From 618026fd3ed34a1b06c3f72f48a74370b0f93ec2 Mon Sep 17 00:00:00 2001 From: William Entriken Date: Wed, 1 Jun 2016 16:25:50 -0400 Subject: [PATCH] More specific language and clearer warning --- ...ow-to-install-untrusted-packages-safely.md | 22 ++++++++++++++----- 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/doc/faqs/how-to-install-untrusted-packages-safely.md b/doc/faqs/how-to-install-untrusted-packages-safely.md index 48d52237c..f6c102c20 100644 --- a/doc/faqs/how-to-install-untrusted-packages-safely.md +++ b/doc/faqs/how-to-install-untrusted-packages-safely.md @@ -1,9 +1,19 @@ # How to I install untrusted packages safely? Is it safe to run Composer as superuser or root? -Composer has a plugin system, and plugins are enabled automatically when installed. This means that -they can theoretically be used as an attack vector, and you should not blindly trust any package you -install. For this reason, it is strongly advised to **avoid running Composer as super-user/root**. +Certain Composer commands, including `exec`, `install`, and `update` allow third party code to +execute on your system. This is from its "plugins" and "scripts" features. Plugins and scripts have +full access to the user account which runs Composer. For this reason, it is strongly advised to +**avoid running Composer as super-user/root**. -In some cases, like in CI systems or such where you want to install dependencies blindly, the safest -way to do it is to run `composer install --no-plugins --no-scripts`. This basically disables plugins -and scripts from executing, so that only Composer's code will run. +You can disable plugins and scripts during package installation or updates with the following +syntax so only Composer's code, and no third party code, will execute: + +```sh +composer install --no-plugins --no-scripts ... +composer update --no-plugins --no-scripts ... +``` + +The `exec` command will always run third party code as the user which runs `composer`. + +In some cases, like in CI systems or such where you want to install untrusted dependencies, the +safest way to do it is to run the above command.