Safely using Composer on Centmin

jscott · Apr 16, 2019

Server Type: openvz
CentOS Version: 7.6
Centmin Mod: 123.09beta01.b126

I am working on converting a project that uses composer to Centminmod.

The problem is that composer advises you not to use it as a root user!
With good reason!

Any suggestions on how to set up a php app with composer as a non-root in Centmin? I have always just used the default setup...

Thanks
-Jscott

eva2000 · Apr 16, 2019

So you ran composer as root… – Snipe.Net

Many people run Composer as root because they misunderstand how Composer works. If you installed Composer globally, it wouldn’t be odd for you to have to install it as root – meaning the Composer binary itself.

But, and here’s the tricksy part, installing Composer is not the same thing as composer install. Installing Composer means that the Composer dependency management tool is now installed on your server, while composer install is a specific command you send to Composer to have it actually pull down those dependencies, based on the composer.lock file that was (usually) provided by whatever software you’re trying to set up. If you install Composer globally, you can use the same Composer binary to manage dependencies for many projects – but each project will have its own composer.json and composer.lock, which Composer uses to figure out what it needs to download for you.
Click to expand...

jscott · Apr 17, 2019

Sorry, I was not clear in what I am asking.

I do have composer installed globally, and it is working fine.

I question comes up when I want to use <code>composer update</code> or <code>composer upgrade</code> to update dependencies for my php application.

Currently they are ignoring the warning and running as root.

I want to remove that exploit path.

Currently, the domains public directory is owned by root and is a member of the nginx group

Should I create a user for the applications updates and add that user to the nginx group? This is kind of pushing my linux knowledge...

-Thanks
jscott

eva2000 · Apr 17, 2019

jscott said: ↑

Should I create a user for the applications updates and add that user to the nginx group?
Click to expand...

See the linked article which outlines the proper fix for running composer as a non root user which is to use non root user belonging to webserver group = nginx for centmin mod

Log in / Register

Forums

Want more timely Centmin Mod News Updates?

Safely using Composer on Centmin

jscott Member

eva2000 Administrator Staff Member

jscott Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Want more timely Centmin Mod News Updates?

Safely using Composer on Centmin

jscott Member

eva2000 Administrator Staff Member

jscott Member

eva2000 Administrator Staff Member

.