[Catalog-sig] Use user-specific site-packages by default?

Lennart Regebro regebro at gmail.com
Tue Feb 5 09:02:50 CET 2013


On Tue, Feb 5, 2013 at 8:42 AM, M.-A. Lemburg <mal at egenix.com> wrote:
> On 05.02.2013 02:36, Nick Coghlan wrote:
>> Something that caught my attention in the recent security discussions
>> is the observation that one of the most common insecure practices in
>> the Python community is to run "sudo pip" with unsigned packages
>> (sometimes on untrusted networks).
>>
>> To my mind, this is a natural reaction to the user experience of pip:
>> you run "pip install package", it complains it can't write to the
>> system site packages directory, so you run "sudo pip install package"
>> to give it the permissions it clearly wants.
>>
>> If pip used the user site packages by default (when running as anyone
>> other than root), that dangerous UI flow wouldn't happen. Even when
>> pip was run outside a virtualenv, it would "just work" from the user's
>> perspective. It also has the advantage of keeping systems cleaner by
>> default, since there will be a clear separation between system
>> packages and pip-installed packages.
>>
>> Thoughts?
>
> -1. You'd be hiding a real problem by not telling the user that
> there's a permission problem to think about.

One problem is that the user is trying to install some random package
to the system python. This is only likely to happen on a personal
machine (I do hope sysadmins have more sense than that) and installing
it to user site packages will then still make it available for all
python software that uses the system python that runs under that user.
And that's probably quite a lot. Hence security issues remain, in that
this package can get picked up by other python software running, and
on Linux systems, that's quite a lot. :-)

But, it's still a lot better than running it as sudo, in which case
the setup.py file could simply decide to install a rootkit.

That said, I think it would be better to explain to the user what
happens. I could imagine that if you try to install where you don't
have the right, it asks if you meant to install it to the user site
packages or to a virtualenv, for example?

//Lennart
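One way to implement the prompt Lennart sketches, as an added example that is not part of this thread or of pip itself: a small policy function that, instead of failing with a permission error that invites "sudo", works out whether the target is a virtualenv, a root install, a writable system directory, or the user site-packages, and states the consequence Lennart notes (every Python program running as that user will see the package). The directory values and the helper names are assumptions.

```python
"""Decide where a package should go instead of silently wanting 'sudo'."""
import os
import site
import sys
import sysconfig


def choose_install_target(system_dir, user_dir, is_root, in_virtualenv, can_write):
    """Return (target, explanation); target is 'venv', 'system', 'user' or 'ask'.

    can_write(path) reports whether the current user may write to path; it is
    injected so the policy can be exercised with constructed values.
    """
    if in_virtualenv:
        return "venv", f"Installing into the active virtualenv at {system_dir}."
    if is_root:
        # Root can write anywhere; this is exactly the case where an unsigned
        # package's setup.py runs with full privileges, so say so explicitly.
        return "system", (f"Running as root: installing into {system_dir}. "
                          "This package's setup.py will run with root rights.")
    if can_write(system_dir):
        return "system", f"Installing into writable site-packages {system_dir}."
    # Not root and the system site-packages is not writable: rather than
    # suggesting a re-run with sudo, explain the two safer alternatives.
    return "ask", (
        f"No permission to write to {system_dir}.\n"
        f"Install to your user site-packages ({user_dir}) instead?\n"
        "Note: every Python program running as your user will then see it.\n"
        "Alternatively, create a virtualenv and install there.")


def decide_for_current_interpreter():
    """Gather the real values for this interpreter and apply the policy."""
    system_dir = sysconfig.get_path("purelib")      # venv dir when inside one
    user_dir = site.getusersitepackages()
    is_root = hasattr(os, "geteuid") and os.geteuid() == 0
    in_venv = sys.prefix != getattr(sys, "base_prefix", sys.prefix)
    return choose_install_target(system_dir, user_dir, is_root, in_venv,
                                 lambda path: os.access(path, os.W_OK))


if __name__ == "__main__":
    target, why = decide_for_current_interpreter()
    print(target)
    print(why)
```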
