[BUG] npm installs package with wrong user/group ownership #6173

Closed
2 tasks done
eocantu opened this issue Feb 15, 2023 · 0 comments · Fixed by npm/pacote#261
Labels
Bug thing that needs fixing Priority 1 high priority issue Release 9.x work is associated with a specific npm 9 release

eocantu commented Feb 15, 2023

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

When installing a certain package as root within a folder owned by root, the ownership of those files is not as expected.

Logs:

root@3a9aa418b816:/tmp/test-install# npm -v
9.4.2
root@3a9aa418b816:/tmp/test-install# npm init -y
Wrote to /tmp/test-install/package.json:

{
  "name": "test-install",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC"
}


root@3a9aa418b816:/tmp/test-install# npm install [email protected]

added 2 packages, and audited 3 packages in 287ms

found 0 vulnerabilities
root@3a9aa418b816:/tmp/test-install# ls -al node_modules/tmp/
total 32
drwxr-xr-x 3 root       root       4096 Feb 15 14:57 .
drwxr-xr-x 4 root       root       4096 Feb 15 14:57 ..
-rw-r--r-- 1 2119470584 2042662593 1082 Feb 15 14:57 LICENSE
-rw-r--r-- 1 2119470584 2042662593 9293 Feb 15 14:57 README.md
drwxr-xr-x 2 root       root       4096 Feb 15 14:57 lib
-rw-r--r-- 1 2119470584 2042662593  751 Feb 15 14:57 package.json

In the above output, some files aren't owned by root.

Expected Behavior

The installed files should be owned by root.

Steps To Reproduce

docker run --rm -i -t --entrypoint=bash node:18
mkdir -p /tmp/test-install
cd /tmp/test-install
npm init -y
npm install [email protected]
ls -al node_modules/tmp/

Files have a strange ownership.

# ls -al node_modules/tmp/
total 32
drwxr-xr-x 3 root       root       4096 Feb 15 14:53 .
drwxr-xr-x 4 root       root       4096 Feb 15 14:53 ..
-rw-r--r-- 1 2119470584 2042662593 1082 Feb 15 14:53 LICENSE
-rw-r--r-- 1 2119470584 2042662593 9293 Feb 15 14:53 README.md
drwxr-xr-x 2 root       root       4096 Feb 15 14:53 lib
-rw-r--r-- 1 2119470584 2042662593  751 Feb 15 14:53 package.json

Environment

  • npm: 9.4.2
  • Node.js: 18.14.0
  • OS Name: Debian 11 (bullseye)
  • System Model Name: Docker container
  • npm config:
; node bin location = /usr/local/bin/node
; node version = v18.14.0
; npm local prefix = /tmp/test-install
; npm version = 9.4.2
; cwd = /tmp/test-install
; HOME = /root
; Run `npm config ls -l` to show all defaults.
# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
@eocantu eocantu added Bug thing that needs fixing Needs Triage needs review for next steps Release 9.x work is associated with a specific npm 9 release labels Feb 15, 2023
@eocantu eocantu changed the title [BUG] npm installs package with with wrong user/group ownership [BUG] npm installs package with wrong user/group ownership Feb 15, 2023
@nlf nlf added Priority 1 high priority issue and removed Needs Triage needs review for next steps labels Feb 16, 2023
@nlf nlf self-assigned this Feb 16, 2023