2016-07-09 07:43:40 +00:00

# How do I install untrusted packages safely? Is it safe to run Composer as superuser or root?

## Why am I seeing a "Do not run Composer as root/super user" warning/error?

It was always discouraged to run Composer as root for the reasons detailed below.

As of Composer 2.4.2, plugins are disabled automatically when running as root and
there is no sign that the user is consciously doing this. There are two ways this user consent
can be given:

- If you run interactively, Composer will prompt if you are sure that you want to continue
  running as root. If run non-interactively, plugins will be disabled unless you give consent
  the second way:
- If you set the [COMPOSER_ALLOW_SUPERUSER](../03-cli.md#composer-allow-superuser) environment
  variable to `1`, this also indicates that you intended to run Composer as root and are accepting
  the risks of doing so.

## Is it safe to run Composer as superuser or root?

Certain Composer commands, including `exec`, `install`, and `update`, allow third party code to
execute on your system. This is from its "plugins" and "scripts" features. Plugins and scripts have
full access to the user account which runs Composer. For this reason, it is strongly advised to
**avoid running Composer as super-user/root**. All commands also dispatch events which can be
caught by plugins, so unless explicitly disabled, installed plugins will be loaded/executed by **every**
Composer command.

You can disable plugins and scripts during package installation or updates with the following
syntax so only Composer's code, and no third party code, will execute:

```shell
php composer.phar install --no-plugins --no-scripts ...
php composer.phar update --no-plugins --no-scripts ...
```

Depending on the operating system we have seen cases where it is possible to trigger execution
of files in the repository using specially crafted `composer.json`. So in general if you do want
to install untrusted dependencies you should sandbox them completely in a container or equivalent.

Also note that the `exec` command will always run third party code as the user which runs `composer`.
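As an added example (not part of the Composer documentation or its code), a small POSIX shell helper that encodes the rules above before building a Composer command line: it refuses to run as root unless `COMPOSER_ALLOW_SUPERUSER=1`, refuses `exec` for untrusted code since no flag makes it safe, and adds `--no-plugins --no-scripts` to `install`/`update` for untrusted dependencies. The function name, the `trusted`/`untrusted` labels and the `composer.phar` path are this example's assumptions.

```shell
#!/bin/sh
# Added example, not Composer's own code. Builds (prints) a composer invocation
# for a subcommand and trust level without running it. The trust labels
# "trusted"/"untrusted" and the composer.phar path are assumptions.
#
# Usage: build_composer_cmd <subcommand> <trusted|untrusted> <uid> <allow_superuser>
#   uid             numeric user id the command would run as (0 = root)
#   allow_superuser value of COMPOSER_ALLOW_SUPERUSER ("1" means consent given)
build_composer_cmd() {
    subcmd="$1"; trust="$2"; uid="$3"; allow="$4"

    # Root is only accepted with explicit consent, mirroring the consent that
    # Composer 2.4.2+ requires before it will load plugins as root.
    if [ "$uid" -eq 0 ] && [ "$allow" != "1" ]; then
        echo "refusing to run composer as root without COMPOSER_ALLOW_SUPERUSER=1" >&2
        return 1
    fi

    # exec always runs third party code as the invoking user; no flag changes
    # that, so untrusted code belongs in a container, not behind this wrapper.
    if [ "$subcmd" = "exec" ] && [ "$trust" = "untrusted" ]; then
        echo "composer exec runs third party code directly; sandbox it in a container instead" >&2
        return 1
    fi

    flags=""
    case "$subcmd" in
        install|update)
            # For untrusted dependencies disable plugins and scripts so that
            # only Composer's own code executes during the install/update.
            if [ "$trust" = "untrusted" ]; then
                flags=" --no-plugins --no-scripts"
            fi
            ;;
    esac

    printf 'php composer.phar %s%s\n' "$subcmd" "$flags"
}

# Example invocation for the current user: prints the command line, or a
# refusal on stderr when running as root without consent.
build_composer_cmd install untrusted "$(id -u)" "${COMPOSER_ALLOW_SUPERUSER:-0}" || true
```

The printed command line can be passed to `eval` or copied into a CI step; the wrapper deliberately does not execute anything itself.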

See the [COMPOSER_ALLOW_SUPERUSER](../03-cli.md#composer-allow-superuser) environment variable for
more info on how to disable the warnings.