You are not logged in.
- Topics: Active | Unanswered
#1 Today 05:03:23
- furrykef
- Member
- From: Oklahoma City, USA
- Registered: 2024-02-25
- Posts: 15
PKGBUILD issue: file installed by npm has wrong owner
This is a minimal PKGBUILD to demonstrate the issue:
pkgname=fakepkg
pkgver=0.0
pkgrel=1
pkgdesc='Not a real package'
arch=('any')
makedepends=('npm')
package() {
npm install -g --prefix "$pkgdir/usr" vectra@0.2.2
}Run `makepkg`, then run `namcap *.zst`. You should get the following error:
fakepkg E: File (usr/lib/node_modules/vectra/bin/vectra.js) is owned by furrykef:furrykefObviously, the offending uid and gid will be different, but the message should otherwise be the same. Several files will be packaged, but only this one file in the package will have the problem. I have no idea why.
Not every package installed by npm has this issue. In fact, most don't. But there are nonetheless others that do, such as wavefile@11.0.0. I ran into the issue while trying to package a program that happens to have vectra and wavefile as dependencies (specified via the program's package.json rather than in the PKGBUILD like this).
You can work around the issue by chowning everything in "$pkgdir/usr/lib/node_modules" to root:root after running npm, but this step is easily missed and shouldn't be necessary.
Offline
#2 Today 19:02:37
- furrykef
- Member
- From: Oklahoma City, USA
- Registered: 2024-02-25
- Posts: 15
Re: PKGBUILD issue: file installed by npm has wrong owner
I'm surprised this has no replies yet. It could potentially be a sign of a serious security issue. Something appears to be wrong with one of makepkg, fakeroot, or npm, because this shouldn't be happening, and when it happens, the affected files can be overwritten by any program.
Last edited by furrykef (Today 19:03:13)
Offline
#3 Today 19:04:27
- Scimmia
- Fellow
- Registered: 2012-09-01
- Posts: 12,252
Re: PKGBUILD issue: file installed by npm has wrong owner
As you didn't give a working, reproducible example, meh.
Offline
#4 Today 19:30:20
- furrykef
- Member
- From: Oklahoma City, USA
- Registered: 2024-02-25
- Posts: 15
Re: PKGBUILD issue: file installed by npm has wrong owner
What do you mean? You followed the steps I provided and didn't reproduce the error? What's the namcap output?
Offline
#5 Today 21:50:59
- yochananmarqos
- Member
- Registered: 2020-02-05
- Posts: 213
Re: PKGBUILD issue: file installed by npm has wrong owner
Have you tried using the source tarball specifically as mentioned in Nodejs package guidelines?
For example (only relevant arrays and functions):
pkgname=nodejs-vectra
_pkgname=${pkgname#nodejs-}
pkgver=2.2
package() {
npm install -g --prefix "${pkgdir}/usr" "${srcdir}/${_pkgname}-${pkgver}.tgz"
}Offline