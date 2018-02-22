Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Botched npm Update Crashes Linux Systems, Forces Users to Reinstall (bleepingcomputer.com) 182

Catalin Cimpanu, reporting for BleepingComputer: A bug in npm (Node Package Manager), the most widely used JavaScript package manager, will change ownership of crucial Linux system folders, such as /etc, /usr, /boot. Changing ownership of these files either crashes the system, various local apps, or prevents the system from booting, according to reports from users who installed npm v5.7.0. -- the buggy npm update. Users who installed this update -- mostly developers and software engineers -- will likely have to reinstall their system from scratch or restore from a previous system image.

  • LOL (Score:5, Funny)

    by ArchieBunker ( 132337 ) on Thursday February 22, 2018 @03:53PM (#56171213) Homepage

    A shitscript package manager that does a chmod of /etc and /boot? This thing had to have been written by that Poettering asshole.

    • Re:LOL (Score:4, Funny)

      by RightwingNutjob ( 1302813 ) on Thursday February 22, 2018 @03:55PM (#56171227)
      I'm guessing 'ownership' is too racist, capitalist, and phalocentric to be a valid concept in filesystem design form much longer.

    • A shitscript package manager that does a chmod of /etc and /boot? This thing had to have been written by that Poettering asshole.

      More likely someone whose main development platform is Windows.

      • Re: (Score:1)

        by Anonymous Coward

        A shitscript package manager that does a chmod of /etc and /boot? This thing had to have been written by that Poettering asshole.

        More likely someone whose main development platform is Windows.

        Considering the amount of developers (and slashdot readers) that have very little grasp of operating system concepts like file permissions this is not a given.

    • The thing sucks so bad. I've had a few things that required npm... everyone pretends it's like apt or yum that grab everything you need if you install from a proper repo... npm has never gotten all the dependencies on a fresh clean host for any project I've installed.

    • Re: (Score:2)

      by AmiMoJo ( 196126 )

      How come a script can adjust permissions on critical system directories?

      It's always seemed a bit odd that Linux runs stuff like this as the superuser who can basically do anything. No granularity, no account just for installing JavaScript (!) packages... It's like Windows XP again.

  • Rescue mode (Score:5, Informative)

    by Camel Pilot ( 78781 ) on Thursday February 22, 2018 @03:54PM (#56171217) Homepage Journal

    If it is a file permission issue... boot from install disk into rescue mode... chmod and reboot. I don't get it.

    • Well, it does get complicated if you don't know what the hell exactly has changed. That said, the "reinstall when broken" mindset has been heavily imported by developers who only know one specific system.
      • Namely, Windows.

        • Re: Rescue mode (Score:1, Funny)

          by Anonymous Coward

          It's funny because windows almost always automatically recovers from problems these days. It's literally generations ahead of Linux unfortunately and osx.

          I guess it's because they had lots of mistakes to learn from

          • Re: (Score:1)

            by Anonymous Coward

            It's funny because windows almost always automatically recovers from problems these days. It's literally generations ahead of Linux unfortunately and osx.

            +5 Funny.

            I'm guessing you haven't run updates on Windows 10 before.

          • Haha, hahahahaha, haaaahahahahaha.

            In Windows you can indeed change boot file permissions and the system won't care a bit because everything ignores or is capable of ignoring it. That is wrong.

            Also, recovery is easy for Linux, you can chroot and apt reinstall everything or manually recover permissions. Windows has no package manager much less repair installed applications.

            • Re: (Score:2)

              by HiThere ( 15173 )

              Yes, but I've had problems before where different sub-directories had different permission requirements. Sometimes reinstalling is easier than tracking down every change, especially if you've got decent backups.

        • windows has better group permissions and multi user ones.

          • Re: (Score:1)

            by sjames ( 1099 )

            Not really. It's just that a lot of Unix people don't use/know about ACLs in Linux. try man setfacl.

            In general, you can achieve similar results using conventional unix permissions, but it takes a bit more work. You just create a group to represent a directory tree that needs to be useable by a subset of the users on the system, and then assign the relevant users to that group.

            • but how much software does it by ACL's? some from repo installs may just do it the old non ACL way.

              • Re: (Score:2)

                by sjames ( 1099 )

                Other than the system tools, why should it be up to the software to deal with it at all?

