1

I'm using the following code to install node:

    cd /usr/local/src/
    wget http://nodejs.org/dist/v0.10.25/node-v0.10.25.tar.gz
    tar -xvf node-v0.10.25.tar.gz
    cd node-v0.10.25
    ./configure
    make
    make install
        # node.js links to make sudo work right
    ln -s /usr/local/bin/node /usr/bin/node
    ln -s /usr/local/lib/node /usr/lib/node
    ln -s /usr/local/bin/npm /usr/bin/npm
    ln -s /usr/local/bin/node-waf /usr/bin/node-waf

The script requires root privileges, and I'm wondering if that opens up the possibility of any security holes, or anything like that. I want to install node so that all user can use it, but I don't want it to have any root privileges unless the user has them and explicitly uses them (via sudo). Same with installed npm packages.

B T
  • 57,525
  • 34
  • 189
  • 207
  • 1
    FYI: `node-waf` hasn't been used since node v0.6.x – mscdex Sep 05 '14 at 00:33
  • I cobbled this together a while back from some other source. Dunno why node-waf is in there - very well might be completely unnecessary now. – B T Sep 05 '14 at 00:42

2 Answers2

3

It's fine, and the same as when you install stuff as root using a package manager.

The binaries are written to disk with root as the owner and sensible permissions, so that people cannot overwrite them. When a user executes the binaries they are run under his account, with his privileges on the system. (unless he runs with sudo)

For a binary to have elevated privileges when a normal user runs it without sudo it needs the SUID bit set, This needs to be set explicitly. /bin/ping is an example of that:

user@dek:/bin$ ls -l /bin/ping
-rwsr-xr-x 1 root root 44168 May  7 22:51 /bin/ping

As Ignacio points out you could run most of the script unprivileged, up until 'make install' but you would have to fix the binaries owners afterwards (chown root:root ) as they would be owned by your user account who compiled (created) them.

aidanok
  • 859
  • 1
  • 7
  • 11
  • 1
    But the routines in the `install` target should use `install(1)` to actually install them, which would cause them to be owned by root regardless of who built them. – Ignacio Vazquez-Abrams Sep 05 '14 at 01:25
1

If you've verified that the tarball you've downloaded is legitimate then there should be no problem installing as root, i.e. sudo make install. Building should always be done as non-root just in case though.

Ignacio Vazquez-Abrams
  • 776,304
  • 153
  • 1,341
  • 1,358
  • And if you install as root, there are no side effects where node has root privileges even when you don't run node as root/sudo? What about npm installing (especially globally) - its not a good idea to do an `npm install` with root privileges right? – B T Sep 05 '14 at 00:44
  • An inspection of the makefile and any associated scripts should show no calls to make the executable setuid or setgid, but I can't imagine that anyone would do that without being screamed at by people that know what they're doing. – Ignacio Vazquez-Abrams Sep 05 '14 at 01:24