FS#63396 - [npm] [node-gyp] [semver] Non-root user and group owns package.json files

Attached to Project: Community Packages
Opened by Blair Bonnett (bcb) - Wednesday, 07 August 2019, 07:37 GMT
Last edited by Daniel M. Capella (polyzen) - Sunday, 09 July 2023, 21:34 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Felix Yan (felixonmars)
Daniel M. Capella (polyzen)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

With a freshly installed copy of npm 6.10.2-1, node-gyp 5.0.2-1 and semver 6.3.0-1 all the package.json files are owned by non-root users:

$ ls -l /usr/lib/node_modules/*/node_modules/*/package.json
-rw-r--r-- 1 1052 1002 1512 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/abbrev/package.json
-rw-r--r-- 1 1052 1002 3773 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/ajv/package.json
-rw-r--r-- 1 1052 1002 2343 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/ansi-regex/package.json
-rw-r--r-- 1 1052 1002 1578 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/aproba/package.json
-rw-r--r-- 1 1052 1002 1778 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/are-we-there-yet/package.json
-rw-r--r-- 1 1052 1002 1875 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/asn1/package.json
-rw-r--r-- 1 1052 1002 2192 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/assert-plus/package.json
...


For npm and node-gyp it is UID 1052 and GID 1002, while for semver it is UID 1001 and GID 1001:

$ pacman -Ql npm | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | cut -d' ' -f3-4 | sort -u
1052 1002
root root
$ pacman -Ql node-gyp | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | cut -d' ' -f3-4 | sort -u
1052 1002
root root
$ pacman -Ql semver | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | cut -d' ' -f3-4 | sort -u
1001 1001
root root


As far as I can tell it only affects the package.json files:

$ pacman -Ql npm | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | grep '1052 1002' | awk -F'/' '{print $NF}' | sort -u
package.json
$ pacman -Ql node-gyp | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | grep '1052 1002' | awk -F'/' '{print $NF}' | sort -u
package.json
$ pacman -Ql semver | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | grep '1001 1001' | awk -F'/' '{print $NF}' | sort -u
package.json
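The `pacman -Ql ... | xargs ls -l` pipeline in the report is a one-off check; the following POSIX shell functions are an added example (not from the report, the npm package or the Arch guidelines) that turn the same idea into a reusable audit: they take an `ls -l` listing and report every entry whose owner or group is not root, and return a count that a packaging or post-install check can fail on. The listing embedded below is constructed to mirror the ownership pattern shown above; it is not real system output.

```shell
#!/bin/sh
# Added example: audit an `ls -l` style listing for files not owned by root:root.
# Files under /usr/lib owned by an arbitrary UID/GID (here the build user's 1052:1002
# and 1001:1001) are writable by whichever local account happens to have that id.

# Constructed sample listing modelled on the report (not captured from a real system).
SAMPLE_LISTING='-rw-r--r-- 1 1052 1002 1512 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/abbrev/package.json
-rw-r--r-- 1 root root 4096 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/abbrev/abbrev.js
-rw-r--r-- 1 1001 1001 1500 Jul 11 09:20 /usr/lib/node_modules/semver/package.json
-rwxr-xr-x 1 root root 2000 Jul 11 09:20 /usr/lib/node_modules/semver/bin/semver.js'

# Print "owner group path" for each entry whose owner or group is not root.
# Field 3 is the owner, field 4 the group, the last field the path
# (paths containing spaces would need `ls` output with a fixed separator instead).
non_root_entries() {
    printf '%s\n' "$1" | awk '$3 != "root" || $4 != "root" { print $3, $4, $NF }'
}

# Number of offending entries; a packaging check can treat any non-zero value as a failure.
non_root_count() {
    non_root_entries "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed listing.
echo "Files not owned by root:root:"
non_root_entries "$SAMPLE_LISTING"
echo "count: $(non_root_count "$SAMPLE_LISTING")"

# Live use against an installed pacman package (any user can run this):
#   pacman -Ql npm | cut -d' ' -f2- | grep -v '/$' | xargs ls -ld | awk '$3 != "root" || $4 != "root"'
```

The wiki page linked in the comments below describes the PKGBUILD-side workaround (resetting ownership under the package directory to root:root before packaging); the block here covers only the detection side, so it can also be run after an upgrade to confirm that a rebuilt package no longer ships non-root-owned files.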

Closed by  Daniel M. Capella (polyzen)
Sunday, 09 July 2023, 21:34 GMT
Reason for closing:  Fixed
Additional comments about closing:  npm 9.8.0-1
Comment by Martin Rys (C0rn3j) - Thursday, 14 October 2021, 22:24 GMT
  • Field changed: Percent Complete (100% → 0%)
npm gives ownership on all files to the build user.

There's a workaround listed here linking to this issue - https://wiki.archlinux.org/title/Node.js_package_guidelines#Using_npm


The build owner issue is NOT solved.
While this would usually be better sorted in a new issue, many many packages that applied this fix copied the wiki page example, thus a whole lot of packages, AUR or official repos, link here.

https://archlinux.org/packages/community/any/bower/

If a new issue were to be created it'd be good to at least leave a comment here and link to it, but it seems like that's impossible to do while this issue is closed.
