Updated: 2023-09-11 22:23:46
Actually, npm does not recommend not running as root. Well, not any more.
It has changed around the same time that you asked your question. This is how the README looked on February 7, 2011: "Using sudo with npm is Very Not Recommended. Anyone can publish anything, and package installations can run arbitrary scripts." It was explained later in more detail as "Option 4: HOLY COW NOT RECOMMENDED!! You can just use sudo all the time for everything, and ignore the incredibly obnoxious warnings telling you that you're insane for doing this."
See the README at: https://github.com/isaacs/npm/tree/7288a137f3ea7fafc9d4e7d0001a8cd044e
Now it is actually considered a recommended technique of installing npm:
Simple Install - To install npm with one command, do this:
curl http://npmjs.org/install.sh |sudo sh
My advice would be to never do it because it means basically this:
As you can see this is really, literally, with no exaggeration giving root shell to whatever you get after asking for a script from the Internet over an insecure connection with no verification whatsoever. There are at least 5 different things that can go wrong here, any of which can lead to an attacker taking total control over your machine:
Also note that using 'sh' instead of 'sudo sh' is usually not any less risky unless you run it as a different user who doesn't have access to your private data, which is usually not the case.
You should use HTTPS connections if available to download such scripts so you could at least verify who you are talking to, and even then I wouldn't run it without reading first. Unfortunately npmjs.org has a self-signed certificate so it doesn't really help in this case.
Fortunately npm is available on GitHub, which has a valid SSL certificate and from where you can download it using a secure connection. See: github.com/isaacs/npm for details. But make sure that npm itself doesn't use insecure connections to download the files that it downloads - there should be an option in npm config.
Hope it helps. Good luck!
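The safer procedure the answer describes (fetch over HTTPS only, read the script before running it, and check that npm itself talks to its registry over HTTPS) is shown below as an added example; it is not part of the original answer and not npm's own installer. The URL and the expected SHA-256 digest in main are placeholders: a real digest would be obtained out of band (from the project's release page or signed release notes), never from the same download.

```shell
#!/bin/sh
# Added example, not from the original answer. Downloads an installer over
# HTTPS only, pins it to a checksum obtained out of band, and leaves the
# decision to run it to a human who has read it.
set -eu

# Fetch strictly over HTTPS: refuse plain-http URLs and plain-http redirects
# (--proto / --proto-redir exist in curl 7.20+), and require TLS 1.2 or newer.
fetch_https() {
    url=$1
    out=$2
    curl --fail --silent --show-error \
         --proto '=https' --proto-redir '=https' --tlsv1.2 \
         --output "$out" "$url"
}

# Compare a file's SHA-256 with the expected hex digest; returns non-zero on
# mismatch. Uses coreutils sha256sum (on macOS substitute `shasum -a 256`).
verify_sha256() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# True only if the given registry URL uses https://. Intended to be fed the
# output of `npm config get registry`, e.g.
#   registry_is_https "$(npm config get registry)" || echo "registry is not HTTPS"
registry_is_https() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

main() {
    # Placeholder values: replace with the real script URL and its published digest.
    url="https://example.invalid/install.sh"
    expected="0000000000000000000000000000000000000000000000000000000000000000"
    out=$(mktemp)

    fetch_https "$url" "$out"
    if ! verify_sha256 "$out" "$expected"; then
        echo "checksum mismatch for $url; not running it" >&2
        rm -f "$out"
        exit 1
    fi

    # Deliberately no `sh "$out"` here: the script is saved for review first.
    echo "downloaded and verified: $out"
    echo "review it (e.g. less $out) and then run it yourself as the user you intend"

    if ! registry_is_https "$(npm config get registry 2>/dev/null || true)"; then
        echo "warning: npm registry is not configured for https://" >&2
    fi
}

# Only run the download when explicitly asked, so the functions can be sourced.
if [ "${RUN_FETCH_EXAMPLE:-0}" = "1" ]; then
    main "$@"
fi
```

Run with `RUN_FETCH_EXAMPLE=1 sh fetch.sh` after filling in the URL and digest. The point of saving to a file rather than piping into `sh` is that the verification and the review happen before anything executes, and the checksum comparison catches a server that serves different content to curl than to a browser.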