                I use ACLs in a few situations and take care of the apps that don't even know ACLs exist (all of them) using default ACLs on the relevant directories.

            • "Not really. It's just that a lot of Unix people don't use/know about ACLs in Linux. try man setfacl.

              In general, you can achieve similar results using conventional unix permissions, but it takes a bit more work.
              "

              In practice it really only comes up in a small subset of use cases.

              • Granted, but that's not necessarily a good argument. Standard Unix permissions provide a fairly limited set of abstractions. You have groups, users, and anyone; read, write, and execute; and a few other flags. It's concise, capable of expressing anything you like, and very efficient. One can say the same thing about assembly code. In both cases, having better abstractions is necessary, and the most important factor is the amount of time required by the various developers. And on that note, I must say that I

          • setfacl -m u:joe_dragon:rwx filename
            setfacl -m u:joe_nobody:rx filename

      • In general most developers don't really know any system. How do you think devops came to be.

        • Re: (Score:2)

          by sfcat ( 872532 )

          In general most developers don't really know any system. How do you think devops came to be.

          Just shut up and run this bash script to start the system, you lowly op. And quit trying to show that you know nothing about software architecture...

    • Re: (Score:1)

      by Anonymous Coward

      Not always easy if the change was recursive from /. With RHEL at least you can fix most of it with rpm, but it doesn't get everything and something is always missed.

      • Re: (Score:2)

        by plopez ( 54068 )

        And of course 3rd party and custom utilities installed there will not be recovered.

      • Not an issue though since you've got auditing enabled and could always check against your backup... you DO have a backup right?

    • Re:Rescue mode (Score:5, Informative)

      by RightwingNutjob ( 1302813 ) on Thursday February 22, 2018 @04:02PM (#56171267)
      Maybe. But the point is it's not acceptable to fuck up users' machines and make them go through all that work to fix it.

      More precisely, I don't know exactly what should be readable by all vs readable by certain groups vs readable by root only in /usr and especially in /etc. I could very well leave my machine's private keys readable by all by mistake. That's a lot of work to track down. So I'd need to reinstall to ensure that it's all correct and I'm not leaving any holes.

      I say again: It's not acceptable to make your users go through that work. And I also say again: automatically and implicitly trusting package maintainers to do the right thing is awful security policy and awful from a reliability standpoint. All updates should be tested before they are deployed. For home users this isn't practical and we have to rely on the distros to do this for us. Trust breaks down severely when fuckups like this go through and it lends credence to people who don't update their software automatically on the grounds mentioned above. This is bad when actual security fixes need to be deployed out, and it's all the more crucial for ALL software maintainers in OSS to make sure their shit works. Trust is the currency of OSS, and unlike dollars, you can't get some more by going to the bank, you have to earn it.
    • I'll bet there will be a script to fix this before dinner.

    • Re:Rescue mode (Score:4, Interesting)

      by Dracos ( 107777 ) on Thursday February 22, 2018 @04:37PM (#56171559)

      The people most likely to be using npm, and an apparently untested bleeding-edge version of it that gets pushed out automagically (there's a separate bug that pushed out 5.7.0 prematurely), deserve this rancid dog food. This is incontrovertible proof that the JS community lacks competence and leadership.

    • No,
      there are varied permissions in my etc folder
      not everything is owned by root:root
      do you know off the top of your head the permissions of all files and folders in /etc,
      good on you.

    • Re: (Score:2)

      by jrumney ( 197329 )
      If it has chmod -R a whole hierarchy to its own preferred universal permission (formerly 777 which noone noticed, but one of the devs read a blog about security and changed it to 600 for this release), then putting back the original permissions for all the thousands of files and directories is a major task. You basically need to install another system as a reference to copy the permissions from, so you might as well reinstall everything.
    • Yeah it's not like the bumblebee sudo rm -rf /usr bug. Now THERE was an update that needed a reinstall!

      https://github.com/MrMEEE/bumb... [github.com]
  • I remain of the opinion that none of those "language specifically package managers" have no place on Linux systems. They should use the operating systems package managers and tools.

    • Good luck with that. Having a packafing system for a language allows consistency across platforms. Otherwise you're at thw mercy of the platform team, or you have to maintain separate packages for platforms woth different release and maintenance cadences.

