Buggy update to JavaScript package manager npm is crashing Linux systems

Lee Bell
@llebeel
23 February 2018

Tweet
Facebook
Google plus
Send to

A SECURITY BUG has been found in one of the most popular JavaScript package managers, which changes ownership of crucial Linux system folders, such as ‘/etc', ‘/usr', and ‘boot', without users' permission.

Found in the Node Package Manager, or npm as it is more commonly called, the bug caused the system to crash and also cause various local apps to crash, or even prevent the system from booting if the ownership of the files is changed.

That's according to reports from users who installed a new npm update, npm v5.7.0, of which the bug seems to have stemmed.

Those users who have encountered the flaw after installing the update - mostly developers and software engineers - said the only way they can see a fix to the bug is by reinstalling their systems entirely, or at least restoring the OS from a previous system image.

"This destroyed 3 production server after a single deploy!," one affected user cried in a GitHub bug report.

But that's not the only one, as many more have taken to Twitter to describe their own encounters with the issue, warning others not to bother with the update.

Dear god... bug in npm changes permissions on / file system destroys productions linux or unix boxes. "sudo npm" will chown "/". https://t.co/94j5uRNTaf
— nixCraft: The Best Linux Blog In the Unixverse (@nixcraft) February 22, 2018

The bad thing about this is, the bug was initially reported by users over a week ago who filed bug reports but was apparently ignored by npm developers.

"By running sudo npm under a non-root user (root users do not have the same effect), filesystem permissions are being heavily modified," said Jared Tiala, the software developer who first made npm aware of the issue, just a few hours after the buggy update went live.

He explained that by running the npm update commands as root, "doesn't result in npm trying to reassign root ownership to all files", so the issue appears to affect only npm update operations prefixed by a sudo command.

"For example, if I run sudo npm --help or sudo npm update -g, both commands cause my filesystem to change ownership of directories such as /etc, /usr, /boot, and other directories needed for running the system," he added.

"It appears that the ownership is recursively changed to the user currently running npm."

Linux doesn't seem to be the only OS impacted, though. Community-driven OS FreeBSD, which is used to power modern servers, desktops, and embedded platforms, is also apparently affected by the bug, according to some of its users.

However, Mac and Windows users haven't reported any issues thus far, and not every Linux user has been impacted either. µ