You are not logged in.
- Topics: Active | Unanswered
#1 2025-01-17 05:03:23
- furrykef
- Member
- From: Oklahoma City, USA
- Registered: 2024-02-25
- Posts: 17
PKGBUILD issue: file installed by npm has wrong owner
This is a minimal PKGBUILD to demonstrate the issue:
pkgname=fakepkg
pkgver=0.0
pkgrel=1
pkgdesc='Not a real package'
arch=('any')
makedepends=('npm')
package() {
npm install -g --prefix "$pkgdir/usr" vectra@0.2.2
}Run `makepkg`, then run `namcap *.zst`. You should get the following error:
fakepkg E: File (usr/lib/node_modules/vectra/bin/vectra.js) is owned by furrykef:furrykefObviously, the offending uid and gid will be different, but the message should otherwise be the same. Several files will be packaged, but only this one file in the package will have the problem. I have no idea why.
Not every package installed by npm has this issue. In fact, most don't. But there are nonetheless others that do, such as wavefile@11.0.0. I ran into the issue while trying to package a program that happens to have vectra and wavefile as dependencies (specified via the program's package.json rather than in the PKGBUILD like this).
You can work around the issue by chowning everything in "$pkgdir/usr/lib/node_modules" to root:root after running npm, but this step is easily missed and shouldn't be necessary.
Offline
#2 2025-01-17 19:02:37
- furrykef
- Member
- From: Oklahoma City, USA
- Registered: 2024-02-25
- Posts: 17
Re: PKGBUILD issue: file installed by npm has wrong owner
I'm surprised this has no replies yet. It could potentially be a sign of a serious security issue. Something appears to be wrong with one of makepkg, fakeroot, or npm, because this shouldn't be happening, and when it happens, the affected files can be overwritten by any program.
Last edited by furrykef (2025-01-17 19:03:13)
Offline
#3 2025-01-17 19:04:27
- Scimmia
- Fellow
- Registered: 2012-09-01
- Posts: 12,457
Re: PKGBUILD issue: file installed by npm has wrong owner
As you didn't give a working, reproducible example, meh.
Offline
#4 2025-01-17 19:30:20
- furrykef
- Member
- From: Oklahoma City, USA
- Registered: 2024-02-25
- Posts: 17
Re: PKGBUILD issue: file installed by npm has wrong owner
What do you mean? You followed the steps I provided and didn't reproduce the error? What's the namcap output?
Offline
#5 2025-01-17 21:50:59
- yochananmarqos
- Member
- Registered: 2020-02-05
- Posts: 213
Re: PKGBUILD issue: file installed by npm has wrong owner
Have you tried using the source tarball specifically as mentioned in Nodejs package guidelines?
For example (only relevant arrays and functions):
pkgname=nodejs-vectra
_pkgname=${pkgname#nodejs-}
pkgver=2.2
package() {
npm install -g --prefix "${pkgdir}/usr" "${srcdir}/${_pkgname}-${pkgver}.tgz"
}Offline
#6 2025-01-18 01:57:58
- furrykef
- Member
- From: Oklahoma City, USA
- Registered: 2024-02-25
- Posts: 17
Re: PKGBUILD issue: file installed by npm has wrong owner
I posted a minimal PKGBUILD in the OP because I was taught to always post a minimal example that reproduces the issue when reporting an issue. Since there seems to be some confusion, though, I'll post the actual PKGBUILD that this is for:
pkgname=sillytavern
pkgver=1.12.10
pkgrel=1
pkgdesc='LLM front end for power users'
arch=('any')
url='https://github.com/SillyTavern/SillyTavern'
license=('AGPL-3.0-only')
depends=('nodejs')
makedepends=('npm')
source=("https://registry.npmjs.org/$pkgname/-/$pkgname-$pkgver.tgz")
noextract=("$pkgname-$pkgver.tgz")
b2sums=('43eeaf24736fd3fb8c086c0f7551bad383ce4323c4de6f22baf33dbd9150545237d5bb8142fe80aec566727be52b7dfcaaf2426c0813f9696a8e96d21ca30686')
package() {
npm install -g --prefix "$pkgdir/usr" "$srcdir/$pkgname-$pkgver.tgz"
}This PKGBUILD is WIP and the program it installs does not run without some adjustments, but this should otherwise qualify as a complete and valid PKGBUILD. If you run namcap on the resulting .zst file, you will find that it will produce exactly the same error that the minimal PKGBUILD in the OP did, which again is "File (usr/lib/node_modules/vectra/bin/vectra.js) is owned by <user>:<user>" (where <user> is the name of the user who ran makepkg).
And now it will hopefully be apparent why I simplified the PKGBUILD the way I did: the npm command here will install various packages from the npmjs repository according to SillyTavern's package.json file. That package.json file includes vectra@0.2.2, and so this command is equivalent to running `npm install -g --prefix "$pkgdir/usr" vectra@0.2.2` plus a lot of other commands that have nothing to do with the problem.
Offline
#7 2025-01-18 03:51:48
- dimich
- Member
- From: Kharkiv, Ukraine
- Registered: 2009-11-03
- Posts: 326
Re: PKGBUILD issue: file installed by npm has wrong owner
It looks like a fakeroot bug. It is reproducible without makepkg, just running npm and bsdtar in fakerooted bash.
Offline
#8 2025-01-18 04:05:48
- dimich
- Member
- From: Kharkiv, Ukraine
- Registered: 2009-11-03
- Posts: 326
Re: PKGBUILD issue: file installed by npm has wrong owner
Ah, 'npm install' sets ownership for usr/lib/node_modules/vectra/bin/vectra.js to current user. Now it doesn't look like a fakeroot bug but like a npm quirk.
Offline
#9 2025-01-18 04:15:09
- furrykef
- Member
- From: Oklahoma City, USA
- Registered: 2024-02-25
- Posts: 17
Re: PKGBUILD issue: file installed by npm has wrong owner
I had a hunch it was npm. But why is it doing that for just that file?
Offline
#10 2025-01-18 04:38:01
- dimich
- Member
- From: Kharkiv, Ukraine
- Registered: 2009-11-03
- Posts: 326
Re: PKGBUILD issue: file installed by npm has wrong owner
But why is it doing that for just that file?
I don't know, probably because it considers the file as executable.
You can fix it in PKGBUILD with
chown -R root:root "$pkgdir/usr"after 'npm install'.
Offline