      • Re: (Score:1)

        by Anonymous Coward

        Just as the all powerful and all knowing neck-beards intended!
        If it can't be written in awk, sed, bash or perl, does it need to be written at all?

    • Re:I remain of the opinion... (Score:5, Informative)

      by BlueLightning ( 442320 ) on Thursday February 22, 2018 @04:05PM (#56171287) Homepage Journal

      I'd recommend watching this talk:

          https://www.youtube.com/watch?... [youtube.com]

      or if you prefer, the excellent-as-usual LWN summary:

          https://lwn.net/Articles/71231... [lwn.net]

      I don't like the language-specific package manager situation either, but the way these languages split things up does not lend itself well to the distro packaging model either unfortunately.

      • Re: (Score:3)

        by Junta ( 36770 )

        Eh, not really, except *maybe* the rust situation, but even that has been accommodated (by having the major version of a package embedded in the name of the package).

        First, the general answer that 'locks on to versions' is a recipe for security and bug nightmares. In that universe, no longer is it feasible for a foundational library to fix the problems they caused all on their own, becuase the apps statically linked. An openssl tweak means the world has to be rebuilt becuase everyone baked it in instead o

    • Re:I remain of the opinion... (Score:5, Insightful)

      by PPH ( 736903 ) on Thursday February 22, 2018 @04:09PM (#56171329)

      This.

      Or nothing other than the system package manager should run as root. Create a top level sub directory and a product specific user/group. And then let it run in it's own file space as its own user. There is very little on a *NIX system that HAS to be owned by root. As long as it's readable and executable by all, that's good enough.

      • Indeed. Install as Root is the killer of both *nix and Windows. What is the point of having a permission system if every program we run needs to have root on install.

        IOS taught us the right way. That we should be able to install third party software and not give it complete control of our systems. Well, almost...

      • The macOS package manager Homebrew (http://brew.sh [brew.sh]) has some flaws but one of my favorite features is that it operates entirely within its own tree at /usr/local/Homebrew. Installing the package manager in the first place requires root to gain permission to write in /usr/local but after that, all operations are done at user permission levels.

    • Re: (Score:2)

      by Dracos ( 107777 )

      Some npm packages are as little as 7 lines of code... they have more metadata than content. Do you really want all that (350,000 packages as of January 2017) cluttering up your OS-level package manager?

      • Re: (Score:2)

        by Junta ( 36770 )

        That's a problem in and of itself. There's no sane reason for such a small function to be a library all it's own, rather than coordinated in a larger, cohesive project.

        • Re: (Score:2)

          by Dracos ( 107777 )

          JS kiddies take DRY to previously unfathomable heights of zealotry, and can't abide including code they don't need. Their eternal quest for perfect code mass optimization explains a lot of the problems with how JS has evolved.

    • I remain of the opinion that none of those "language specifically package managers" have no place on Linux systems. They should use the operating systems package managers and tools.

      Language specific package managers have a place on Linux systems? !!true

    • Re: (Score:2)

      by Junta ( 36770 )

      Note that I agree with you, however people going after copr or ppa sorts of repositories have equal amounts of ability to screw over a system. The general impatience that leads to using the free0for-all package manager associated with a language will also lead to a free-for-all of yum/apt repositories.

      Of course, the quality of rollback solutions is higher with the distro manage, hence my agreeing with you, but the problem is still complex beyond just using the crappier package management.

  • node.js is malware (Score:1)

    by Anonymous Coward

    Another good example of why millenial hipsters have a lot to learn. While javascript outside a browser isn't the core problem here, it's a symptom of the problem. Another symptom of that same problems is a package manager that does idiotic stuff like this, and apparently needs more than userspace perms to run?

  • If one knows the correct permissions, you could just change them back (via grml or so).

    That said, this is bad. It underlines related issues of the apparently bad package management situation we're in. Why can I not install all my software through a good package manager? GNU Guix?

  • Fix Already Out (Score:1)

    by Anonymous Coward

    Fix [dragonflybsd.org] available now.

  • Ugh (Score:4, Informative)

    by i_ate_god ( 899684 ) on Thursday February 22, 2018 @04:53PM (#56171715)

    1. There is no reason to run a language-specific packager as root, whether npm, pip, composer, maven, etc. Either the package manager makes packages available to the user in $HOME, or there exists some kind of virtual environment tool. Use them.
    2. Why is NPM chowning anything?
    3. Read the thread, the attitudes there are unfortunate to say the least. A new version of NPM is provided when using NPM to upgrade itself without any arguments, and it grabs a "pre-release" version without warning? The version number is 5.7.0, not 5.7.0-beta or 5.7.0-rc1 or whatever. The NPM people violated semver. So there was no obvious way to know this is not an official release.

