[Python-Dev] 3.5 release schedule PEP

Steve Dower Steve.Dower at microsoft.com
Thu Sep 25 18:05:36 CEST 2014 

Chris Angelico wrote:
> On Thu, Sep 25, 2014 at 6:50 AM, Steve Dower <Steve.Dower at microsoft.com> wrote:
>> Donald Stufft wrote:
>>> One thing about *nix is even though you can’t write to your normal
>>> Python install location without root, invoking pip with permissions
>>> (assuming you have
>>> them) is as easy as prefacing it with ``sudo`` in most cases. Does
>>> Windows have an equivalent or do you need to launch a whole new shell?
>>
>> Unfortunately not. The "easy way" is for the executable to declare that it
> needs administrative privileges, and then the OS will take over and let you
> approve/reject/sign-in/etc. according to your settings.
> 
> When you say the executable declares this, is that a static (compile/link time)
> declaration, or a run-time one? That is, could pip defer the declaration until
> it's parsed its command line args and decided that it'll be installing into the
> system directory, but NOT make that declaration if it's given --user, or if it's
> running inside a venv, or anything else that means it doesn't need that power?
> If so, that could actually be a very powerful feature: a user without admin
> privs (or choosing not to exercise them) is still able to install into a venv,
> but if s/he forgets to activate the venv, the "hey, I want to modify system
> files" prompt will be the alarm that says the situation is not what was
> expected. That's what happens on my Linux system - I get errors back if I don't
> use sudo, but in a venv, everything works without being root.

It's a compile time option (it's specified in the manifest you can embed into an executable) but it is possible to explicitly launch a separate process with the flag. Most programs that look like they can elevate on-demand are really launching a background process to do the work - you can't change the user for a process once it's started in Windows.

This process can obviously be the same one you started with (maybe with different command line args), and the main observable difference is that you get fewer access denied errors.

So yes, pip can certainly do this, and if it's already running elevated then it shouldn't reprompt, but it's not entirely trivial to get this right ("are you denied write access to that directory because you're not admin or because it's on read-only media?") and it's considerably easier to try it, fail on access issues, but provide a flag for the user to force elevation. "pip --sudo install ..." would be fine by me :)

Cheers,
Steve
 
> ChrisA
>

More information about the Python-Dev mailing list