Login/Register
What are the risks of running 'sudo pip'?
Asked Answered
Solved pythonsecuritypipsudo
P

5

116

Occasionally I run into comments or responses that state emphatically that running pip under sudo is "wrong" or "bad", but there are cases (including the way I have a bunch of tools set up) where it is either much simpler, or even necessary to run it that way.

What are the risks associated with running pip under sudo?

Note that this is not the same question as Is it acceptable and safe to run pip install under sudo?, which, despite the title, provides no information about risks. This also isn't a question about how to avoid using sudo, but about specifically why one would want to.

Polarization answered 10/1, 2014 at 22:45 Comment(0)
R
119

When you run pip with sudo, you run setup.py with sudo. In other words, you run arbitrary Python code from the Internet as root. If someone puts up a malicious project on PyPI and you install it, you give an attacker root access to your machine. Prior to some recent fixes to pip and PyPI, an attacker could also run a man in the middle attack to inject their code when you download a trustworthy project.

Ruralize answered 10/1, 2014 at 22:56 Comment(13)
Does the threat apply only during pip or for any subsequent run of what it installed?Polarization
@raxacoricofallapatorius The installed code will only have root privileges when run as root, not always. But it's still code from the Internet, if it's malicious it might also do evil things at run time.Ruralize
But that will be true whether I sudo or not when I pip, right? Once it's installed, we're all at risk, no matter how it got there?Polarization
@raxacoricofallapatorius Yes.Ruralize
So the risk is at instal time (as you say in the answer, I'm just confirming) and if I could avoid that I'd be safe (or at least not exposed to su damage during install). Can I accomplish that by simply giving myself write permissions where (and as) pip needs them, and then running pip as me?Polarization
@raxacoricofallapatorius This is getting into territory I'm uncomfortable to answer, not because I don't have any idea (I have a hunch and can give reasons for it) but because it's notoriously hard to predict how seemingly small changes like these affect overall security. In addition, it's usually extremely simple to avoid not only sudo but also these permission issues by installing the packages somewhere else (e.g. in an virtualenv). Doing so may even be better and more reliable even when ignoring all security concerns.Ruralize
@raxacoricofallapatorius Depending on the exact write permissions and directory layout, I fear that more sophisticated malware would overwrite other, more trusted code, such as code used by system utilities routinely run as root.Ruralize
I think this might morph into a follow-on question (I think I pretty much have my answer to the question asked here), but why would giving myself write permission to site-packages and other directories used by pip installs be any different than putting things in a new folder with such permissions? It seems like that's as secure as I can expect to get, isn't it.Polarization
@raxacoricofallapatorius (…) but why would giving myself write permission to site-packages (…)sudo pip does not give you write permissions to specific directories like site-packages only but to all directories in the system.Puck
So does that mean that giving yourself write permission to site-packages is the recommended alternative? Elsewhere I see that a soluiton to install under another user. Is there one recommended best way to run pip without using sudo? That would be most pythonic.Duckbill
@Duckbill My latest memo says the recommended way is to set up a virtualenv. The virtualenv will have a site-packages directory that belongs to some ordinary user.Ruralize
This answer is bizarre. Of course, when you run something with sudo you give it root privileges; that's the whole point of sudo, and certainly not specific to pip.Passant
@Passant It's saying, what's different about pip is that it runs the setup.py of the packages you're installing. Now, other software sources are going to run their own code, like APT packages have post-installation scripts for example, but what's different about PyPI is that it's one big repo that anyone can upload to, which allows attacks like typo-squatting and dependency confusion.Cracy
P
27

Besides obvious security risks (which I think are in fact low when you install software you know) mentioned in other answers, there is another reason. Python that comes with the system is part of this system and when you want to manage the system you use tools designated for system maintenance like package managers in the case of installing/upgrading/uninstalling software. When you start to modify system software with third party tools (pip in this instance) then you have no guarantee about the state of your system. Yet another reason is that sudo can bring you problems you wouldn't have a chance or have a very small chance to have otherwise. See for example Mismatch between sys.executable and sys.version in Python

Distros are aware of this problem and try to mitigate it. For example Fedora – Making sudo pip safe and Debian – dist-packages instead of site-packages.

Puck answered 19/3, 2014 at 20:17 Comment(0)
D
7

Using pip that way means you trust it to the level you allow it to make anything to your system. Not only pip, but also any code it will download and execute from sources you may not trust and that can be malicious.

