Community Packages


FS#63396 - [npm] [node-gyp] [semver] Non-root user and group owns package.json files

Attached to Project: Community Packages
Opened by Blair Bonnett (bcb) - Wednesday, 07 August 2019, 07:37 GMT
Last edited by Felix Yan (felixonmars) - Monday, 02 September 2019, 08:06 GMT
Task Type: Bug Report
Category: Packages
Status: Closed
Assigned To: Felix Yan (felixonmars)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

With a freshly installed copy of npm 6.10.2-1, node-gyp 5.0.2-1 and semver 6.3.0-1 all the package.json files are owned by non-root users:

$ ls -l /usr/lib/node_modules/*/node_modules/*/package.json
-rw-r--r-- 1 1052 1002 1512 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/abbrev/package.json
-rw-r--r-- 1 1052 1002 3773 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/ajv/package.json
-rw-r--r-- 1 1052 1002 2343 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/ansi-regex/package.json
-rw-r--r-- 1 1052 1002 1578 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/aproba/package.json
-rw-r--r-- 1 1052 1002 1778 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/are-we-there-yet/package.json
-rw-r--r-- 1 1052 1002 1875 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/asn1/package.json
-rw-r--r-- 1 1052 1002 2192 Jul 11 09:20 /usr/lib/node_modules/node-gyp/node_modules/assert-plus/package.json
...


For npm and node-gyp it is UID 1052 and GID 1002, while for semver it is UID 1001 and GID 1001:

$ pacman -Ql npm | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | cut -d' ' -f3-4 | sort -u
1052 1002
root root
$ pacman -Ql node-gyp | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | cut -d' ' -f3-4 | sort -u
1052 1002
root root
$ pacman -Ql semver | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | cut -d' ' -f3-4 | sort -u
1001 1001
root root


As far as I can tell it only affects the package.json files:

$ pacman -Ql npm | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | grep '1052 1002' | awk -F'/' '{print $NF}' | sort -u
package.json
$ pacman -Ql node-gyp | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | grep '1052 1002' | awk -F'/' '{print $NF}' | sort -u
package.json
$ pacman -Ql semver | cut -d' ' -f2- | grep -v '/$' | xargs ls -l | grep '1001 1001' | awk -F'/' '{print $NF}' | sort -u
package.json

Closed by Felix Yan (felixonmars)
Monday, 02 September 2019, 08:06 GMT
Reason for closing: Fixed
Additional comments about closing: in corresponding -2 revision.
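The ownership check from the report can also be run against a built package archive before it is installed. The following is an added example, not part of the original report or of Arch's packaging tooling: it lists tar members whose UID/GID is not 0:0 and groups them the way the `sort -u` pipelines above do. It assumes the package is a tar archive that Python's tarfile module can open; the function names and the in-memory sample archive are constructed for illustration.

```python
import io
import tarfile
from collections import Counter


def non_root_members(tar):
    """Return (path, uid, gid) for every archive member not owned by 0:0."""
    return [(m.name, m.uid, m.gid) for m in tar if (m.uid, m.gid) != (0, 0)]


def summarize(findings):
    """Count findings per owner pair and per file basename."""
    owners = Counter((uid, gid) for _, uid, gid in findings)
    names = Counter(path.rsplit("/", 1)[-1] for path, _, _ in findings)
    return owners, names


def build_sample_archive():
    """Constructed sample: in-memory tar with the ownership pattern reported."""
    base = "usr/lib/node_modules/node-gyp/node_modules/"
    entries = [
        (base + "abbrev/package.json", 1052, 1002),
        (base + "abbrev/abbrev.js", 0, 0),
        (base + "ajv/package.json", 1052, 1002),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, uid, gid in entries:
            info = tarfile.TarInfo(name)
            info.uid, info.gid, info.mode = uid, gid, 0o644
            data = b"{}\n"
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def audit(fileobj):
    """Open a (possibly compressed) tar stream and return non-root members."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        return non_root_members(tar)


if __name__ == "__main__":
    findings = audit(build_sample_archive())
    owners, names = summarize(findings)
    for (uid, gid), count in sorted(owners.items()):
        print(f"{count} file(s) owned by {uid}:{gid}")
    print("affected basenames:", sorted(names))
    raise SystemExit(1 if findings else 0)  # non-zero exit fails a CI step
```

To audit a real package, pass an open binary file handle for the archive to `audit()` instead of the constructed sample.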
