24

I am trying to install a npm module with:

```
sudo npm install -g now
```

However, when I try that, I get a warning:

```
Warning! Please try installing Now CLI again with the --unsafe-perm option.
Example: npm i -g --unsafe-perm now
```

This unsafe permission worries me, and I want to be clear on whether I need to follow it to fix the warning, or whether I can ignore it.

The explanation at https://docs.npmjs.com/misc/config#unsafe-perm doesn't really tell much, for me. This comment from sam-github on Mar 30, 2016 explains the implication much more clearly.

However, even after reading the two several times, I'm still unclear on what `--unsafe-perm` is doing, and what the implication is. So,

  • Default: false if running as root
  • Set to true to suppress the UID/GID switching when running package scripts.

Are the two "running"s above talking about the same thing or different things? If it is the same thing, then is it install time or run time?

All I want is to be able to

  • install it
  • and let anyone on my system use it, with the least security risk

so what should I do?

xpt

1 Answer

11

As you rightly read from unsafe-perm:

  • Default: false if running as root, true otherwise
  • Type: Boolean

Set to true to suppress the UID/GID switching when running package scripts. If set explicitly to false, then installing as a non-root user will fail.

To answer your first question:

All I want is to be able to install it

Follow the steps below.

If you’re going to use sudo to install now, you need to specify the `--unsafe-perm` option to run npm as the root account. You can also do that directly from your terminal by running:

```
sudo npm install --unsafe-perm=true -g now
```

To answer your next question:

All I want is to be able to let anyone on my system use it, with the least security risk

I will advise you to run your installation of now in root mode so that any user can use it and won't have permission to uninstall it by any means without root permission. So maybe you should disregard the regular practice.

antzshrek
  • 3
    _"Do not install modules locally with sudo. Never. It's unnecessary"_, if I don't do that, with `npm install -g now`, I'll get: `npm WARN checkPermissions Missing write access to /usr/lib/node_modules npm ERR! path /usr/lib/node_modules npm ERR! code EACCES ` – xpt Mar 03 '18 at 15:24
  • As I said, it's just a warning. Funny enough, I also sometimes use `sudo`. But as I said in my answer, you can fix the `sudo` thing by running `sudo chown -R YOUR_USERNAME /usr/lib/node_modules` from your terminal – antzshrek Mar 03 '18 at 15:36
  • 1
    Actually, I don't think all my questions are answered, especially _let anyone on my system use it_, and also _with least security risk_ – xpt Mar 04 '18 at 14:53
  • 1
    Thanks antzshrek! "_If you’re going to use sudo to install now, you need to specify the --unsafe-perm option to run npm as the root account_". So why do I have to do that? root+unsafe doesn't sound right to me. Why isn't `sudo npm install` good enough? What does `unsafe` bring that `sudo npm install` doesn't have? – xpt Mar 05 '18 at 21:14
  • You might want to read the issue you posted from https://github.com/strongloop/strong-pm/issues/334#issuecomment-203638235, it might help you understand `--unsafe`. – antzshrek Mar 07 '18 at 08:20
  • _"con: install scripts are run as root"_ and _"pro: without them, no install script can write to disk in its own module folder"_, isn't that reversed? – xpt Mar 07 '18 at 13:45
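
The documented rule quoted in this thread, modelled as an added example (not part of the question, the answer, or npm's own code): it reports which install-time scripts a package declares and which identity they would run as. The function names and the sample manifest are constructed for illustration, and the switched-to account is assumed to be npm's `user` setting with its default of `nobody`.

```javascript
// Added example: models the unsafe-perm rule quoted from the npm docs above.
// Assumption: when npm switches UID/GID it uses its `user` setting ("nobody" by default).
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Which identity do package scripts run as during `npm install`?
//   uid        - uid npm was started with (0 = root, e.g. via sudo)
//   unsafePerm - true, false, or undefined when the option is not set
function scriptIdentity(uid, unsafePerm, switchUser = "nobody") {
  const isRoot = uid === 0;
  // Documented default: false if running as root, true otherwise.
  const effective = unsafePerm === undefined ? !isRoot : unsafePerm;
  if (effective) return isRoot ? "root" : `uid ${uid}`;
  // Switching was requested, but only root is able to change identity.
  if (!isRoot) return "error: cannot switch UID/GID as non-root";
  return switchUser;
}

// List the install-time scripts a package.json declares.
function installScripts(pkgJsonText) {
  const scripts = JSON.parse(pkgJsonText).scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Combine both: what runs at install time, and as whom.
function auditInstall(pkgJsonText, uid, unsafePerm) {
  const runsAs = scriptIdentity(uid, unsafePerm);
  return installScripts(pkgJsonText).map((s) => ({ ...s, runsAs }));
}

// Constructed sample manifest (not the real package.json of `now`).
const samplePkg = JSON.stringify({
  name: "example-cli",
  version: "1.0.0",
  scripts: { postinstall: "node download.js", test: "mocha" },
});

console.log(auditInstall(samplePkg, 0, undefined));    // sudo npm install -g
console.log(auditInstall(samplePkg, 0, true));         // sudo npm install -g --unsafe-perm
console.log(auditInstall(samplePkg, 1000, undefined)); // npm install as a normal user
```

The identity applies to scripts executed while the package is being installed, not to the installed command when a user later runs it.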