
A bug in npm (Node Package Manager), the most widely used JavaScript package manager, changes the ownership of crucial Linux system directories such as /etc, /usr, and /boot.
Changing the ownership of these directories either crashes the system or various local applications, or prevents the system from booting, according to reports from users who installed npm v5.7.0, the buggy npm update.
Most users will have to reinstall systems
Users who installed this update —mostly developers and software engineers— will likely have to reinstall their system from scratch or restore from a previous system image.
"This destroyed 3 production server after a single deploy!" one affected user said in a GitHub bug report today. Many other users have taken to Twitter to describe similar issues with dev and production servers, and to warn other users not to update.
Dear god... bug in npm changes permissions on / file system destroys productions linux or unix boxes. “sudo npm” will chown “/“. https://t.co/94j5uRNTaf
— nixCraft: The Best Linux Blog In the Unixverse (@nixcraft) February 22, 2018
“if I run sudo npm --help …my filesystem [changes] ownership of directories such as /etc, /usr, /boot”
— Kenn White (@kennwhite) February 22, 2018
Going to be a long day for a lot of Ops folk today.
Good morning from npm land. :dumpster-fire: https://t.co/Jd3wTi4dou
— Kevin Jones (@vcsjones) February 22, 2018
Would hate to be a Nope.js developer today, sounds like latest NPM fucks your box up pretty bad.
— Bobby 'Tables (@info_dox) February 22, 2018
https://t.co/O8BQU4wvhm
Bug first reported a week ago
The bug was first reported a week ago but was left without an answer from npm developers. Users filed a new bug report after last night's release, and the npm team has released npm v5.7.1, a version that removes the buggy code.
FreeBSD users have also reported being impacted by the bug. Mac and Windows users didn't experience any issues. The problem did not affect every Linux user.
"By running sudo npm under a non-root user (root users do not have the same effect), filesystem permissions are being heavily modified," said Jared Tiala, the software developer who reported the issue to the npm team three hours after v5.7.0 went live.
Running the same npm commands directly as root does not trigger the ownership change, so the issue appears to affect only npm operations that a non-root user runs through sudo.
"For example, if I run sudo npm --help or sudo npm update -g, both commands cause my filesystem to change ownership of directories such as /etc, /usr, /boot, and other directories needed for running the system," Tiala said. "It appears that the ownership is recursively changed to the user currently running npm."
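The behavior Tiala describes leaves a clear fingerprint: system directories that should belong to root end up owned by an ordinary account. The read-only audit below is an added example, not code from the article or from npm; it counts paths under a directory tree that are not owned by an expected uid (0 by default) and runs that check over the directories named in the article. A handful of legitimate non-root entries may exist on some distributions, so treat a large count, not any count, as the signal.

```shell
#!/bin/sh
# Added example (not from the article or the npm project): a read-only
# ownership audit for the directories npm 5.7.0 is reported to have
# recursively chowned when invoked through sudo. It reports; it changes nothing.

# wrong_owner ROOT [EXPECTED_UID]
# Prints every path under ROOT (same filesystem only, symlinks not followed)
# whose owner is not EXPECTED_UID. EXPECTED_UID defaults to 0 (root).
wrong_owner() {
    find "$1" -xdev ! -user "${2:-0}" -print 2>/dev/null
}

# wrong_owner_count ROOT [EXPECTED_UID]
# Prints the number of such paths as a bare integer (0 when the tree is clean).
wrong_owner_count() {
    wrong_owner "$1" "${2:-0}" | wc -l | tr -d ' '
}

# audit_system_dirs [EXPECTED_UID]
# Runs the check over the directories the article names and prints a
# per-directory count. Returns 1 if any directory has mismatches, so it can
# serve as a post-deploy health check (e.g. before and after package updates).
audit_system_dirs() {
    uid="${1:-0}"
    status=0
    for d in /etc /usr /boot; do
        [ -d "$d" ] || continue
        n=$(wrong_owner_count "$d" "$uid")
        printf '%-6s %s path(s) not owned by uid %s\n' "$d" "$n" "$uid"
        [ "$n" -eq 0 ] || status=1
    done
    return $status
}

# Stand-alone use: ./audit.sh --audit   (exit status 1 means mismatches found)
if [ "${1:-}" = "--audit" ]; then
    audit_system_dirs
fi
```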
Npm is the de-facto package manager for small, medium, and large-scale JavaScript projects alike. Npm is bundled with Node.js, and is also the largest package registry on the Internet, hosting libraries and plugins for Node.js, Ember, jQuery, Bootstrap, React, Angular, and many other JavaScript frameworks. You won't find a JavaScript developer who doesn't use it nowadays.
Comments
GT500 - 1 month ago
Thanks for reminding me to make sure that garbage isn't installed on my server. I know a lot of people love Node.js/NPM, but I can't stand them (or software that requires them).
_LC_ - 1 month ago
Reinstallation of the whole system? This sounds a bit harsh to me.
Shouldn't they be able to create a few shell scripts for the most used distributions or does this already surpass the horizon of our dear Javascript developers (you can still boot via network/stick/CD and mount the affected partitions)?
dancrumb - 1 month ago
There is no earthly reason to run npm on a production server with root authority.
Sure, it shouldn't have code that tries to chown these directories (or chmod), but anyone whose server got tanked by this only has themselves to blame.
campuscodi - 1 month ago
The npm docs tell people to use sudo, so most people think that's normal
https://docs.npmjs.com/all