What are the risks of running 'sudo pip'?
When you run pip with sudo, you run setup.py with sudo. In other words, you run arbitrary Python code from the Internet as root. If someone puts up a malicious project on PyPI and you install it, you give an attacker root access to your machine. Prior to some recent fixes to pip and PyPI, an attacker could also run a man in the middle attack to inject their code when you download a trustworthy project.
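The point of the answer above is that installation is code execution: an installer has to run setup.py to learn a source distribution's metadata, and whatever sits at module level in that file runs with the installer's privileges. The following is an added example, not code from the post. It lays out a constructed, harmless sdist whose setup.py records the effective uid of the process that ran it, runs that file the way an installer would (asking only for the version), and also shows the static pre-install check a practitioner can do first: parse setup.py with `ast` and flag imports and module-level statements that execute before `setup()` is even reached. The package name `demo_pkg`, the marker file and the `SUSPICIOUS_MODULES` list are assumptions for the demo.

```python
import ast
import os
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed setup.py for the demo. The side effect sits at module level,
# so it runs the moment an installer executes the file, before setup() is
# ever called and regardless of whether setuptools is installed.
DEMO_SETUP_PY = '''\
import os
import pathlib
# install-time side effect: record the effective uid (it would be 0 under sudo pip)
pathlib.Path("ran_as_uid.txt").write_text(str(os.geteuid()))
try:
    from setuptools import setup
    setup(name="demo_pkg", version="0.0.1")
except ImportError:
    pass
'''

# Imports in a setup.py that deserve a look before you run it (demo list, not exhaustive).
SUSPICIOUS_MODULES = {"os", "subprocess", "socket", "urllib", "ctypes", "shutil", "pathlib", "base64"}


def build_sdist(tmpdir: Path) -> Path:
    """Lay out a minimal source tree the way an unpacked sdist looks."""
    pkg = tmpdir / "demo_pkg-0.0.1"
    pkg.mkdir()
    (pkg / "setup.py").write_text(DEMO_SETUP_PY)
    return pkg


def run_setup_py(pkg: Path) -> int:
    """Execute setup.py as an installer would (here only to ask for metadata)
    and return the uid that the module-level side effect recorded."""
    subprocess.run([sys.executable, "setup.py", "--version"], cwd=pkg,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
    return int((pkg / "ran_as_uid.txt").read_text())


def scan_setup_py(path: Path) -> list:
    """Static pre-install check: return (line, reason) findings without executing the file."""
    tree = ast.parse(path.read_text(), filename=str(path))
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in SUSPICIOUS_MODULES:
                    findings.append((node.lineno, f"imports {alias.name}"))
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in SUSPICIOUS_MODULES:
                findings.append((node.lineno, f"imports from {node.module}"))
        elif isinstance(node, ast.Call) and getattr(node.func, "id", None) == "setup":
            for kw in node.keywords:
                if kw.arg == "cmdclass":  # custom install/build commands also run at install time
                    findings.append((node.lineno, "setup() overrides commands via cmdclass"))
    # Anything at module level other than imports and the setup() call itself
    # executes on import, i.e. as soon as the installer looks at the file.
    for stmt in tree.body:
        if isinstance(stmt, (ast.Import, ast.ImportFrom)):
            continue
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call) \
                and getattr(stmt.value.func, "id", None) == "setup":
            continue
        findings.append((stmt.lineno, f"module-level {type(stmt).__name__} runs at install time"))
    return sorted(findings)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        pkg = build_sdist(Path(d))
        findings = scan_setup_py(pkg / "setup.py")   # look first ...
        uid = run_setup_py(pkg)                       # ... then see that running it has effects
        return {"findings": findings,
                "recorded_uid": uid,
                "ran_as_current_user": uid == os.geteuid()}


if __name__ == "__main__":
    for line, reason in demo()["findings"]:
        print(f"setup.py:{line}: {reason}")
```

Run as yourself, the marker file holds your uid; under `sudo pip` the same line would have executed as uid 0. The scanner is a heuristic, not a guarantee: obfuscated code or a compromised build backend will not show up in an `ast` walk, which is why the only robust mitigation is not to give the installer root in the first place.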
sudo pip: why, why not and alternatives
Unless you want or have to install a binary, service or dependency globally, you would not want to use sudo pip. As you surmise correctly, it installs your dependency globally, and this may cause inconsistencies while developing.
The more conventional thing to do nowadays is to use a virtualenv with which to install your dependencies. This way, anything you do with installation is local to that specific virtualenv instance of Python.
sudo pip install VS pip install --user
$ sudo pip install
Installs the package globally in your python installation, i.e. for all users.
$ pip install --user
Installs to the local user directory, i.e. ~/.local/lib/python -- just you.
Example:
$ sudo pip install jupyter
$ jupyter notebook
Will run jupyter, open a web browser, allow you to work with notebooks.
$ pip install --user jupyter
$ jupyter notebook
Will do nothing until your local directory has been added to your PATH.
There was recently malicious code included in pypi. Never use sudo to install with pip. This is the same as running a virus as root. Either add your local folder to your PATH or use a virtualenv.
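The "will do nothing until your local directory has been added to your PATH" step above is the one people trip over, because the per-user scripts directory differs by platform (`~/.local/bin` on Linux, `~/Library/Python/3.x/bin` on macOS). Here is an added example, not from the answer, that asks `sysconfig` for the directory `pip install --user` uses for console scripts and checks whether it is actually on a PATH string, with trailing slashes and `~` normalised so a near-miss entry is not mistaken for a match. The sample PATH strings in the usage are constructed for the demo; the `export` hint assumes a POSIX shell.

```python
import os
import sysconfig


def user_scripts_dir() -> str:
    """Directory where `pip install --user` places console scripts such as `jupyter`."""
    scheme = "nt_user" if os.name == "nt" else "posix_user"
    return sysconfig.get_path("scripts", scheme)


def is_on_path(directory: str, path_env: str) -> bool:
    """True if `directory` is one of the entries of a PATH-style string.

    Entries are compared after expanding `~` and normalising the path, so
    "/home/u/.local/bin/" and "~/.local/bin" both count as the same entry.
    """
    wanted = os.path.normpath(os.path.expanduser(directory))
    return any(os.path.normpath(os.path.expanduser(p)) == wanted
               for p in path_env.split(os.pathsep) if p)


def fix_hint(directory: str) -> str:
    """Shell line to prepend the directory to PATH (POSIX shells; demo assumption)."""
    return f'export PATH="{directory}:$PATH"'


def check_user_bin(path_env: str = None) -> dict:
    """Report whether the --user scripts dir is on PATH, with a hint if it is not.

    `path_env` defaults to the live PATH; pass a string to check a hypothetical one.
    """
    directory = user_scripts_dir()
    env = os.environ.get("PATH", "") if path_env is None else path_env
    on_path = is_on_path(directory, env)
    return {"scripts_dir": directory,
            "on_path": on_path,
            "hint": None if on_path else fix_hint(directory)}


if __name__ == "__main__":
    report = check_user_bin()
    print(f"{report['scripts_dir']} on PATH: {report['on_path']}")
    if report["hint"]:
        print("add to your shell profile:", report["hint"])
```

After `pip install --user jupyter`, a `False` here is exactly the "does nothing" symptom in the answer: the entry point was installed, the shell just cannot find it. `PYTHONUSERBASE` is honoured by `sysconfig`, so the function reports the right directory when the user base has been relocated.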
What is the difference between pip install and sudo pip install?
pip install will run pip install as the current user.
sudo pip install will run pip install with the security privileges of another user, root for example.
You normally need to use sudo to install a package on a system.
You may want to read linux-101-introduction-to-sudo
Getting Permission Denied when running pip as root on my Mac
Use a virtual environment:
$ virtualenv myenv
.. some output ..
$ source myenv/bin/activate
(myenv) $ pip install what-i-want
You only use sudo or elevated permissions when you want to install stuff for the global, system-wide Python installation.
It is best to use a virtual environment which isolates packages for you. That way you can play around without polluting the global python install.
As a bonus, virtualenv does not need elevated permissions.
What is most secure way to use `pip` to maintain Python packages?
You probably want to look at using a virtualenv. To quote the docs:
Virtualenv is a tool to create isolated Python environments. The basic problem
being addressed is one of dependencies and versions, and indirectly
permissions.
Virtualenv will create a folder with an isolated copy of python, an isolated pip and an isolated site-packages. You're thinking that this is the same as option 3 because you're taking that advice you linked at face value and not reading into it:
If you give yourself write privilege to the system site-packages,
you're risking that any program that runs under you (not necessarily
python program) can inject malicious code into the system
site-packages and obtain root privilege.
The problem is not with having access to site-packages (you have to have privileges for site-packages to be able to do anything). The problem is with having access to the system site-packages. A virtual environment's site-packages does not expose root privileges to malicious code the same as the one that your entire system is using.
However, I see nothing wrong with using sudo pip for well known and familiar packages. At the end of the day, it's like installing any other program, even non-python. If you go to its website and it looks honest and you trust it, there's no reason not to sudo.
Moreover, pip is pretty safe - it uses https for pypi and if you --allow-external it will download packages from third-party, but will still keep checksums on pypi and compare them. For third-party with no checksum you need to explicitly call --allow-unverified which is the only option considered unsafe.
As a personal note, I can add that I use sudo pip most of the time, but as a WEB developer virtualenv is kind of a day-to-day thing, and I can recommend using it as well (especially if you see anything sketchy but you still want to try it out).
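The checksum comparison the answer above relies on is worth seeing in code. The `--allow-external` and `--allow-unverified` flags it mentions no longer exist in pip; what current pip offers instead is hash pinning, where a requirements line carries one or more `--hash=sha256:...` values and `--require-hashes` refuses anything that is unpinned or does not match. The following is an added example, not code from the post or from pip, that implements that check: parse a pinned requirement line, hash the downloaded bytes, and accept only when a pin with an accepted algorithm matches. Two pins on one line is the normal case (one for the sdist, one for the wheel). All artifact bytes and the `demo-pkg` requirement are constructed for the demo, not real PyPI data.

```python
import hashlib
import re

REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)(?P<rest>.*)$")
HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)")
ACCEPTED_ALGOS = {"sha256", "sha384", "sha512"}   # the algorithms pip accepts for --hash

# Constructed stand-ins for a downloaded sdist and a wheel of the same release.
ARTIFACT = b"demo-pkg 1.0 source distribution (constructed bytes, not real PyPI data)"
WHEEL = b"demo-pkg 1.0 wheel (constructed bytes, not real PyPI data)"
PINNED_LINE = (
    "demo-pkg==1.0 "
    f"--hash=sha256:{hashlib.sha256(ARTIFACT).hexdigest()} "
    f"--hash=sha256:{hashlib.sha256(WHEEL).hexdigest()}"
)
UNPINNED_LINE = "demo-pkg==1.0"


def parse_requirement(line: str) -> dict:
    """Split 'name==version --hash=algo:digest ...' into its parts."""
    m = REQ_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a pinned requirement: {line!r}")
    hashes = [(h.group("algo"), h.group("digest").lower())
              for h in HASH_RE.finditer(m.group("rest"))]
    return {"name": m.group("name"), "version": m.group("version"), "hashes": hashes}


def verify_artifact(data: bytes, req: dict) -> bool:
    """Accept the bytes only if some pin uses an accepted algorithm and matches.

    Mirrors --require-hashes: no pins at all is a failure, not a pass, and a
    pin with a weak or unknown algorithm is ignored rather than trusted.
    """
    if not req["hashes"]:
        return False
    for algo, digest in req["hashes"]:
        if algo not in ACCEPTED_ALGOS:
            continue
        if hashlib.new(algo, data).hexdigest() == digest:
            return True
    return False


def demo() -> dict:
    pinned = parse_requirement(PINNED_LINE)
    unpinned = parse_requirement(UNPINNED_LINE)
    # what a man in the middle or a replaced upload would look like
    tampered = ARTIFACT + b"\n# appended by someone between you and the index"
    weak = parse_requirement(f"demo-pkg==1.0 --hash=sha1:{hashlib.sha1(ARTIFACT).hexdigest()}")
    return {
        "sdist_ok": verify_artifact(ARTIFACT, pinned),
        "wheel_ok": verify_artifact(WHEEL, pinned),
        "tampered_rejected": not verify_artifact(tampered, pinned),
        "unpinned_rejected": not verify_artifact(ARTIFACT, unpinned),
        "weak_hash_rejected": not verify_artifact(ARTIFACT, weak),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

The pins themselves have to come from somewhere you trust (a lockfile reviewed and committed, or `pip hash` run against a known-good download); a pin copied from the same place the artifact came from only proves the download was not corrupted in transit, which is what HTTPS already gives you.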
How can I see what packages were installed using `sudo pip install`?
Any modules you installed with sudo will be owned by root, so you can open your shell/terminal, cd to the site-packages directory & check the directories' owner with ls -la, then any that has root in the owner column is the one you want to uninstall.
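The same ownership check done programmatically, as an added example that is not part of the answer: look at the system site-packages, keep the entries whose owner is uid 0, and read distribution names off the `*.dist-info` / `*.egg-info` directories so the output is something you can feed to `pip uninstall`. `demo()` builds a constructed site-packages look-alike in a temporary directory (the names `foo`, `bar` and `baz.pth` are made up); because the current user created it, the root-owned list is empty there unless you are already root, and the real list comes from `dist_names(system_site_packages())`.

```python
import os
import sysconfig
import tempfile
from pathlib import Path


def system_site_packages() -> Path:
    """The system-wide site-packages directory that `sudo pip install` writes into."""
    return Path(sysconfig.get_paths()["purelib"])


def entries_owned_by(directory: Path, uid: int) -> list:
    """Names of top-level entries in `directory` owned by `uid`.

    lstat is used on purpose: a symlink planted in site-packages is reported
    by its own owner, not by the owner of whatever it points at.
    """
    return sorted(p.name for p in Path(directory).iterdir() if os.lstat(p).st_uid == uid)


def dist_names(directory: Path, uid: int = 0) -> list:
    """Distribution names read off *.dist-info / *.egg-info entries owned by `uid`."""
    names = set()
    for entry in entries_owned_by(directory, uid):
        for suffix in (".dist-info", ".egg-info"):
            if entry.endswith(suffix):
                # "foo-1.0.dist-info" -> "foo"
                names.add(entry[: -len(suffix)].split("-")[0])
    return sorted(names)


def demo() -> dict:
    """Inspect a constructed site-packages tree created by the current user."""
    with tempfile.TemporaryDirectory() as d:
        sp = Path(d)
        for name in ("foo-1.0.dist-info", "bar-2.0.egg-info", "foo", "bar"):
            (sp / name).mkdir()
        (sp / "baz.pth").write_text("")   # a .pth file is not a distribution
        me = os.getuid()
        return {
            "current_uid_is_root": me == 0,
            "owned_by_me": dist_names(sp, me),
            "root_owned": dist_names(sp, 0),
        }


if __name__ == "__main__":
    for name in dist_names(system_site_packages()):
        print(name)   # candidates for `sudo pip uninstall`
```

Ownership is a good first filter but not proof: distribution-packaged modules (installed by apt, dnf or brew) are also root-owned, so cross-check against your package manager before removing anything, and uninstall with the same privileges that installed it.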
Install pip libraries for root user
I think you can get what you need with a virtual environment.
You need to create a virtual environment specifically for that script. You will install all the packages you will need for it with the right versions in that environment. As long as you run your script with that virtual environment active everything will be available. See the venv documentation here.
To create a virtual environment you run python3 -m venv <your_venv_path> with path being where you want to store it, e.g. ~/.venvs/my_project/
To install packages you first have to make it active and then run pip
source <your_venv_path>/bin/activate
pip install png_util
To here you would have your virtual environment ready and your package installed. If you run your script with your virtual environment active the package will be available.
Now, because your script is a daemon this is how you make sure it runs within your virtual environment. Basically the virtual environment creates a copy of Python in it and you just add to your script the instruction to use that "copy" of python. You do it by just adding #!<your_venv_path>/bin/python as the first line of your script.
That way when your script runs it does run within that virtual environment where all the packages are installed.
PS: Potentially everything could work by simply running pip as sudo because it will install the package system wide making it available for all users. But that option is highly discouraged for the security risks it creates, see this post with security risks of running sudo pip
Hope this helps!!
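The whole procedure from the answer above, carried out end to end as an added example (not the answer's own code): create a venv with the `venv` module, write a daemon-style script whose first line is the shebang pointing at that venv's interpreter, and confirm that the script really runs under the venv by having it report `sys.prefix`. The names `my_daemon_venv` and `daemon.py` are made up for the demo, and the `bin/python` layout assumes Linux or macOS. `run_script` invokes the interpreter explicitly, which is exactly what the kernel does when the shebang is honoured; `with_pip=False` keeps the demo offline and fast, so in real use you would drop that flag and `pip install` into the venv as the answer describes.

```python
import subprocess
import sys
import tempfile
import venv
from pathlib import Path

# Constructed stand-in for the daemon: all it does is report which prefix
# (i.e. which venv) it is running under.
SCRIPT_BODY = '''\
import sys
print(sys.prefix)
'''


def make_venv(path: Path) -> Path:
    """Create a venv at `path` and return its interpreter (POSIX layout assumed)."""
    venv.create(path, with_pip=False)   # demo only: skip pip so no network is needed
    return path / "bin" / "python"


def write_script(path: Path, venv_python: Path) -> Path:
    """Write the daemon script with a shebang that selects the venv interpreter."""
    path.write_text(f"#!{venv_python}\n" + SCRIPT_BODY)
    path.chmod(0o755)   # executable, so ./daemon.py works via the shebang
    return path


def run_script(script: Path, venv_python: Path) -> str:
    """Run the script the way the shebang would and return what it printed."""
    result = subprocess.run([str(venv_python), str(script)],
                            check=True, capture_output=True, text=True)
    return result.stdout.strip()


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        venv_dir = Path(d) / "my_daemon_venv"
        venv_python = make_venv(venv_dir)
        script = write_script(Path(d) / "daemon.py", venv_python)
        reported_prefix = run_script(script, venv_python)
        return {
            "shebang": script.read_text().splitlines()[0],
            "venv_has_config": (venv_dir / "pyvenv.cfg").is_file(),
            # resolve() on both sides so symlinked temp dirs (macOS /tmp) compare equal
            "runs_in_venv": Path(reported_prefix).resolve() == venv_dir.resolve(),
            "outer_prefix_differs": Path(reported_prefix).resolve() != Path(sys.prefix).resolve(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

No `source activate` is involved: activation only edits the shell's PATH, while the shebang binds the script to the interpreter directly, which is what matters for a daemon started by init or systemd with no interactive shell around it. The one limitation is that a shebang path must be absolute, so the venv cannot move after deployment without the first line being rewritten.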