And pip doesn't need all that privileges, only the write access to specific files and directories. If you can't use your system's package manager and do not want to go the virtual environment way, you may create a specific user that has write privilege to the python installation directory and use it for pip. That way you better control what can pip do and not do. And you can use sudo -u for that!

Disinterest answered 10/1, 2014 at 23:4 Comment(6)
So all I need to do is, for example, allow myself write permissions to site-packages?Polarization
@raxacoricofallapatorius not just there, as some packages also install helper scripts (like pip itself, IPython, django, pygments, ...) so you'll also need access to whichever directory they install themselves in.Windowsill
Yes and no. I'm no security expert, but I think it is better if the user running the scripts do not have write permission. Therefore I suggest rather a separate user.Disinterest
@MattDMo: Yes, that makes sense; but those cases are probably easily discovered as things fail without the appropriate permissions. If done though, isn't that the safest way to go then the worst that can happen to my system as a whole is what can happen when I run anything anyway, right? The only difference is that I could potentially ruin my Python installation as me (rather than having to be su to do it), right?Polarization
How do I create such a user, for the sole purpose of using pip (no other changes to the system, like a new home directory, etc. need)? After that I assume I just change the owner of site-packages to that user, correct?Polarization
This depends on your system. Assuming linux, you could do groupadd python; useradd -M pipuser -g python -d /tmp; passwd -l pipuser then chgrp -R python site-packages; chmod -R g+w site-packages and finally sudo --user pipuser pip install .... I do not know about Mac.Disinterest
E
3

There are a few reasons that haven't been mentioned by other users but are still important.

Lack of code review amongst pip packages

The first reason is that PyPI packages (packages that you can install via pip) are not monitored or code-reviewed like you may be used to with other package managers. There have been many cases of malicious PyPI packages being published and then downloaded by thousands of users before being removed. If you happen to download one of these malicious packages as root then you are essentially giving the malware access to your entire system. Though this isn't an every day occurrence, it is still an attack vector to be aware of. You can learn more about this by reading about the concept of least privileges.

Running pip as root interferes with system-level packages

The second, and more important reason, is that running pip with sudo or as the root user will interfere with system-level packages and can disrupt the functionality of your system. Piotr Dobrogost's answer briefly mentions the effects that package managers can have on the state of your system, but I think a more in-depth explanation will help people better understand why this practice can be harmful.

Take for example a Linux distro that ships with Python 3.6 and the Python package cryptography to perform cryptographic operations. For illustrative purposes, imagine that the cryptography package version 1.0.0 is used by the system to hash passwords and allows users to log in. If version 1.0.1 of the same package introduces a regression that the system doesn't account for and you upgrade the global cryptography package by running sudo pip3 install -U cryptography, you accidentally just broke the ability for users to log in system-wide by introducing a regression on system dependencies.

This is a contrived example and would actually be easier to track down than most, but it is certainly a possible scenario. In the real world you would most likely break something less important, but the lesson is the same. In some scenarios this example would be easier to undo because you would know exactly what you broke when everything instantly stopped working, but you could end up breaking something that is much harder to track down and you might not find out until much later when you have no recollection of what you changed.

Why would you want to run pip with sudo?

I haven't seen anyone address the final question in your post, so I'll address it here. There are a few reasons why someone would want to run pip with sudo, but they are far more rare.

The first reason that people would want to do it this way is because people are lazy and it's a fast way to force the system to install the package you need. Say that someone needs to install the coloredlogs package because they absolutely have to have their logs be colored right now and they don't know anything about having a secure system. It's often much easier for inexperienced users to add sudo to the beginning of everything when it doesn't work because "it just works" rather than learning why it didn't work the first time.

The second reason, and only legitimate reason that I can think of, is if an admin needs to patch something system-wide. Say that a vulnerability is introduced in pip version 20.0.0 and there is a hotfix that fixes the issue in version 20.0.1. The system administrator probably doesn't want to wait for the distro to patch this for them and instead wants to patch it right now to mitigate the issue. In this scenario I think it would be safe for the system administrator to use python3 -m pip install --upgrade pip to update their version of pip, but they would need to be cautious to ensure there are no unintended consequences.

Exhort answered 25/2, 2022 at 0:30 Comment(0)
D
2

The only thing "wrong" with sudo is that it, well, DOes as Super User ala root meaning you can potentially destroy an installation with the wrong command. As PIP is a package maintenance for a particular program you would need such access anyhow to make changes...

Dutra answered 10/1, 2014 at 22:49 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.