I'm using the following code to install node:
cd /usr/local/src/
wget http://nodejs.org/dist/v0.10.25/node-v0.10.25.tar.gz
tar -xvf node-v0.10.25.tar.gz
cd node-v0.10.25
./configure
make
make install
# node.js links to make sudo work right
ln -s /usr/local/bin/node /usr/bin/node
ln -s /usr/local/lib/node /usr/lib/node
ln -s /usr/local/bin/npm /usr/bin/npm
ln -s /usr/local/bin/node-waf /usr/bin/node-waf
The script requires root privileges, and I'm wondering if that opens up the possibility of any security holes, or anything like that. I want to install node so that all user can use it, but I don't want it to have any root privileges unless the user has them and explicitly uses them (via sudo). Same with installed npm packages.
It's fine, and the same as when you install stuff as root using a package manager.
The binaries are written to disk with root as the owner and sensible permissions, so that people cannot overwrite them. When a user executes the binaries they are run under his account, with his privileges on the system. (unless he runs with sudo)
For a binary to have elevated privileges when a normal user runs it without sudo it needs the SUID bit set, This needs to be set explicitly. /bin/ping is an example of that:
user@dek:/bin$ ls -l /bin/ping
-rwsr-xr-x 1 root root 44168 May 7 22:51 /bin/ping
As Ignacio points out you could run most of the script unprivileged, up until 'make install' but you would have to fix the binaries owners afterwards (chown root:root ) as they would be owned by your user account who compiled (created) them.
If you've verified that the tarball you've downloaded is legitimate then there should be no problem installing as root, i.e. sudo make install. Building should always be done as non-root just in case though.