sudo npm deletes ownership of root #4312

Closed
@ecoCuyo

Description

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

After installing node with the following commands
$ sudo curl -sL https://deb.nodesource.com/setup_17.x | sudo -E bash -
$ sudo apt-get install -y nodejs
$ sudo apt-get install -y nodejs
$ sudo npm --version: 8.3.1
$ sudo node --version v17.4.0
$ git clone https://github.com/Koenkk/zigbee2mqtt.git /opt/zigbee2mqtt ... owned by user.group openhabian. openhabian
$ cd /opt/zigbee2mqtt
$ sudo npm ci
I got prompted with
1 high severity vulnerability
To address all issues, run:
npm audit fix
Run npm install -g [email protected] to update!
and then:
$ sudo npm audit
Prompts to:
# npm audit report
follow-redirects <1.14.7 Severity: high
Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
fix available via npm audit fix
node_modules/zigbee-herdsman-converters/node_modules/follow-redirects
marked <4.0.10
Severity: high
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
fix available via "npm audit fix"
node_modules/zigbee-herdsman-converters/node_modules/zigbee-herdsman/node_modules/marked
node_modules/zigbee-herdsman/node_modules/marked
typedoc <=0.22.10 || >=1.0.0-dev.1
Depends on vulnerable versions of marked
node_modules/zigbee-herdsman-converters/node_modules/zigbee-herdsman/node_modules/typedoc
node_modules/zigbee-herdsman/node_modules/typedoc
3 high severity vulnerabilities
To address all issues, run:
npm audit fix
When I finally ran the update:
$ sudo npm install -g [email protected]
changed 17 packages, and audited 215 packages in 8s
11 packages are looking for funding
Run npm fund for details
3 moderate severity vulnerabilities
To address all issues, run:
npm audit fix
Run "npm audit" for details.
And just then the system is destroyed, for example:
$ sudo npm audit
Prompts with:
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
Also many other files belong to 1001 then, e.g. the whole directory /usr/bin:
ls -l /usr/bin/sudo
-rwxr-xr-x 1 1001 1001 147560 Jan 20 2021 /usr/bin/sudo

Expected Behavior

The installation must not change ownership of vital system resources; in particular, it must not revoke the access rights of root!

Steps To Reproduce

  1. In this environment Raspberry 4 on Raspbian buster
  2. With this config... openhab2 installation
    After installing node with the following commands
    $ sudo curl -sL https://deb.nodesource.com/setup_17.x | sudo -E bash -
    $ sudo apt-get install -y nodejs
    $ sudo apt-get install -y nodejs
    $ sudo npm --version: 8.3.1
    $ sudo node --version v17.4.0
    $ git clone https://github.com/Koenkk/zigbee2mqtt.git /opt/zigbee2mqtt ... owned by user.group openhabian. openhabian
    $ cd /opt/zigbee2mqtt
    $ sudo npm ci
    I got prompted with
    1 high severity vulnerability
    To address all issues, run:
    npm audit fix
    Run npm install -g [email protected] to update!
    and then:
    $ sudo npm audit
    Prompts to:
    # npm audit report
    follow-redirects <1.14.7 Severity: high
    Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
    fix available via npm audit fix
    node_modules/zigbee-herdsman-converters/node_modules/follow-redirects
    marked <4.0.10
    Severity: high
    Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
    fix available via "npm audit fix"
    node_modules/zigbee-herdsman-converters/node_modules/zigbee-herdsman/node_modules/marked
    node_modules/zigbee-herdsman/node_modules/marked
    typedoc <=0.22.10 || >=1.0.0-dev.1
    Depends on vulnerable versions of marked
    node_modules/zigbee-herdsman-converters/node_modules/zigbee-herdsman/node_modules/typedoc
    node_modules/zigbee-herdsman/node_modules/typedoc
    3 high severity vulnerabilities
    To address all issues, run:
    npm audit fix
    When I finally ran the update:
    $ sudo npm install -g [email protected]
    changed 17 packages, and audited 215 packages in 8s
    11 packages are looking for funding
    Run npm fund for details
    3 moderate severity vulnerabilities
    To address all issues, run:
    npm audit fix
    Run "npm audit" for details.
    And just then the system is destroyed, for example:
    $ sudo npm audit
    Prompts with:
    sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
    Also many other files belong to 1001 then, e.g. the whole directory /usr/bin:
    ls -l /usr/bin/sudo
    -rwxr-xr-x 1 1001 1001 147560 Jan 20 2021 /usr/bin/sudo

Environment

  • npm version: 8.3.1
  • Node.js: version v17.4.0
  • OS Name: Raspbian
  • System Model Name:
  • npm config:
; copy and paste output from `npm config ls` here
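The report above ends with /usr/bin/sudo owned by uid 1001 instead of uid 0 and sudo refusing to run because it has lost its setuid ownership. The following script is an added example for checking a system for exactly that symptom, either to confirm the damage or to verify a repair before trusting sudo again; it is not code from this issue or from npm. It assumes GNU coreutils stat and find (as on Raspbian/Debian), and the directory list in audit_system is a reasonable default rather than anything the issue specifies. A healthy sudo binary shows as -rwsr-xr-x root root in ls -l, which the script expresses as uid 0 with mode 4755.

```shell
#!/bin/sh
# Added example, not code from the issue or from npm: a post-incident check for
# the symptom reported above (files under /usr/bin re-owned to uid 1001 and
# sudo losing its setuid-root status). Assumes GNU coreutils stat/find (Linux).

# Pure check on a numeric uid and an octal mode string as printed by
# `stat -c '%u %a'`, so it can be exercised without root. sudo must be uid 0
# with the setuid bit (04000) set, i.e. mode 4755, shown by ls as -rwsr-xr-x.
# Returns 0 when both hold, 1 otherwise.
is_root_setuid() {
    uid="$1"
    mode="$2"
    [ "$uid" -eq 0 ] || return 1
    # Normalise to four octal digits; the leading digit carries the special bits.
    mode4=$(printf '%04o' "0$mode")
    case "$mode4" in
        4???|5???|6???|7???) return 0 ;;   # setuid bit present
        *) return 1 ;;
    esac
}

# Check one binary on disk. Prints a finding and returns 1 when it is not
# root-owned with the setuid bit, 2 if the path cannot be stat'ed.
check_setuid_binary() {
    path="$1"
    uid_mode=$(stat -c '%u %a' "$path" 2>/dev/null) || return 2
    set -- $uid_mode
    if is_root_setuid "$1" "$2"; then
        return 0
    fi
    echo "BAD: $path is uid=$1 mode=$2 (expected uid 0 with setuid bit)"
    return 1
}

# List every path under the given directories that is not owned by uid 0.
# On a healthy Debian-family system the system bin directories yield nothing
# (or only the few files a package deliberately installs under another user).
find_non_root_owned() {
    find "$@" -xdev ! -uid 0 -print 2>/dev/null
}

# Number of such paths, for use as a pass/fail gate in scripts.
count_non_root_owned() {
    find_non_root_owned "$@" | wc -l | tr -d ' '
}

# Whole-system gate: returns non-zero if sudo is broken or any system binary
# is no longer root-owned. The directory list is an assumed default.
audit_system() {
    rc=0
    check_setuid_binary /usr/bin/sudo || rc=1
    n=$(count_non_root_owned /usr/bin /usr/sbin /bin /sbin)
    if [ "$n" -ne 0 ]; then
        echo "BAD: $n path(s) under system bin dirs are not owned by uid 0"
        find_non_root_owned /usr/bin /usr/sbin /bin /sbin | head -n 20
        rc=1
    fi
    return $rc
}

# Stand-alone usage (left commented so the functions can be sourced by a test):
# audit_system && echo "OK: system binaries are root-owned, sudo is setuid root"
```

Once sudo has lost its setuid-root status it cannot be used to repair itself, so the fix has to come from a real root shell (su with the root password, or a rescue/single-user boot of the SD card): restore the binary with chown root:root /usr/bin/sudo and chmod 4755 /usr/bin/sudo, then reinstall the affected packages through the package manager so every other file it owns gets its recorded ownership back, and rerun audit_system until it returns 0. Running npm without sudo, with a global prefix inside the service user's home directory, avoids giving npm the privilege to re-own system files in the first place.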

Labels: Bug (thing that needs fixing), Priority 2 (secondary priority issue), Release 8.x (work is associated with a specific npm 8 release)