You might not need sudo

by Jack Tarantino

I've noticed a trend recently of junior developers and people writing documentation for developer tools to use the sudo command to get stuff done. For most purposes, sudo is overkill and it's misuse can introduce bugs and vulnerabilities into your application. Here's an example I found just today:

Execute $ sudo npm install

The problem

This is a great example of something where you probably don't need sudo. The sudo command should only be used when you need to make changes to files owned by root or when you need to make changes to files that don't belong to your current user. Even then, you should probably just use su otherUser and make the changes as that user so you don't accidentally break something.

If you're installing packages with npm, you're likely doing that for a Node-based webapp. For security reasons, you want to start that webapp as a user with restricted permissions. This is because should there be a vulnerability in your application, if an attacker can execute arbitrary code on your system as that user, you want them to only be able to affect a small part of it and not the entire box. Using sudo here can cause permissions/access problems if you execute the application as a normal user because the packages will all belong to root and your user shouldn't have access to root's files. On the other hand, if you try to circumvent this problem by running the application as root or by using sudo, you've given your application root-level access to the entire filesystem and any attacker who exploits the application can change whatever they want.

You don't just need to worry about attackers though. What's significantly more likely is that you/your application will accidentally delete or modify files it's not supposed to have access to.

The solution

When working on your filesystem, execute code as yourself(or another user where appropriate) first and then resort to more powerful measures if you run into problems. If you've already done something like the code above and you're getting access/permission errors, it's easy to fix. You just need to change the user and group for those files. In most cases, the user and group name are the same but if you're on OS X for example, the group name might be something like 'staff'. You can find out your user and group names by entering the following command: ls -la ~. You should see a list of all the files in your home directory with their permissions, size and last-modified date. So, given that information, you can fix your errant node_modules/ folder with the following command:

$ sudo chown -R USERNAME:GROUP ./*

The sudo is necessary in this case because you have to change files owned by root. The -R tells chown to change the owner recursively for all the files in all the subdirectories. The ./* at the end is just indicating that the target files are everything in this directory. If you only want to change one particular directory, substitute that pattern for the name of the directory.

And there you have it! You can now run your application normally without needing to use sudo and without exposing your whole filesystem to your application. This post's title was inspired by the recent You might not need jQuery article/debacle. If you have thoughts, questions or comments, send me a message! If you would like support or just want to help the open source community, leave a donation as well ;).