[Pkg-javascript-devel] Bug#960289: npm: 'Permission denied' error when running as root

Nikolay Shaplov dhyan at nataraj.su
Tue May 12 07:44:06 BST 2020


In a message of Monday, 11 May 2020, 17:51:27 MSK, Jérémy Lal wrote:

> > > > # cd /srv
> > > > # npm install matrix-appservice-irc --global
> > > 
> > > You are running an untrusted module as root.
> > > I strongly advise against that.
> > 
> > I am _installing_ an untrusted module as root. Am I not?
> 
> npm modules can have postinstall scripts.
> Well-known modules might be trustable (they might not) but the module
> you're trying to install does have an issue (checksum mismatch) and might
> have been tampered with.

There can be a lot of reasons why I, as a user, would like to _install_ a
module as root:

- I have a good reason to trust this module, and will run it as root too.
- I do not trust this module at all, or any of the Node.js stuff. So I put it
into a dedicated lxc-container; there is nothing but that module there. It can
have the whole container as root, I do not care.
- I will install it as root (so it can properly write to /usr/local/lib),
and then run it as a user.
- ... I am sure anyone with a good imagination can add several more cases there.

So either running npm as root should be clearly forbidden, if it is kind of
the policy for npm, or it should work without failures as root too, letting
the user take care of his security.

Explaining failures as security measures is a bad idea.
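
Added example, not part of the original message or of npm's own code: the quoted point that npm modules can have postinstall scripts can be checked before anything is installed as root. The sketch below lists the lifecycle hooks npm runs at install time for a package manifest; the function names and the sample manifests are constructed for illustration.

```javascript
// Hooks npm executes, in this order, when a package is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Return [{hook, command}] for every script that would run at install time.
// hasBindingGyp: the package ships a binding.gyp in its root. npm then
// defaults "install" to "node-gyp rebuild" unless the package declares its
// own install or preinstall script.
function installTimeScripts(manifest, hasBindingGyp = false) {
  const declared = (manifest && manifest.scripts) || {};
  const scripts = { ...declared };
  if (hasBindingGyp && !declared.install && !declared.preinstall) {
    scripts.install = 'node-gyp rebuild'; // implicit default, not in package.json
  }
  return INSTALL_HOOKS
    .filter((h) => typeof scripts[h] === 'string' && scripts[h].trim() !== '')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Keep only the packages that execute something during installation.
function audit(packages) {
  return packages
    .map((p) => ({
      name: p.manifest.name,
      hooks: installTimeScripts(p.manifest, p.hasBindingGyp),
    }))
    .filter((r) => r.hooks.length > 0);
}

// Constructed sample manifests (hypothetical packages, not real ones).
const SAMPLE = [
  { manifest: { name: 'plain-lib', version: '1.0.0', scripts: { test: 'mocha' } },
    hasBindingGyp: false },
  { manifest: { name: 'native-addon', version: '2.1.0' },
    hasBindingGyp: true },
  { manifest: { name: 'with-hook', version: '0.3.0',
                scripts: { postinstall: 'node setup.js' } },
    hasBindingGyp: false },
];

for (const r of audit(SAMPLE)) {
  for (const h of r.hooks) {
    console.log(`${r.name}: ${h.hook} -> ${h.command}`);
  }
}
```

`npm install --ignore-scripts` skips these hooks entirely, which separates unpacking a module from executing its code.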


