Improve untrusted package install docs
parent
0c4cefaaa1
commit
4376153912
|
@ -3,7 +3,9 @@
|
||||||
Certain Composer commands, including `exec`, `install`, and `update` allow third party code to
|
Certain Composer commands, including `exec`, `install`, and `update` allow third party code to
|
||||||
execute on your system. This is from its "plugins" and "scripts" features. Plugins and scripts have
|
execute on your system. This is from its "plugins" and "scripts" features. Plugins and scripts have
|
||||||
full access to the user account which runs Composer. For this reason, it is strongly advised to
|
full access to the user account which runs Composer. For this reason, it is strongly advised to
|
||||||
**avoid running Composer as super-user/root**.
|
**avoid running Composer as super-user/root**. All commands also dispatch events which can be
|
||||||
|
caught by plugins so unless explicitly disabled installed plugins will be loaded/executed by **every**
|
||||||
|
Composer command.
|
||||||
|
|
||||||
You can disable plugins and scripts during package installation or updates with the following
|
You can disable plugins and scripts during package installation or updates with the following
|
||||||
syntax so only Composer's code, and no third party code, will execute:
|
syntax so only Composer's code, and no third party code, will execute:
|
||||||
|
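Review bot: the new sentence starting "All commands also dispatch events" is a run-on that buries the important qualifier; it needs a comma before "so" and around "unless explicitly disabled" so the reader does not parse "disabled installed plugins" as one phrase, e.g. "All commands also dispatch events which can be caught by plugins, so unless explicitly disabled, installed plugins will be loaded/executed by **every** Composer command." It would also help to say in this sentence how they are disabled (the `--no-plugins` flag shown two paragraphs below), since a reader who stops at the first paragraph is left without the mitigation.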
@ -13,10 +15,11 @@ php composer.phar install --no-plugins --no-scripts ...
|
||||||
php composer.phar update --no-plugins --no-scripts ...
|
php composer.phar update --no-plugins --no-scripts ...
|
||||||
```
|
```
|
||||||
|
|
||||||
The `exec` command will always run third party code as the user which runs `composer`.
|
Depending on the operating system we have seen cases where it is possible to trigger execution
|
||||||
|
of files in the repository using specially crafted `composer.json`. So in general if you do want
|
||||||
|
to install untrusted dependencies you should sandbox them completely in a container or equivalent.
|
||||||
|
|
||||||
In some cases, like in CI systems or such where you want to install untrusted dependencies, the
|
Also note that the `exec` command will always run third party code as the user which runs `composer`.
|
||||||
safest way to do it is to run the above command.
|
|
||||||
|
|
||||||
See [Environment variable - COMPOSER_ALLOW_SUPERUSER](../03-cli.md#composer-allow-superuser)
|
See [Environment variable - COMPOSER_ALLOW_SUPERUSER](../03-cli.md#composer-allow-superuser)
|
||||||
for more info on how to disable warning
|
for more info on how to disable warning
|
||||||
|
|
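Review bot: the added paragraph "Depending on the operating system we have seen cases..." never states its conclusion explicitly, which is that `--no-plugins --no-scripts` alone is not a complete protection against an untrusted `composer.json`, so the reader has to infer why the removed "safest way to do it is to run the above command" advice for CI systems was dropped; consider opening with that statement before the container recommendation, and add the commas in "So in general, if you do want to install untrusted dependencies, you should sandbox them completely in a container or equivalent." The relocated `exec` sentence is fine where it is, but "Also note that" now follows a paragraph about sandboxing rather than about plugins, so "Note that" alone reads more naturally.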