Add check-npm-sudo-config docs and print audit log on setup

- README: add Scripts section explaining what check-npm-sudo-config.sh
  does, what it checks, and that it is audit-only
- setup.sh: print check-npm-sudo-config log to terminal after initial scan

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
pdmarf
2026-04-18 16:32:34 +01:00
parent 4eee88a004
commit 72a8f37290
2 changed files with 42 additions and 1 deletions


@@ -2,6 +2,42 @@
A collection of security scripts versioned in this repository.
## Scripts
### check-npm-sudo-config.sh
Audits npm configuration on a Linux VM to detect cases where npm is — or has
been — configured to install packages into system-owned directories, which
requires `sudo` and creates security risks.
Running `sudo npm install -g` can deposit files owned by root inside your npm
prefix or cache directory. This causes permission errors for non-root users,
encourages further `sudo npm` use to work around them, and means malicious
packages run with root privileges during installation.
**This script is audit-only — it makes no changes.** It reports issues and
prints recommended commands, but you must run those commands yourself.
The script checks:
1. **npm prefix** — flags if it points to `/usr` or `/usr/local` (system-wide, requires sudo)
2. **~/.npmrc** — checks whether the prefix is explicitly pinned to a user directory
3. **PATH** — confirms the npm prefix bin directory is in PATH
4. **Root-owned files in the prefix** — evidence of past `sudo npm` usage
5. **Shell history** — scans `.bash_history` / `.zsh_history` for `sudo npm` commands
6. **npm cache ownership** — root-owned cache files cause EACCES errors
7. **Node version manager** — detects nvm, fnm, or n; flags if n is present without N_PREFIX set
If issues are found, it sends a Telegram alert and logs results to `logs/`.
The correct fix is to configure npm to install global packages into a
user-owned directory (e.g. `~/.npm-global`) so that `sudo` is never needed:
```bash
npm config set prefix ~/.npm-global
export PATH="$HOME/.npm-global/bin:$PATH"
```
## Claude Code Context
This project is maintained with Claude Code. The working directory on macOS is:
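Review bot: the recommended fix at the end of this hunk (`npm config set prefix ~/.npm-global` followed by `export PATH="$HOME/.npm-global/bin:$PATH"`) only changes PATH for the current shell, so a reader who follows it verbatim will have check 3 ("confirms the npm prefix bin directory is in PATH") fail again on their next login; the README should say the `export` line belongs in `~/.bashrc` or `~/.zshrc` (the prefix itself persists because `npm config set` writes it to `~/.npmrc`, which is what check 2 looks for). Two smaller documentation gaps in the same hunk: "it sends a Telegram alert" gives no hint where the bot token and chat id are read from or how to disable the alert for a local run, and check 5 ("scans `.bash_history` / `.zsh_history` for `sudo npm` commands") should note that a clean history is not evidence of absence, since history can be truncated, disabled, or belong to a different user than the one who ran `sudo npm`, so check 4 (root-owned files in the prefix) is the more reliable signal of the two.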