    • chown? (Score:2)

      by v1 ( 525388 )

      Users who installed this update -- mostly developers and software engineers -- will likely have to reinstall their system from scratch or restore from a previous system image.

      Maybe those "developers" and "engineers" need to learn how to fix their systems with the super-advanced CHOWN command, instead of reinstalling??

  • What is not mentioned in the summary is that the bug only shows up when using sudo.

    Sudo is a nightmare, both technically and psychologically (strangely, it's seems easier to run 'sudo npm' or 'sudo fuck_me' than running the same commands when logged in as root).

    It makes me laugh any time when I try to build some shitty program (inside a vm, of course), and more often than not, it tries to run 'sudo' from the install rule and trash over my system by writing and overwriting files inside /usr and /etc, and ign

    • Re: (Score:1)

      by Anonymous Coward

      Good luck. You're going to get downvoted to hell with that kind of talk :) The sudo / debian cancer is everywhere. This is the same class of people who think doing things like:

      curl http://foo.bar.com/install.sh | sh -

      Is completely acceptable. The same class of people who fail to understand the difference between /usr/bin and /bin, basic understanding of UNIX permissions, or group ownership. Wouldn't at all surprise me if "docker" is proposed as a solution.

      Fun link : https://github.com/nodejs/securi

      • Re: (Score:3)

        by Junta ( 36770 )

        It's really ubunutu that popularized sudo as 'the way'.

        To be fair, the order of the day prior to that was that people logged in as root to avoid the hassle, sudo is better than that.

        To those suggesting 'su is better' or 'ssh root@localhost' is better, any popularized approach would ultimately land in the same land of abuses.

        Of course unless you setup sudo :NOPASSWD, that's just stupid and not the way any of those things come by default.

    • My first command when doing admin stuff is usually "sudo -i" to get me a root user shell. Repeatedly typing "sudo" is a waste of 5 keystrokes.

  • NPM - Noiseless Penguin Murderer (Score:1)

    by Anonymous Coward

    ;-]

  • mtree(8) (Score:3)

    by MavEtJu ( 241979 ) <slashdot@NoSpAM.mavetju.org> on Thursday February 22, 2018 @07:52PM (#56173067) Homepage

    NAME
              mtree -- map a directory hierarchy

    SYNOPSIS
              mtree [-LPUcdeinqruxw] [-f spec] [-f spec] [-K keywords] [-k keywords]
                          [-p path] [-s seed] [-X exclude-list]

    DESCRIPTION
              The mtree utility compares the file hierarchy rooted in the current
              directory against a specification read from the standard input. Mes-
              sages are written to the standard output for any files whose character-
              istics do not match the specifications, or which are missing from
              either the file hierarchy or the specification.

    1. Why is root involved? NPM can be installed and used without requiring root.
    2. The issue comes in to play because NPM makes packages available as commands in the system by by PATH. Perhaps they should change this and provide instructions on how to modify PATH to include the bin directory node creates when users install packages globally. At the least, it would have been half-way responsible to craft an installer that does all the setup work for users, requiring root once to run the script that adds PATH vars

  • Always requiring the latest version of everything (Score:3)

    by jrumney ( 197329 ) on Thursday February 22, 2018 @11:10PM (#56173997)

    This is why I always reject anything that has requirements that I install the latest version of everything and use a language specific package manager to manage dependencies. Javascript packages seem the worst for the "bleeding edge" requirement, but Java, PHP, Python, Ruby and even Perl have long had issues with requiring the language specific package manager to be used.

    If my distro maintainers have not packaged it and tested to the level that the rest of the OS gets tested, then it has no place on my server.

  • This explains a lot. A couple weeks ago I was complaining about having to build a Javascript app written using Babel and NodeJS. The build was designed to automatically check for and download the latest version of all packages with NPM before building. After the inevitable swath of updates, things were so broken beyond repair that even re-installing all the packages didn't fix the build system. The only way I was able to get anything to build again was by resetting my VM image and reinstalling from scra

