Bug 30220 - Permission issue in /usr/lib/node_modules when trying to install yarn globally
Summary: Permission issue in /usr/lib/node_modules when trying to install yarn globally
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Mageia Bug Squad
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-03-29 22:55 CEST by Kristoffer Grundström
Modified: 2022-04-03 09:29 CEST (History)
3 users (show)

See Also:
Source RPM: npm
CVE:
Status comment:

Attachments
Output from trying to install yarn plus equivalent info (3.67 KB, text/plain)
2022-03-29 22:59 CEST, Kristoffer Grundström 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Description Kristoffer Grundström 2022-03-29 22:55:17 CEST 
Description of problem: I installed npm using urpmi and upgraded npm using npm install --upgrade npm and that went just fine, but as soon as I ran npm install --global yarn it failed with a permission issue displayed in the attached file.

Version-Release number of selected component (if applicable): 6.14.15

How reproducible: All the time.

Steps to Reproduce:
1. Install npm using urpmi.
2. Run npm install --upgrade npm
3. Run npm install --global yarn.
4. The installation fails due to not having write access to /usr/lib/node_modules.
Comment 1 Kristoffer Grundström 2022-03-29 22:59:09 CEST 
Created attachment 13210 [details]
Output from trying to install yarn plus equivalent info

CC: (none) => lovaren

Comment 2 Kristoffer Grundström 2022-03-29 23:04:28 CEST 
If I execute npm to install with --global ( that's what we're supposed to be doing according to https://classic.yarnpkg.com/lang/en/docs/install/#debian-stable ) wouldn't that mean that my user would be able to install through sudo or did I misunderstand --global?

https://classic.yarnpkg.com/en/docs/cli/global shows nothing about root permission.
Comment 3 Dave Hodgins 2022-03-30 00:12:05 CEST 
How is this a bug? Installing a package for all users of the system requires
root privileges, as it should. As per the page referenced in comment 2, see the
"Defining install location" if you want to install things just for that user.

CC: (none) => davidwhodgins

Comment 4 Kristoffer Grundström 2022-03-30 01:00:12 CEST 
(In reply to Dave Hodgins from comment #3)
> How is this a bug? Installing a package for all users of the system requires
> root privileges, as it should. As per the page referenced in comment 2, see
> the
> "Defining install location" if you want to install things just for that user.

Uuuuuuhm. npm instructions doesn't tell the user to become root for the installation to work so the guide is somewhat vague.

Can there be a sentence (in case of this error) that points a user to try the command as sudo?
Comment 5 Dave Hodgins 2022-03-30 01:17:53 CEST 
From "Defining install location" ...
 You can configure the base location with yarn config set prefix <filepath>. For example, yarn config set prefix ~/.yarn will ensure all global packages will have their executables installed to ~/.yarn/bin.

That should stop it from trying to write to the system directories in /usr.
Comment 6 Kristoffer Grundström 2022-03-30 01:22:57 CEST 
(In reply to Dave Hodgins from comment #5)
> From "Defining install location" ...
>  You can configure the base location with yarn config set prefix <filepath>.
> For example, yarn config set prefix ~/.yarn will ensure all global packages
> will have their executables installed to ~/.yarn/bin.
> 
> That should stop it from trying to write to the system directories in /usr.

Yes, but the npm package that we have doesn't seem to take that into consideration when installing yarn.

Anyway to adjust that?
Comment 7 Dave Hodgins 2022-03-30 01:40:32 CEST 
Just tried it in an install where I hadn't used npm before ...
[dave@x8v ~]$ npm install yarn

> yarn@1.22.18 preinstall /home/dave/node_modules/yarn
> :; (node ./preinstall.js > /dev/null 2>&1 || true)

npm WARN saveError ENOENT: no such file or directory, open '/home/dave/package.json'
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN enoent ENOENT: no such file or directory, open '/home/dave/package.json'
npm WARN dave No description
npm WARN dave No repository field.
npm WARN dave No README data
npm WARN dave No license field.

+ yarn@1.22.18
added 1 package and audited 1 package in 1.417s
found 0 vulnerabilities

So yarn was installed in ~/node_modules/.

In https://classic.yarnpkg.com/en/docs/cli/global the top part has ...
Install packages globally on your operating system.
# yarn global <add/bin/list/remove/upgrade> [--prefix]

The # preceding the yarn global command indicates it should be run by root.

As to the rest of the examples, either the author has modified their system
to allow regular users to write to /usr/local, or is using a distribution where
that is the default. According to https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s09.html /usr/local is for system administrators (aka root) to install
packages, not regular users.
Comment 8 Lewis Smith 2022-04-03 09:29:05 CEST 
Going back to the beginning,
> Run npm install --global yarn
> The installation fails due to not having write access to /usr/lib/node_modules
this in itself suggests the sensible need to be root to write to /usr/lib. You did not say whether you ran it as normal user, but it looks like that.

From the previous comment,
> The # preceding the yarn global command indicates it should be run by root
which is standard notation. And the last paragraph above is definitive.

So this is not a Mageia bug, just a usability thing. Closing it.

Status: NEW => RESOLVED
CC: (none) => lewyssmith
Resolution: (none) => INVALID
Note You need to log in before you can comment on or make changes to this bug.