Is the "--no-scripts" option enough to account for the security concerns about running composer as root?

php composer-php root sudo
12,930

Solution 1

Best practice is not to use sudo for composer commands at all. If you need sudo for composer, it usually points at your project's file permissions not being setup correctly.

E.g. you should have a non-root user owning the projects directory, and you should run the needed commands as that user, without requiring sudo. If you need to run as root, it probably means that you did so in one of your previous runs, and already messed up your file permissions.

(Best practice is also not running install in production in any case, but at least you are not running update)

In the rarer cases where you need to run composer as a superuser, and you are not on a very constrained environment (say, building a Docker image), you should pay attention to the official guidance and not only use --no-scripts, but also the parameter --no-plugins, so you are only doing file copying and not executing other scripts.

Solution 2

Run as a user who has privileges to delete the "files and folders" you're talking about. If such a user does not exist, create one, assign ownership/privileges and then run composer under that user.
Simply running it as root just to delete a handful of known folders is a weak argument.

Share:
12,930
Čamo
Author by

Čamo

Updated on June 13, 2022

Comments

  • Čamo
    Čamo almost 2 years

    I would like to make .sh file for automatic deploy web pages from github to production. I need to run composer install in it but as I run it, it throws me a warning:

    "Do not run composer install as root super user!"

    I found out this is because of security reasons. But I need to run also other commands which needs to e.g. delete some files and directories.

    The solution I found to fix this is:

    composer install --no-scripts --no-interaction

    The question is: Is it enough? Is --no-script the solution or not? What is the best practice regarding running composer as root?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Your requirements could not be resolved to an installable set of packages. for running an application
Open file or application as root from GUI
Class 'Form' not found in Laravel 7
What is composer in laravel?
Composer Curl error 60: SSL certificate problem: unable to get local issuer certificate
Safely edit a third party composer (vendor) package in Laravel & prevent losing customized changes on release of a new version of the package
New Symfony 3 installation: Could not open input file: app/console in composer install
Class 'Predis\Client' not found in Laravel
Run composer dump-autoload from controller in laravel 5
Your requirements could not be resolved to an installable set of packages