Serious bug (overwrites all /usr/bin permissions) with the Debian-based install script

For years I've successfully installed Node-RED on 50+ rpi zeros via the Debian-based install script at Running on Raspberry Pi : Node-RED. However the latest script appears to have a bug where during the install process files under /usr/bin/* ownership is completely overwritten with current user ("pi") which disables sudo and su. I've replicated the issue several times today with a fresh Raspberry Pi OS Lite image with only Node-RED as the only install via script after first boot.

Install command: bash <(curl -sL https://raw.githubusercontent.com/node-red/linux-installers/master/deb/update-nodejs-and-nodered) --node16

Log file:
OLD nodejs 0 :
NEW nodejs 16 :

Started : Thu 14 Oct 16:43:00 PDT 2021
Running for user pi at /home/pi
Failed to stop nodered.service: Unit nodered.service not loaded.
Found global nodes: :

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Reading package lists...
Building dependency tree...
Reading state information...
Package 'nodered' is not installed, so not removed
The following package was automatically installed and is no longer required:
python-colorzero
Use 'sudo apt autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Reading package lists...
Building dependency tree...
Reading state information...
Package 'nodejs-legacy' is not installed, so not removed
Package 'nodejs' is not installed, so not removed
Package 'npm' is not installed, so not removed
The following package was automatically installed and is no longer required:
python-colorzero
Use 'sudo apt autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Versions: node:v16.9.1 npm:7.21.1
npm WARN using --force Recommended protections disabled.
Now install Node-RED

added 294 packages in 9m

Terminal:
Running Node-RED install for user pi at /home/pi on raspbian

This can take 20-30 minutes on the slower Pi versions - please wait.

Stop Node-RED
Remove old version of Node-RED
Remove old version of Node.js
Install Node.js for Armv6 v16.9.1 Npm 7.21.1
Clean npm cache
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
Install Node-RED core
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
Move global nodes to local -
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
Npm rebuild existing nodes ✘
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
Install extra Pi nodes ✘
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
Add shortcut commands
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
Update systemd script ✘
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

All done.
You can now start Node-RED with the command node-red-start
or using the icon under Menu / Programming / Node-RED
Then point your browser to localhost:1880 or http://{your_pi_ip-address}:1880

sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
pi@zero8:~ $

What version of the OS is that, and which iso? Are you doing anything to do with users after install?

The latest Raspberry Pi OS Lite image which currently is:

• Release date: May 7th 2021
• Kernel version: 5.10

The image is not customized and after first boot I manually run the Node-RED install script.

I've also tried to upgrade Node-RED on other rpi's that have been up for awhile (various Node-RED versions) and I'm running into the same issue, ownership for files under /usr/bin/* is modified from root user to pi user during the upgrade which kills sudo and su. It appears to be a new bug, because I've successfully installed and upgraded Node-RED countless times before via the same install script.

It appears to be the install of nodejs that does it. Do you get the same problem if you go for 12 or 14?

Good idea, I'll try installing nodejs 12 or 14.

I think that bit must have changed recently, I didn't know there "was* a 16 available for the zero.

I've been running node 16.6.1 on my pi zero w's,
I have a script to install it for them: GitHub - HaroldPetersInskipp/Raspberry-Pi-Scripts: Scripts for use with raspberry pi devices

update: --node14 option installed without any issue. It appears --node16 on an armv6 (pi zero) will kill sudo and hose the system.

nodejs has not been officially supported on armv6 starting with v12, however Node-RED install script is aware of this and has been installing the unofficial binaries for v12 and newer.

I parsed the script https://raw.githubusercontent.com/node-red/linux-installers/master/deb/update-nodejs-and-nodered briefly, but I could not find an obvious red flag that's related v16.

maybe the issue is related to npm 7.21.1 during the "Clean npm cache"?

I think we may need to wait for one of the developers to see this.

have you tried just installing the node16 manually (on a clean pi) - does that work ok ?
If so did you then try the sudo npm cache clean --force you mention to see if that does indeed break it ?

I have pushed a change that updates the script to pull the latest levels so maybe it was a bug that they have fixed.. or maybe not...

Unfortunately the lastest levels of nodejs (16.11.1) is still causing issues with /usr/bin/* that kills sudo.

Next I'll reset the permissions on /usr/bin/* and try to manually run sudo npm cache clean --force.

Upgrade from nodejs 14 to 16:
Running Node-RED install for user pi at /home/pi on raspbian

This can take 20-30 minutes on the slower Pi versions - please wait.

Stop Node-RED
Remove old version of Node-RED
Remove old version of Node.js v14.17.6
Install Node.js for Armv6 v16.11.1 Npm 8.0.0
Clean npm cache
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
Install Node-RED core
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
Move global nodes to local -
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
Npm rebuild existing nodes ✘
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
Install extra Pi nodes ✘
...truncated...

Current version:
npm -v
8.0.0
node -v
v16.11.1

Update: After resetting /usr/bin/* permission, I successfully ran sudo npm cache clean --force without any change to the sudo.

However when I manually ran the next sudo cmd in the script sudo npm i -g --unsafe-perm --no-progress --no-update-notifier --no-audit --no-fund node-red@"$NODERED_VERSION_SELECTION" sudo owner was changed from user "root" to user "pi" which disabled sudo.

Terminal output:
pi@zero8:/tmp/usr $ sudo npm i -g --unsafe-perm --no-progress --no-update-notifier --no-audit --no-fund node-red@"$NODERED_VERSION_SELECTION"

changed 294 packages in 11m
pi@zero8:/tmp/usr $ sudo ls
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

Any chance you can go back to the good state and then redo that command but without the —unsafe-perm flag ?

Unfortunately removal of --unsafe-perm did not help.

Terminal output:
pi@zero8:~ $ npm -v
8.0.0
pi@zero8:~ $ node -v
v16.11.1
pi@zero8:~ $ sudo ls
pi@zero8:~ $ sudo npm i -g --no-progress --no-update-notifier --no-audit --no-fund node-red@"$NODERED_VERSION_SELECTION"

changed 294 packages in 8m
pi@zero8:~ $ sudo ls
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

so it looks like npm is somehow seriously messed up - not sure what we can do about that apart from not allowing install on node16 on arm6 (unless they fix it - which as it's not officially supported may not happen)

Thanks for your help with this issue, at this point I feel the issue is severe enough that I agree with removing the node16 option for armv6 devices.

It's disappointing that the Node.js team decided to remove official support for armv6 since the still in production tiny but clearly mighty Raspberry Pi Zero small form factor is an awesome Node-RED platform.

OK have pushed a "fix" to the script to exit if you ask for node16 on an armv6. Hopefully it may get fixed and we can reinstate it.

Has it been reported?

@HaroldPetersInskipp posted a link in post #5 that installs 16.6.1. It would be interesting to know whether that works ok for you, and whether modifying it to install the latest v16 works/fails

I pushed an updated script for installing node v16.11.1 on armv6 pi's. So far I've tested updating one of my pi zero w from an existing install of "node v16.6.1" and "node-red v2.0.5" to "node v16.11.1" via my script and then to "node-red v2.0.6" with the Debian-based install script.

The only issue I noticed was I was missing a symlink to "node-red-pi" in /usr/bin but I could still run "node-red".

The above issue could well have been my own fault though.