Paweł Grzybek

Fix privileges and never again use sudo with npm

Nah! Don’t do it! I published this article years ago. It was the solution provided by the npm team at the time of writing. Please use nvm or brew instead.

We have a few options for installing Node and npm. Using Homebrew is the safest and recommended way to do it. Another safe option is Node Version Manager (nvm). A third method is the installer available on the official Node website. It is the most obvious and the easiest one, but not necessarily the safest. Fortunately there is a very easy fix.

If you used the installer, you need superuser privileges whenever you want to install a package globally. For example:

sudo npm install -g grunt-cli

At first glance there is nothing wrong with that command, right? Even the official Grunt documentation says:

You may need to use sudo (for OS X, *nix, BSD etc) or run your command shell as Administrator (for Windows) to do this.

Actually, it is a very dangerous thing. A friend recently pointed this out to me, so I started investigating the problem and found an amazing article by Gastón I. Silva, “Do not sudo npm”.

You should not run applications with root privileges if it's not necessary. Node and npm can do their work just perfectly fine without admin powers. If you are running a server with root privileges and it gets hacked through a vulnerability in your code, the attacker will have total control over your machine.

We don’t need trouble. We need to change the ownership of a few folders on our machine. The procedure is very simple and is clearly explained in one of the videos on the official npm documentation website. Open Terminal and type:

sudo chown -R $(whoami) /usr/local/lib/node_modules
sudo chown -R $(whoami) /usr/local/bin
sudo chown -R $(whoami) /usr/local/share

These few lines are very straightforward. They change the owner of the listed directories from root to your user name. The -R flag stands for ‘recursively’, which means it changes ownership of the given directory and of all directories and files inside it.
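A read-only check to run before or after the commands above, added here as an example and not part of the original article or npm's documentation: it counts entries under the three directories that are not owned by root and lists setuid/setgid files, whose ownership a recursive chown would also change. The function names and the AUDIT_OWNER variable are made up for this example.

```shell
#!/bin/sh
# Added example: read-only ownership audit. Nothing here modifies the filesystem.
# ARTICLE_DIRS holds the three paths the article passes to chown -R.
ARTICLE_DIRS="/usr/local/lib/node_modules /usr/local/bin /usr/local/share"

# List entries under DIR that are NOT owned by OWNER (name or numeric uid).
# OWNER defaults to root; a missing DIR produces no output.
not_owned_by() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || return 0
    find "$dir" ! -user "$owner" -print 2>/dev/null
}

# List setuid/setgid regular files under DIR. These programs depend on
# who owns them, so they are the first thing to review around a chown -R.
special_bit_files() {
    [ -d "$1" ] || return 0
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Count non-empty lines on stdin (prints 0 when there are none).
count_lines() { grep -c . || true; }

# Print one line per directory: "<dir> not_owner=<n> special=<m>".
# AUDIT_OWNER (hypothetical variable) overrides the expected owner.
audit_summary() {
    expected=${AUDIT_OWNER:-root}
    for d in "$@"; do
        n=$(not_owned_by "$d" "$expected" | count_lines)
        m=$(special_bit_files "$d" | count_lines)
        echo "$d not_owner=$n special=$m"
    done
}

# Report on the paths given as arguments, or on the article's three directories.
if [ "$#" -gt 0 ]; then
    audit_summary "$@"
else
    # Unquoted on purpose: ARTICLE_DIRS is a space-separated list.
    audit_summary $ARTICLE_DIRS
fi
```

A non-zero `not_owner` count after the chown is the set of files that any process running as your user can now overwrite.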

Enjoy using npm without ‘sudo’ now.

Comments

  • ShuMo

    Can one undo a sudo npm install?

    • Pawel Grzybek

      Yeah, that is not a problem. Essentially, if you install things using sudo, the owner of the installed package is root (admin). The method provided above will change the owner from root to you (it's kind of an undo for sudo). Additionally, all future installations should be processed without sudo.

      • ShuMo

        Got it!
        It seems clear sudo should be avoided but it's harder to find alternative strategies to overcome permission restrictions. I'm trying to do things 'properly' with ruby gems as well and things there don't seem as clear as the npm video you link to.

        • Pawel Grzybek

          I'm really sorry but I can't help you at all with Ruby. The only ruby-based packages that I use are: jekyll and scss_lint. After updating my OS to El Capitan I struggled even with these two. Eventually I found a way to install them, and it finally works.


          sudo gem install -n /usr/local/bin jekyll

  • Dmitri

    There are fortunately better ways now:

    https://github.com/sindreso...

    • Pawel Grzybek

      Yeah, you're right. It's definitely a better option when you share a computer with other users. If you are the only user of your machine it doesn't really matter. My way is suggested in the npm docs. Thanks for sharing the link.

      • Dmitri

        Even if you don't share, it is still better. I've been using the other solution for a few years and had too many problems with messed-up permissions. Plus you are messing with your system folders, which is never a good idea. Never had problems since I switched to my local directory - so simple!

        • Pawel Grzybek

          I can imagine that I'm not as experienced a Node user as you are. My requirements are probably not that high either. I'll bear your advice in mind. Thanks again.

          • Dmitri

            You're welcome. I'm not that experienced either, though, but happy to share.

    • OzzyLovesBabyShampoo

      Is that better than these steps? https://johnpapa.net/how-to...

      • Pawel Grzybek

        It is not better or worse. It is different. This one just changes permissions on the current folder. The solution from your link uses node and npm installed via brew. This problem shouldn't apply to npm from brew, as its core concept is to install and link software in the correct location so that you don't have to deal with permissions at all.

        So. My solution works for node and npm installed via the installer. Your link requires other software and shows an alternative way of installation. Brew is amazing by the way.

        I use npm and node from brew now. It's cool and easy to update and no permissions issues.

        • OzzyLovesBabyShampoo

          Brew might be amazing, but I have no idea how to use it. I'm just trying to install Gulp. Thanks for your response.

          • Pawel Grzybek

            One day I will write a basic primer to brew. Great idea :)

      • Dmitri

        It was written after and gives many technical details for hacking but IMO misses one important point: The easiest way to install Node on Mac is not via homebrew but by basic direct downloading. Also I am not a fan of deleting package files manually.

        I have written an answer on SO on the subject, also mentioning other sources:

        http://stackoverflow.com/qu...

        • OzzyLovesBabyShampoo

          Thanks. Funny enough, I followed John Papa's steps in my link above, but then ended up uninstalling Homebrew since Gulp wasn't working right at all. And then I installed Gulp simply with sudo. After wasting 4 hours trying to install Gulp without sudo, I got Gulp working in under 5 minutes with sudo and was well on my way to finally figuring out how to use Gulp. Infuriating.

          When I bounce around different links like these (recommended by a SitePoint Premium tutorial on Front End development, btw), I quickly realize that the comments sections on all these articles are FULL of people more advanced than me who are just blindly copy-pasting whatever anyone tells them to try. This is such a moronic way to work. Why hasn't Microsoft or Apple created a simple installer for build tools that actually works without so much wasted time? CodeKit had the right idea and I think at this point there are enough examples out there with Gulp and Webpack that any big company knows what they need to do.

          • Dmitri

            Yes, you get it under 5 min this time and few times more until you won't. If J. Papa guide doesn't let you do it fast, don't use it. Look at the SO link I gave and links there. Ask there if you have more questions. But don't let that "sudo worm eat you", it will haunt you. ;)

            Also homebrew has some hacky sides, it is not for everyone. You don't need it for Node.

  • Greg

    There's a difference between root owning files and a "server running with root privileges".

    The ownership of the process is determined by who runs the executable, irrespective of the owner of the file.

    If you sudo the npm install, the installation scripts have root privs - a security risk. You're running someone else's code as root. But the installed executables will run with the permissions of whoever runs them.

    Conversely, if you set permissions of your global NPM package dir to yourself, so that you don't have to sudo install, then anything malicious run by you can change the content of binaries - a security risk. That's why binaries in *nix are usually owned by root, but with global read and execute permissions.

    So, there are security risks with both schemes.

  • PTK65

    Wait, you're suggesting people should make directories in /usr owned by them????? Man, just take this article down please. You're telling people to break their machines.

    • Pawel Grzybek

      Hi @ptkuxko.

      I'm not asking people to change the permissions recursively on the whole /usr directory. Just three folders in there. What is the potential danger of doing that?

      Actually it is not the hack that I thought of and I published a post about it. This is a way recommended in official npm documentation...

      https://docs.npmjs.com/gett...

      • Dingus

        It would be immensely better to recommend to change the path to a directory in your user's home. What happens if another user on that computer wants to use npm?

        • Pawel Grzybek

          Hi. You are totally right! This solution works for a single user. Actually, now I would recommend using node installed from brew, which gives you the right permissions for stuff automatically.

    • KniL

      I break sudo thanks to this guide :)

  • KniL

    I break sudo thanks to this guide, congratulations

  • Precious1519

    https://uploads.disquscdn.c... I've never had a beard and don't know if I like it, but it's growing on me. I'll go now.

  • Joseph Rautenbach

    Please, please don't do this. You'll likely break sudo and have to reinstall: https://askubuntu.com/quest...

    • Pawel Grzybek

      Hi.

      You are right. This is an old post and that was the suggestion provided by the npm team at the time of writing this article. For macOS users I would suggest using nvm or a brew node installation, which does all the privileges right out of the box.

      Thanks for your input.

  • MegamanXGold

    I wish I read the comments before I followed the guide. It didn't fix my problem at all, and I have no idea what I might have broken now.

    • Pawel Grzybek

      I am happy to help you out with this one. Do you use macOS or Linux?

      • MegamanXGold

        Hello, thank you. I believe I used a command like hash -r, which refreshed some kind of program cache and got it working again. Restarting my VM might also have worked. Perhaps this guide helped more than I thought, and my sudo isn't broken. Not that I'm recommending anything the community deems unsafe, but npm is working again, and without sudo.
