If this is insecure, then have I somehow missed security good practice for handling Node.js projects? I know that running sudo npm install -g is really bad practice, but is using npm as a user which has write access to your main shell configuration file almost as bad, just with a few extra steps in between, or am I lacking an understanding of how user permissions/shell configuration/npm works?

Obviously I do trust most of the programs that I install to not be malicious; however, I do use npm as a package manager for my own projects, which is commonly accepted to be a vector for malware due to the sheer number of dependencies each module and its dependencies can have. I'm concerned that a malicious program that I install on the user level could then trick me into somehow giving up my sudo password through this method.

In malicious hands this could probably be used to edit aliases or append a directory of the attacker's choosing to the beginning of the $PATH. My understanding of user permissions is that any process spawned by my user will then have read/write permissions to this file.
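The two changes the question describes, an alias that replaces `sudo` and a directory placed ahead of the existing `$PATH`, can be checked for in a startup file. This is an added example, not part of the original post; the watch list, the function names and the sample file contents are assumptions.

```sh
#!/bin/sh
# Added example: flag the two startup-file changes the post describes.
# The watch list and the sample file below are assumptions, not from the post.
WATCHED='sudo|su|doas'

# audit_rc FILE: print "LINE:KIND:TEXT" per finding; exit status 0 if clean.
audit_rc() {
    rc_file=$1
    findings=$(
        {
            # Alias that replaces a password-prompting command.
            grep -nE "^[[:space:]]*alias[[:space:]]+($WATCHED)=" "$rc_file" |
                sed -E 's/^([0-9]+):[[:space:]]*/\1:alias-shadow:/' || :
            # PATH assignment that puts a directory ahead of the existing $PATH.
            grep -nE '^[[:space:]]*(export[[:space:]]+)?PATH="?[^:"]+:.*[$][{]?PATH' "$rc_file" |
                sed -E 's/^([0-9]+):[[:space:]]*/\1:path-prepend:/' || :
        } | sort -t: -k1,1n
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample of a ~/.bashrc; prints the temp file's path.
make_sample() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# constructed sample
export EDITOR=vim
alias ll='ls -l'
export PATH="$PATH:$HOME/.local/bin"
alias sudo='/home/user/.cache/x/sudo'
export PATH="/home/user/.cache/x:$PATH"
EOF
    printf '%s\n' "$sample"
}

rc=$(make_sample)
audit_rc "$rc" || echo "review the flagged lines before starting a new shell"
rm -f "$rc"
```

A PATH prepend is often legitimate (version managers add one), so a finding is a line to review rather than proof of tampering.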