The Inquirer
Buggy update to JavaScript package manager npm is crashing Linux systems

Changes ownership of crucial Linux system folders without users' permission

  • Lee Bell
  • @llebeel
  • 23 February 2018

A SECURITY BUG has been found in one of the most popular JavaScript package managers, which changes ownership of crucial Linux system folders, such as '/etc', '/usr' and '/boot', without users' permission.

Found in the Node Package Manager, or npm as it is more commonly called, the bug can crash the system and various local apps, or even prevent the system from booting, once the ownership of the files has been changed.

That's according to reports from users who installed a new npm update, npm v5.7.0, from which the bug seems to have stemmed.

Those users who have encountered the flaw after installing the update - mostly developers and software engineers - said the only fix they can see is to reinstall their systems entirely, or at least restore the OS from a previous system image.

"This destroyed 3 production server after a single deploy!" one affected user cried in a GitHub bug report.

But that's not the only one, as many more have taken to Twitter to describe their own encounters with the issue, warning others not to bother with the update.

Dear god... bug in npm changes permissions on / file system destroys productions linux or unix boxes. "sudo npm" will chown "/". https://t.co/94j5uRNTaf

— nixCraft: The Best Linux Blog In the Unixverse (@nixcraft) February 22, 2018

Worse, users first reported the bug over a week ago, filing bug reports that were apparently ignored by npm developers.

"By running sudo npm under a non-root user (root users do not have the same effect), filesystem permissions are being heavily modified," said Jared Tiala, the software developer who first made npm aware of the issue, just a few hours after the buggy update went live.

He explained that running the npm update commands as root "doesn't result in npm trying to reassign root ownership to all files", so the issue appears to affect only npm update operations prefixed by a sudo command.

"For example, if I run sudo npm --help or sudo npm update -g, both commands cause my filesystem to change ownership of directories such as /etc, /usr, /boot, and other directories needed for running the system," he added.

"It appears that the ownership is recursively changed to the user currently running npm."
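A way to check a machine for the damage described above, as an added example that is not part of the original article or of npm: it counts entries under the system directories named in the report that are owned by an ordinary account, which on a healthy system should be none. The function names, the script name and the default directory list are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report system-directory entries owned by an ordinary account.
# Usage (script name is hypothetical): sh audit-owner.sh "$(id -u alice)"

# Directories named in the bug report; assumed default for this example.
SYSTEM_DIRS="/etc /usr /boot"

# count_owned UID DIR: number of entries at or below DIR owned by numeric UID.
# -xdev keeps find on one filesystem; find does not follow symlinks by default.
# A file name containing a newline is counted once per line.
count_owned() {
    find "$2" -xdev -user "$1" -print 2>/dev/null | wc -l | tr -d ' '
}

# dir_owner DIR: numeric owner of DIR itself (third field of ls -ldn).
dir_owner() {
    ls -ldn "$1" | awk '{print $3}'
}

# audit UID [DIR...]: one summary line per directory.
# Returns 1 if any entry is owned by UID, 0 if every directory is clean.
audit() {
    uid=$1
    shift
    [ "$#" -gt 0 ] || set -- $SYSTEM_DIRS
    status=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        n=$(count_owned "$uid" "$dir")
        if [ "$n" -gt 0 ]; then
            echo "$dir: $n entries owned by uid $uid (top-level owner: $(dir_owner "$dir"))"
            status=1
        else
            echo "$dir: no entries owned by uid $uid"
        fi
    done
    return "$status"
}

# Run only when a UID is given on the command line.
if [ "$#" -gt 0 ]; then
    audit "$@"
fi
```

Pass the numeric UID of the account that ran sudo npm; a non-zero exit status means at least one of the directories contains entries owned by that account.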

Linux doesn't seem to be the only OS impacted, though. Community-driven OS FreeBSD, which is used to power modern servers, desktops, and embedded platforms, is also apparently affected by the bug, according to some of its users.

However, Mac and Windows users haven't reported any issues thus far, and not every Linux user has been impacted either. µ
