Public Access

Go to file

pdmarf 72a8f37290 Add check-npm-sudo-config docs and print audit log on setup

- README: add Scripts section explaining what check-npm-sudo-config.sh
  does, what it checks, and that it is audit-only
- setup.sh: print check-npm-sudo-config log to terminal after initial scan

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-18 16:32:34 +01:00

.gitignore

Remove committed logs and ignore all *.log files

2026-04-18 09:58:39 +01:00

check-nextjs-rce.sh

Add Telegram alerts, setup script, and cron registration

2026-04-17 22:11:58 +01:00

check-npm-sudo-config.sh

Add file logging to check-npm-sudo-config.sh v1.0

2026-04-18 10:07:29 +01:00

npm-security-check.sh

Only send Telegram alert for critical issues, not warnings

2026-04-17 22:58:14 +01:00

README-scanner.md

Initial commit: consolidate security scripts

2026-04-17 21:51:27 +01:00

README.md

Add check-npm-sudo-config docs and print audit log on setup

2026-04-18 16:32:34 +01:00

setup.sh

Add check-npm-sudo-config docs and print audit log on setup

2026-04-18 16:32:34 +01:00

README.md

Security Tools

A collection of security scripts versioned in this repository.

Scripts

check-npm-sudo-config.sh

Audits npm configuration on a Linux VM to detect cases where npm is — or has been — configured to install packages into system-owned directories, which requires sudo and creates security risks.

Running sudo npm install -g can deposit files owned by root inside your npm prefix or cache directory. This causes permission errors for non-root users, encourages further sudo npm use to work around them, and means malicious packages run with root privileges during installation.

This script is audit-only — it makes no changes. It reports issues and prints recommended commands, but you must run those commands yourself.

The script checks:

npm prefix — flags if it points to /usr or /usr/local (system-wide, requires sudo)
~/.npmrc — checks whether the prefix is explicitly pinned to a user directory
PATH — confirms the npm prefix bin directory is in PATH
Root-owned files in the prefix — evidence of past sudo npm usage
Shell history — scans .bash_history / .zsh_history for sudo npm commands
npm cache ownership — root-owned cache files cause EACCES errors
Node version manager — detects nvm, fnm, or n; flags if n is present without N_PREFIX set

If issues are found, it sends a Telegram alert and logs results to logs/.

The correct fix is to configure npm to install global packages into a user-owned directory (e.g. ~/.npm-global) so that sudo is never needed:

npm config set prefix ~/.npm-global
export PATH="$HOME/.npm-global/bin:$PATH"

Claude Code Context

This project is maintained with Claude Code. The working directory on macOS is:

/Users/petermarfleet/code/bin/security

To resume work in Claude Code from this directory:

cd /Users/petermarfleet/code/bin/security
claude

Cloning to a New Machine

If git is not installed (e.g. a fresh LXC/VM):

apt install git -y

Then clone and run setup:

On Tailscale:

git clone http://100.120.125.113:3000/pdm/security-tools.git
cd security-tools
bash setup.sh

Without Tailscale:

git clone https://gitea.pdmarf.co.uk/pdm/security-tools.git
cd security-tools
bash setup.sh

To clone to a specific path:

git clone http://100.120.125.113:3000/pdm/security-tools.git /path/to/destination

Activating on a New VM

After cloning, run setup.sh once. It will:

Ask for your Telegram bot token and chat ID
Register cron jobs to run scans daily at 08:00
Send a test Telegram message confirming the VM is active
Create a logs/ folder — logs are kept for 60 days then auto-deleted

Updating an Existing VM

When changes are pushed to this repo, update any VM by running:

cd ~/security-tools
git pull
bash setup.sh

setup.sh is safe to re-run — it skips steps already completed.