What Are the Risks of Running 'Sudo Pip'

What are the risks of running 'sudo pip'?

When you run pip with sudo, you run setup.py with sudo. In other words, you run arbitrary Python code from the Internet as root. If someone puts up a malicious project on PyPI and you install it, you give an attacker root access to your machine. Prior to some recent fixes to pip and PyPI, an attacker could also run a man-in-the-middle attack to inject their code when you download a trustworthy project.

sudo pip: why, why not and alternatives

Unless you want or have to install a binary, service or dependency globally, you would not want to use sudo pip. As you surmise correctly, it installs your dependency globally, and this may cause inconsistencies while developing.

The more conventional thing to do nowadays is to use a virtualenv with which to install your dependencies. This way, anything you do with installation is local to that specific virtualenv instance of Python.

sudo pip install vs pip install --user

$ sudo pip install

Installs the package globally in your Python installation, i.e. for all users.

$ pip install --user

Installs to the local user directory, i.e. ~/.local/lib/python -- just you.

Example:

$ sudo pip install jupyter
$ jupyter notebook

Will run jupyter, open a web browser, and allow you to work with notebooks.

$ pip install --user jupyter
$ jupyter notebook

Will do nothing until your local directory has been added to your PATH.

There was recently malicious code included in PyPI. Never use sudo to install with pip. This is the same as running a virus as root. Either add your local folder to your PATH or use a virtualenv.

What is the difference between pip install and sudo pip install?

pip install

Will run pip install as the current user.

sudo pip install

Will run pip install with the security privileges of another user, root for example.

You normally need to use sudo to install a package on a system.


You may want to read linux-101-introduction-to-sudo

Getting Permission Denied when running pip as root on my Mac

Use a virtual environment:

$ virtualenv myenv
.. some output ..
$ source myenv/bin/activate
(myenv) $ pip install what-i-want

You only use sudo or elevated permissions when you want to install stuff for the global, system-wide Python installation.

It is best to use a virtual environment which isolates packages for you. That way you can play around without polluting the global Python install.

As a bonus, virtualenv does not need elevated permissions.

What is most secure way to use `pip` to maintain Python packages?

You probably want to look at using a virtualenv. To quote the docs:

Virtualenv is a tool to create isolated Python environments. The basic problem being addressed is one of dependencies and versions, and indirectly permissions.

Virtualenv will create a folder with an isolated copy of Python, an isolated pip and an isolated site-packages. You're thinking that this is the same as option 3 because you're taking that advice you linked at face value and not reading into it:

If you give yourself write privilege to the system site-packages, you're risking that any program that runs under you (not necessarily a Python program) can inject malicious code into the system site-packages and obtain root privilege.

The problem is not with having access to site-packages (you have to have privileges for site-packages to be able to do anything). The problem is with having access to the system site-packages. A virtual environment's site-packages does not expose root privileges to malicious code the same way as the one that your entire system is using.

However, I see nothing wrong with using sudo pip for well known and familiar packages. At the end of the day, it's like installing any other program, even non-python. If you go to its website and it looks honest and you trust it, there's no reason not to sudo.

Moreover, pip is pretty safe: it uses HTTPS for PyPI, and if you pass --allow-external it will download packages from third parties, but will still keep checksums on PyPI and compare them. For third-party packages with no checksum you need to explicitly pass --allow-unverified, which is the only option considered unsafe.

As a personal note, I can add that I use sudo pip most of the time, but as a web developer virtualenv is kind of a day-to-day thing, and I can recommend using it as well (especially if you see anything sketchy but you still want to try it out).

How can I see what packages were installed using `sudo pip install`?

Any modules you installed with sudo will be owned by root, so you can open your shell/terminal, cd to the site-packages directory and check the directories' owner with ls -la; any that has root in the owner column is one you want to uninstall.
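An added example (not part of the answer above) that automates the ls -la check: it walks a site-packages directory, reads each *.dist-info / *.egg-info metadata file and reports the distributions whose metadata directory is owned by root (uid 0), i.e. the candidates installed with sudo pip. The `root_uid` parameter and the `make_sample_site_packages` fixture (a constructed fake site-packages) exist only so the check can be exercised without root-owned files.

```python
import sysconfig
import tempfile
from pathlib import Path

# Added example: list installed distributions whose metadata directory is owned
# by root, the tell-tale of `sudo pip install`. Defaults to this interpreter's
# system site-packages; any list of directories may be passed instead.

def _read_metadata(info_dir):
    """Return (name, version) from dist-info METADATA or egg-info PKG-INFO."""
    name = version = None
    for fname in ("METADATA", "PKG-INFO"):
        meta = info_dir / fname
        if not meta.is_file():
            continue
        for line in meta.read_text(encoding="utf-8", errors="replace").splitlines():
            if not line.strip():
                break  # a blank line ends the header block
            if line.startswith("Name:") and name is None:
                name = line.split(":", 1)[1].strip()
            elif line.startswith("Version:") and version is None:
                version = line.split(":", 1)[1].strip()
        break
    return name or info_dir.name, version or "?"

def scan_site_packages(dirs=None):
    """Yield (name, version, path, owner_uid) for each *.dist-info / *.egg-info dir."""
    if dirs is None:
        paths = sysconfig.get_paths()
        dirs = [paths["purelib"], paths["platlib"]]
    seen = set()
    for d in dirs:
        for info in sorted(Path(d).glob("*-info")):
            if info.is_dir() and info not in seen:
                seen.add(info)
                name, version = _read_metadata(info)
                yield name, version, str(info), info.stat().st_uid

def root_owned_distributions(dirs=None, root_uid=0):
    """Distributions whose metadata dir is owned by `root_uid` (0 outside tests)."""
    return [(n, v, p) for n, v, p, uid in scan_site_packages(dirs) if uid == root_uid]

def make_sample_site_packages():
    """Constructed fixture: a fake site-packages with one dist-info owned by us."""
    tmp = Path(tempfile.mkdtemp(prefix="fake-site-packages-"))
    info = tmp / "pngutil-1.2.dist-info"
    info.mkdir()
    (info / "METADATA").write_text("Metadata-Version: 2.1\nName: pngutil\nVersion: 1.2\n\nlong text\n")
    return str(tmp), str(info), info.stat().st_uid
```

On a real system, call root_owned_distributions() with no arguments; every entry it returns is a candidate for pip uninstall (or for reinstalling inside a virtualenv).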

Install pip libraries for root user

I think you can get what you need with a virtual environment.

You need to create a virtual environment specifically for that script. You will install all the packages you will need for it with the right versions in that environment. As long as you run your script with that virtual environment active everything will be available. See the venv documentation here.

To create a virtual environment you run python3 -m venv <your_venv_path> with path being where you want to store it, e.g. ~/.venvs/my_project/

To install packages you first have to make it active and then run pip:

source <your_venv_path>/bin/activate
pip install png_util

At this point you would have your virtual environment ready and your package installed. If you run your script with your virtual environment active the package will be available.

Now, because your script is a daemon, this is how you make sure it runs within your virtual environment. Basically the virtual environment creates a copy of Python, and you just add to your script the instruction to use that "copy" of Python. You do it by just adding #!<your_venv_path>/bin/python as the first line of your script.

That way when your script runs it does run within that virtual environment where all the packages are installed.

PS: Potentially everything could work by simply running pip as sudo because it will install the package system wide, making it available for all users. But that option is highly discouraged for the security risks it creates; see this post on the security risks of running sudo pip.

Hope this helps!!
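An added example (not part of the answer above) that carries the procedure through end to end without sudo: it creates a venv, writes a daemon script whose first line is the `#!<your_venv_path>/bin/python` shebang the answer describes, runs it and checks that the script really executes inside that venv. The names `my_project` and `mydaemon.py` are hypothetical stand-ins for the reader's own paths, the script body is constructed, and the venv is built without pip so the example needs no network.

```python
import os
import shutil
import subprocess
import tempfile
import venv
from pathlib import Path

# Added example: a venv built as an ordinary user, a daemon script that selects
# the venv interpreter via its shebang, and checks that it really runs in there.

SCRIPT_BODY = "import sys, sysconfig\nprint(sys.prefix)\nprint(sysconfig.get_paths()['purelib'])\n"

def create_venv(path):
    """Build a venv (without pip, so it needs no network) and return its python."""
    venv.EnvBuilder(with_pip=False, symlinks=(os.name != "nt")).create(str(path))
    return Path(path) / "bin" / "python"

def write_daemon_script(script_path, venv_python):
    """First line `#!<your_venv_path>/bin/python`, exactly as the answer describes."""
    Path(script_path).write_text(f"#!{venv_python}\n{SCRIPT_BODY}", encoding="utf-8")
    os.chmod(script_path, 0o755)

def run_via_shebang(script_path):
    """Launch the script with the interpreter named in its shebang (what the kernel does)."""
    with open(script_path, encoding="utf-8") as fh:
        interpreter = fh.readline()[2:].strip()
    proc = subprocess.run([interpreter, str(script_path)], check=True,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()

def check_venv_isolation():
    """Return the checks a practitioner wants before deploying the daemon."""
    base = Path(tempfile.mkdtemp(prefix="venv-daemon-"))
    try:
        venv_dir = base / "my_project"     # stands in for ~/.venvs/my_project/
        script = base / "mydaemon.py"      # hypothetical daemon script
        write_daemon_script(script, create_venv(venv_dir))
        prefix, purelib = run_via_shebang(script)
        venv_real = str(venv_dir.resolve())
        return {
            "runs_in_venv": str(Path(prefix).resolve()) == venv_real,
            "site_packages_inside_venv": str(Path(purelib).resolve()).startswith(venv_real + os.sep),
            "no_root_needed": os.stat(purelib).st_uid == os.getuid(),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)

if __name__ == "__main__":
    for check, ok in check_venv_isolation().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```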
