
Improve untrusted package install docs

pull/10541/head
Jordi Boggiano 2022-02-16 14:50:38 +01:00
parent 0c4cefaaa1
commit 4376153912
No known key found for this signature in database
GPG Key ID: 7BBD42C429EC80BC
1 changed file with 8 additions and 5 deletions


@ -3,7 +3,9 @@
Certain Composer commands, including `exec`, `install`, and `update` allow third party code to Certain Composer commands, including `exec`, `install`, and `update` allow third party code to
execute on your system. This is from its "plugins" and "scripts" features. Plugins and scripts have execute on your system. This is from its "plugins" and "scripts" features. Plugins and scripts have
full access to the user account which runs Composer. For this reason, it is strongly advised to full access to the user account which runs Composer. For this reason, it is strongly advised to
**avoid running Composer as super-user/root**. **avoid running Composer as super-user/root**. All commands also dispatch events which can be
caught by plugins so unless explicitly disabled installed plugins will be loaded/executed by **every**
Composer command.
You can disable plugins and scripts during package installation or updates with the following You can disable plugins and scripts during package installation or updates with the following
syntax so only Composer's code, and no third party code, will execute: syntax so only Composer's code, and no third party code, will execute:
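Review bot: the new sentence ("All commands also dispatch events which can be caught by plugins so unless explicitly disabled installed plugins will be loaded/executed by **every** Composer command") tells the reader plugins run on every command unless "explicitly disabled" but does not say how, even though `--no-plugins` is the mechanism shown in the code block just below. Suggest naming it inline, e.g. "so unless explicitly disabled with `--no-plugins`, installed plugins will be loaded and executed by **every** Composer command", which also adds the missing comma before the clause and replaces the "loaded/executed" slash form.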
@ -13,10 +15,11 @@ php composer.phar install --no-plugins --no-scripts ...
php composer.phar update --no-plugins --no-scripts ... php composer.phar update --no-plugins --no-scripts ...
``` ```
The `exec` command will always run third party code as the user which runs `composer`. Depending on the operating system we have seen cases where it is possible to trigger execution
of files in the repository using specially crafted `composer.json`. So in general if you do want
to install untrusted dependencies you should sandbox them completely in a container or equivalent.
In some cases, like in CI systems or such where you want to install untrusted dependencies, the Also note that the `exec` command will always run third party code as the user which runs `composer`.
safest way to do it is to run the above command.
See [Environment variable - COMPOSER_ALLOW_SUPERUSER](../03-cli.md#composer-allow-superuser) See [Environment variable - COMPOSER_ALLOW_SUPERUSER](../03-cli.md#composer-allow-superuser)
for more info on how to disable warning for more info on how to disable warning
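Review bot: the added warning ("Depending on the operating system we have seen cases where it is possible to trigger execution of files in the repository using specially crafted `composer.json`") leaves the reader unsure whether the `--no-plugins --no-scripts` flags from the preceding code block cover this case; the following sentence recommends a sandbox, which implies they do not, but that should be stated rather than inferred. Suggest making the relationship explicit, e.g. "Even with `--no-plugins --no-scripts`, depending on the operating system we have seen cases where ..." so that the flags are not read as a complete mitigation for untrusted dependencies. The sentence also needs a comma after "operating system".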