owned by a non-root user after runningsudo npmand many binaries in/usr/binstopped working as their permissions were changed. People experiencing this bug will likely have to fully reinstall their system due to this update.npm update -gasroot:No output, all packages up to date. Likely still causes a
chownto be run silently toroot:root.drwxr-xr-x 10 root root 129 Feb 22 03:39 /usrThen doing a
su jared(a non-root user):sudo npm update -gasjared:Sometimes
EACCESorEPERMoutput, almost always corrupts the filesystem.drwxr-xr-x 10 jared jared 129 Feb 22 03:39 /usrThe
/usrdirectory has been claimed bynpmand ownership was set tojared:jaredas shown above. This same thing happens with other directories seemingly at random whilst being traversed.If you do not give it
sudopermissions and just runnpmalone, you can see it is attempting to traverse my/bootownership and crashes when it fails (if givensudo, it will saychowninstead ofscandirand output anEACCESinstead):It is very dangerous to run the latest version under
sudoand I have a feeling it isn't just me getting these results.How can the CLI team reproduce the problem?
I am personally using Arch Linux with the latest
npmpackage, installed as therootuser via:pacman -Sy npm nodejsnpm install -g npmnpm install -g semverEnsure that your npm is on version 5.7.0 then, as a non-root user, with
sudoprefix:sudo npm --helpYou will find that it fails, sometimes with no warnings and sometimes with an
EACCESas it is unable tochownthe files in/bootor read-only directories. No log files are generated on my system as it throws an output in console.This was not occurring on my system before the most recent update and using 5.6.0 resolves the issue entirely.
Supporting Information:
npm -vprints:5.7.0node -vprints:9.5.0npm config get registryprints:https://registry.npmjs.org/