composer: don't execute anything with an active `sudo session`
It's common that an update of composer happens with sudo, as composer is installed in a place which is only changeable with higher privileges.
It's not uncommon that a self-update is made directly before an install/update command. To avoid easy privilege escalation in case of an evil attack (like a worm spreading through the composer ecosystem) we should add a check for an active sudo session, and block further execution if found.
Such malware could spread silently as sudo allows `sudo -n true`, which allows for testing for an active session without triggering the typical interactive password input.
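The guard proposed in the issue, written out in POSIX shell as an added illustration. This is not Composer's own code and not what the linked commits implement (those add a root warning with an override, not a hard block); the override variable name `COMPOSER_ALLOW_SUPERUSER` is borrowed from the commit titles, the script name `superuser-guard.sh` is an assumption, and the policy is kept in a pure function (`superuser_verdict`) so it can be exercised without a real sudo timestamp:

```shell
#!/bin/sh
# Added example, not Composer code: refuse to run a package-manager command
# when the caller is root or holds a cached sudo session, unless explicitly
# overridden via COMPOSER_ALLOW_SUPERUSER (name taken from the issue's commits).

# Pure policy decision. Args: effective uid, "yes"/"no" for a cached sudo
# session, and the override variable's value. Prints one verdict token and
# returns 0 (continue) or 1 (block).
superuser_verdict() {
    uid="$1"; sudo_cached="$2"; allow="$3"
    if [ -n "$allow" ]; then
        echo "allowed-by-override"; return 0
    fi
    if [ "$uid" -eq 0 ]; then
        echo "blocked-root"; return 1
    fi
    if [ "$sudo_cached" = "yes" ]; then
        echo "blocked-sudo-session"; return 1
    fi
    echo "ok"; return 0
}

# Probe for password-less sudo the same way the issue says malware would:
# `sudo -n` never prompts, it just fails when a password would be required.
# A missing sudo binary is treated as "no session". Note that this also
# answers "yes" for NOPASSWD sudoers rules, not only for a cached timestamp.
sudo_session_cached() {
    command -v sudo >/dev/null 2>&1 || { echo no; return; }
    if sudo -n true >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Glue: gather the live facts and apply the policy. Returns 1 when blocked.
check_superuser() {
    verdict="$(superuser_verdict "$(id -u)" "$(sudo_session_cached)" "${COMPOSER_ALLOW_SUPERUSER:-}")"
    case "$verdict" in
        ok|allowed-by-override) return 0 ;;
        *)
            echo "refusing to continue: $verdict (set COMPOSER_ALLOW_SUPERUSER=1 to override)" >&2
            return 1 ;;
    esac
}

# Run the guard only when executed directly; sourcing just defines the functions.
case "$0" in
    *superuser-guard.sh) check_superuser || exit 1 ;;
esac
```

To see the block trigger, run `sudo -v` (which caches credentials) and then `sh superuser-guard.sh`; `sudo -K` drops the cached timestamp again. Because `sudo -n true` succeeds under NOPASSWD rules as well, the probe really detects "sudo available without a prompt", which is exactly the condition an attacker would exploit, so treating it as a block is the conservative choice.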
About this issue
- State: closed
- Created 8 years ago
- Reactions: 2
- Comments: 25 (25 by maintainers)
Commits related to this issue
- Add COMPOSER_DISABLE_ROOT_WARN env var and skip root warning on self-update command as well, refs #5119 — committed to composer/composer by Seldaek 8 years ago
- Rename COMPOSER_DISABLE_ROOT_WARN to COMPOSER_ALLOW_SUPERUSER, refs #5119 — committed to composer/composer by Seldaek 8 years ago
Thanks @Seldaek for the quick move, seems like a fair compromise to me. Moral of the story, think about it twice before arguing with @curry684
At least I documented it. But yeah, it's kinda ALLOW_SUDO as well as allowing root though? Naming is hard. Discuss.
Renamed to COMPOSER_ALLOW_SUPERUSER