composer/doc/faqs/how-to-install-untrusted-pa...

# How do I install untrusted packages safely? Is it safe to run Composer as superuser or root?

## Why am I seeing a "Do not run Composer as root/super user" warning/error?

It was always discouraged to run Composer as root for the reasons detailed below.

As of Composer 2.4.2, plugins are disabled automatically when running as root and
there is no sign that the user is consciously doing this. There are two ways this user consent
can be given:

- If you run interactively, Composer will prompt if you are sure that you want to continue
  running as root. If you run non-interactively, plugins will be disabled, unless..
- If you set the [COMPOSER_ALLOW_SUPERUSER](../03-cli.md#composer-allow-superuser) environment
  variable to `1`, this also indicates that you intended to run Composer as root and are accepting
  the risks of doing so.

## Is it safe to run Composer as superuser or root?

Certain Composer commands, including `exec`, `install`, and `update` allow third party code to
execute on your system. This is from its "plugins" and "scripts" features. Plugins and scripts have
full access to the user account which runs Composer. For this reason, it is strongly advised to
**avoid running Composer as super-user/root**. All commands also dispatch events which can be
caught by plugins so unless explicitly disabled installed plugins will be loaded/executed by **every**
Composer command.

You can disable plugins and scripts during package installation or updates with the following
syntax so only Composer's code, and no third party code, will execute:

```shell
php composer.phar install --no-plugins --no-scripts ...
php composer.phar update --no-plugins --no-scripts ...
```

Depending on the operating system we have seen cases where it is possible to trigger execution
of files in the repository using specially crafted `composer.json`. So in general if you do want
to install untrusted dependencies you should sandbox them completely in a container or equivalent.

Also note that the `exec` command will always run third party code as the user which runs `composer`.

See the [COMPOSER_ALLOW_SUPERUSER](../03-cli.md#composer-allow-superuser) environment variable for
more info on how to disable the warnings.
typo to -> do 2016-07-09 07:43:40 +00:00			`# How do I install untrusted packages safely? Is it safe to run Composer as superuser or root?`
Add new FAQ, refs #5382 2016-05-31 19:57:31 +00:00
Update docs about root usage, refs #11093 2022-10-13 14:53:33 +00:00			`## Why am I seeing a "Do not run Composer as root/super user" warning/error?`

			`It was always discouraged to run Composer as root for the reasons detailed below.`

			`As of Composer 2.4.2, plugins are disabled automatically when running as root and`
			`there is no sign that the user is consciously doing this. There are two ways this user consent`
			`can be given:`

			`- If you run interactively, Composer will prompt if you are sure that you want to continue`
Update how-to-install-untrusted-packages-safely.md (#11187) 2022-11-16 12:42:58 +00:00			`running as root. If you run non-interactively, plugins will be disabled, unless..`
Update docs about root usage, refs #11093 2022-10-13 14:53:33 +00:00			`- If you set the [COMPOSER_ALLOW_SUPERUSER](../03-cli.md#composer-allow-superuser) environment`
			variable to `1`, this also indicates that you intended to run Composer as root and are accepting
			`the risks of doing so.`

			`## Is it safe to run Composer as superuser or root?`

Clean up documentation 2017-12-30 20:06:14 +00:00			Certain Composer commands, including `exec`, `install`, and `update` allow third party code to
More specific language and clearer warning 2016-06-01 20:25:50 +00:00			`execute on your system. This is from its "plugins" and "scripts" features. Plugins and scripts have`
			`full access to the user account which runs Composer. For this reason, it is strongly advised to`
Improve untrusted package install docs 2022-02-16 13:50:38 +00:00			`avoid running Composer as super-user/root. All commands also dispatch events which can be`
			`caught by plugins so unless explicitly disabled installed plugins will be loaded/executed by every`
			`Composer command.`
Add new FAQ, refs #5382 2016-05-31 19:57:31 +00:00
More specific language and clearer warning 2016-06-01 20:25:50 +00:00			`You can disable plugins and scripts during package installation or updates with the following`
			`syntax so only Composer's code, and no third party code, will execute:`

Documentation code syntax highlighting (#11011) * Add newline at end of file. * Create a uniformat in the code syntax highlighting by using the main syntax `shell` instead of the alias `bash`/`sh`. * Added (of corrected) the missing code syntax highlighting. * Split the shell commands from the text outputs. * Fix JSON samples formatting. * Checked the commands and updated the text output. 2022-08-20 10:23:00 +00:00			```shell
Use `composer.phar` consistently in the examples 2021-10-25 11:11:35 +00:00			`php composer.phar install --no-plugins --no-scripts ...`
			`php composer.phar update --no-plugins --no-scripts ...`
More specific language and clearer warning 2016-06-01 20:25:50 +00:00			```

Improve untrusted package install docs 2022-02-16 13:50:38 +00:00			`Depending on the operating system we have seen cases where it is possible to trigger execution`
			of files in the repository using specially crafted `composer.json`. So in general if you do want
			`to install untrusted dependencies you should sandbox them completely in a container or equivalent.`
More specific language and clearer warning 2016-06-01 20:25:50 +00:00
Improve untrusted package install docs 2022-02-16 13:50:38 +00:00			Also note that the `exec` command will always run third party code as the user which runs `composer`.
Added link to composer-allow-superuser (#10215) 2021-10-26 15:43:03 +00:00
Update docs about root usage, refs #11093 2022-10-13 14:53:33 +00:00			`See the [COMPOSER_ALLOW_SUPERUSER](../03-cli.md#composer-allow-superuser) environment variable for`
			`more info on how to disable the warnings.`