[BUG] npm i -g foo changes ownership of files under /usr/bin #4010

Closed
2 tasks done
emi2k01 opened this issue Nov 7, 2021 · 12 comments
Labels
Bug (thing that needs fixing), Priority 1 (high priority issue), Release 8.x (work is associated with a specific npm 8 release)

emi2k01 commented Nov 7, 2021

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

After running sudo npm i -g foo files under /usr/bin that were owned by root are now owned by the current user.

I ran sudo npm i -g typescript and it was installed correctly I think. Then I ran sudo npm i -g vscode-langservers-extracted and I got sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set.

I think the packages I installed are irrelevant because I still get the same errors after installing other packages globally with sudo.

This looks similar to #19883 but as far as I can see, only /usr/bin/ files are affected.

Expected Behavior

npm should not change ownership of files under /usr/bin

Steps To Reproduce

  1. In this environment...
    Linux
    npm v8.1.3
  2. With this config...
    Default
  3. Run 'sudo npm i -g typescript' (the package doesn't matter)
  4. See: files under /usr/bin changing ownership

In this video, you can see what happens. When I stop writing, it is because I'm going to another tty as root to execute chown root:root /usr/bin/sudo && chmod 4755 /usr/bin/sudo. The video also shows npm with version v8.0.0, but I updated to v8.1.3 and the same thing happens.

2021-11-07.14-39-43.mov

Environment

  • npm: 8.1.3
  • Node: 16.11.0
  • OS: Linux 5.10.70-1-MANJARO
  • platform: Desktop amd64
  • npm config:
; node bin location = /usr/bin/node
; cwd = /home/emi2k01/Documents/facu/tecmul/proyectofinal
; HOME = /home/emi2k01
; Run `npm config ls -l` to show all defaults.
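
A read-only check for the symptom reported above, as an added example that is not part of the original thread or of npm's code: it lists entries in a bin directory whose owner is not the expected uid and verifies that `sudo` in that directory is a regular file owned by that uid with the setuid bit set. The function names are hypothetical, and the expected uid is a parameter (0 for a real /usr/bin) so the functions can also be run against a scratch directory.

```shell
#!/bin/sh
# Added example (hypothetical function names): read-only audit for the ownership
# damage described in this issue. Nothing here changes owners or modes.

# Print entries directly inside DIR whose owner is not EXPECTED_UID. find does not
# follow symlinks by default, so a link is judged by its own owner, which is what
# lchown changes.
list_wrong_owner() {
    dir=$1
    expected_uid=$2
    find "$dir" -mindepth 1 -maxdepth 1 ! -uid "$expected_uid" -print | sort
}

# Succeed only if FILE is a regular file (not a symlink) owned by EXPECTED_UID with
# the setuid bit set. With uid 0 this is the condition in sudo's error message.
is_setuid_owned_by() {
    file=$1
    expected_uid=$2
    [ -f "$file" ] && [ ! -L "$file" ] && [ -u "$file" ] || return 1
    [ -n "$(find "$file" -maxdepth 0 -uid "$expected_uid" -print)" ]
}

# Report both problems for DIR; return 0 when clean, 1 when anything is wrong.
audit_bin_dir() {
    dir=$1
    expected_uid=${2:-0}
    rc=0
    bad=$(list_wrong_owner "$dir" "$expected_uid")
    if [ -n "$bad" ]; then
        printf 'entries in %s not owned by uid %s:\n%s\n' "$dir" "$expected_uid" "$bad" >&2
        rc=1
    fi
    if [ -e "$dir/sudo" ] && ! is_setuid_owned_by "$dir/sudo" "$expected_uid"; then
        printf '%s/sudo is not a setuid file owned by uid %s\n' "$dir" "$expected_uid" >&2
        rc=1
    fi
    return "$rc"
}

# Typical use on a real system: audit_bin_dir /usr/bin 0
```

Running the audit before and after a global install shows whether the install touched ownership of anything besides the package's own files.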

emi2k01 added the Bug, Needs Triage and Release 8.x labels Nov 7, 2021

@tomgrossman

hi, what is the timeline for this? it's critical for stations with end point protection, for example my Macbook with SentinelOne. I can't upgrade my global npm because of this.

@theredcat

Same issue as #3705

@theredcat

@nlf Could you look at this or pass the information? It seems a pretty serious issue

@jonathanpmartins

jonathanpmartins commented Mar 15, 2022

New minor version of npm available! 8.4.0 -> 8.5.4

Node: v14.19.0

I just lost sudo privileges on my server after running sudo npm install -g [email protected].

sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

This is bad!

@theredcat

4312

@jonathanpmartins

@emi2k01 Does this make sense? #3705 (comment)

What is the ownership of your /usr/bin folder?

@emi2k01
Author

emi2k01 commented Mar 15, 2022

> @emi2k01 Does this make sense? #3705 (comment)
>
> What is the ownership of your /usr/bin folder?

I have no idea, sorry. This was a long time ago and I switched to installing binaries under ~/.local/ since then

wraithgar added the Priority 1 label and removed the Needs Triage label Mar 16, 2022

@wraithgar
Member

There is an rrfc open for this npm/rfcs#546

@michaelsproul

I just encountered a variant of this issue that made me think my entire machine was compromised. npm tried to change the permissions of my local Firefox profile while uninstalling an unrelated global package:

$ sudo npm uninstall ganache-cli
npm ERR! code ENOENT
npm ERR! syscall lchown
npm ERR! path /home/redacted/.mozilla/firefox/xxxx.default-release/storage/default/https+++web.whatsapp.com/idb/9999999999wcaw.sqlite-wal
npm ERR! errno -2
npm ERR! enoent ENOENT: no such file or directory, lchown '/home/redacted/.mozilla/firefox/xxxx.default-release/storage/default/https+++web.whatsapp.com/idb/9999999999wcaw.sqlite-wal'
npm ERR! enoent This is related to npm not being able to find a file.
npm ERR! enoent

I'm running an old version of npm (7.5.2) and won't be upgrading, because I would prefer to never run npm on this machine ever again.

@ljharb
Contributor

ljharb commented Mar 20, 2022

@michaelsproul you should never, ever run npm with sudo unless it’s with -g. Also, leaving an unsupported buggy version of npm on your machine seems decidedly worse than either upgrading it, or uninstalling node and npm.

@michaelsproul

> leaving an unsupported buggy version of npm on your machine seems decidedly worse than either upgrading it, or uninstalling node and npm.

I'm deleting every trace of it right now.

@nlf
Contributor

nlf commented Jan 4, 2023

npm@9 no longer attempts to modify file ownership at all, which should resolve this problem. please feel free to reopen this issue if you still experience this after updating to the latest npm@9.

nlf closed this as completed Jan 4, 2023