If Composer should be run by root, why should it be run by sudo (or sudo doesn't fit also?)

I have installed Composer this way:

curl -sS https://getcomposer.org/installer -o composer-setup.php
php composer-setup.php --install-dir=/usr/local/bin --filename=composer

For some reason composer.phar isn’t available in the directory of the curl operation, but anyway, I then ran the command composer, and got this output:

Do not run Composer as root/super user! See https://getcomposer.org/root for details

I clicked the link and read that short page but I couldn’t understand it. For example, I couldn’t understand this:

It was always discouraged to run Composer as root for the reasons detailed below.

As of Composer 2.4.2, plugins are disabled automatically when running as root and there is no sign that the user is consciously doing this. There are two ways this user consent can be given:

  • If you run interactively, Composer will prompt if you are sure that you want to continue running as root. If you run non-interactively, plugins will be disabled, unless…
  • If you set the COMPOSER_ALLOW_SUPERUSER environment variable to 1, this also indicates that you intended to run Composer as root and are accepting the risks of doing so.

If Composer developers expect me not to run Composer as root or sudoer, then how should I run it? Should I create a specific user for it which isn’t a sudoer? How does it help?

Oh and if it helps you help me in any way – I just need Composer for Drupal, nothing more besides Drupal.

There is no need to run composer as root. Run composer as the same user that your website is running under (which should not be root).

Hello kicken.

I think that this user is www-data.

So, should I just do

passwd www-data # Set a password for user www-data;
su www-data # Switch user to www-data
composer # some composer command

?

Thank you !

You don’t need to switch to www-data, you can use sudo instead

sudo -u www-data composer install

For example

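The advice in the replies above (run Composer as the account that owns the site, and use `sudo -u` to drop to it rather than running as root) can be wrapped in a small guard. This is an added example, not part of the thread or of Composer itself; the function names `owner_uid`, `composer_plan` and `safe_composer` are hypothetical, and it assumes `sudo` and `composer` are on the PATH.

```shell
#!/bin/sh
# Added example: pick the account Composer should run under for a project
# directory, based on who owns that directory, and never run it as root.

# Numeric UID that owns a path (ls -n is POSIX, so no GNU/BSD stat differences).
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# composer_plan CALLER_UID PROJECT_DIR
# Prints "direct" (caller already owns the tree), "drop:<uid>" (root caller,
# re-run as the non-root owner) or "refuse" (anything else).
composer_plan() {
    caller=$1
    owner=$(owner_uid "$2" 2>/dev/null)
    [ -n "$owner" ] || return 2          # directory missing or unreadable
    if [ "$owner" = 0 ]; then
        echo refuse                      # root-owned tree: fix ownership first
    elif [ "$caller" = "$owner" ]; then
        echo direct
    elif [ "$caller" = 0 ]; then
        echo "drop:$owner"
    else
        echo refuse                      # some other unprivileged user
    fi
}

# safe_composer PROJECT_DIR [composer args...]
safe_composer() {
    dir=$1; shift
    plan=$(composer_plan "$(id -u)" "$dir") || return 2
    case $plan in
        direct) (cd "$dir" && composer "$@") ;;
        drop:*) # sudo accepts a numeric UID written as '#uid'
                (cd "$dir" && sudo -u "#${plan#drop:}" composer "$@") ;;
        *)      echo "refusing: $dir is not owned by a usable non-root user" >&2
                return 1 ;;
    esac
}
```

Called as `safe_composer /path/to/site install` from a root shell, it runs Composer as the directory's owner (for example www-data), so package scripts and plugins never execute with root privileges.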

Running Composer as the root user is generally not recommended as it may introduce security risks. Instead, you should run Composer using regular user privileges. However, some commands within Composer may require elevated permissions, and at the same time you can use “sudo” for these specific tasks, without running the full Composer process as the root user. This approach ensures better security while allowing necessary operations to be performed with elevated privileges when needed.

I am not a Linux expert but in my learning I often see articles saying to not use root. Such as in security - Why is it bad to log in as root? - Ask Ubuntu. The experts (seem) to say do not use root. They say use sudo instead, when it is needed and only when it is needed.

Therefore it is important to understand that you must avoid using root and sudo when it is not necessary. Principle of least privilege - Wikipedia might help.

That’s not the topic of this discussion so I will only say that I have used root in various operating systems for about 30 years and generally didn’t have any problem besides a corrupted web browser in Windows once.
If the root account itself is protected by a strong standard keypair AND a password and is used only for standard, well documented and well criticized operations, then in my opinion there shouldn’t be a problem.
I do not use root if a specific application issues a warning about using it as root. For example, I don’t use Composer (PHP dependency manager) as root.

Running Composer as root is on-topic. If you know of an article from an expert suggesting use of root in the manner you do then that might help.

Oh I thought your comment was general.

Now then, I run Composer only not as root, i.e. not via root or sudo.

The user profile I use for Composer is www-data.
