What are the risks of running 'sudo pip'?
Solution 1
When you run pip
with sudo
, you run setup.py
with sudo
. In other words, you run arbitrary Python code from the Internet as root. If someone puts up a malicious project on PyPI and you install it, you give an attacker root access to your machine. Prior to some recent fixes to pip
and PyPI, an attacker could also run a man in the middle attack to inject their code when you download a trustworthy project.
Solution 2
Besides obvious security risks (which I think are in fact low when you install software you know) mentioned in other answers, there is another reason. Python that comes with the system is part of this system and when you want to manage the system you use tools designated for system maintenance like package managers in the case of installing/upgrading/uninstalling software. When you start to modify system software with third party tools (pip
in this instance) then you have no guarantee about the state of your system. Yet another reason is that sudo
can bring you problems you wouldn't have a chance or have a very small chance to have otherwise. See for example Mismatch between sys.executable and sys.version in Python
Distros are aware of this problem and try to mitigate it. For example Fedora – Making sudo pip safe and Debian – dist-packages instead of site-packages.
Solution 3
Using pip that way means you trust it to the level you allow it to make anything to your system. Not only pip, but also any code it will download and execute from sources you may not trust and that can be malicious.
And pip doesn't need all that privileges, only the write access to specific files and directories. If you can't use your system's package manager and do not want to go the virtual environment way, you may create a specific user that has write privilege to the python installation directory and use it for pip. That way you better control what can pip do and not do. And you can use sudo -u
for that!
Solution 4
The only thing "wrong" with sudo
is that it, well, DOes as Super User ala root meaning you can potentially destroy an installation with the wrong command. As PIP is a package maintenance for a particular program you would need such access anyhow to make changes...
Solution 5
There are a few reasons that haven't been mentioned by other users but are still important.
Lack of code review amongst pip
packages
The first reason is that PyPI packages (packages that you can install via pip
) are not monitored or code-reviewed like you may be used to with other package managers. There have been many cases of malicious PyPI packages being published and then downloaded by thousands of users before being removed. If you happen to download one of these malicious packages as root then you are essentially giving the malware access to your entire system. Though this isn't an every day occurrence, it is still an attack vector to be aware of. You can learn more about this by reading about the concept of least privileges.
Running pip
as root interferes with system-level packages
The second, and more important reason, is that running pip
with sudo
or as the root user will interfere with system-level packages and can disrupt the functionality of your system. Piotr Dobrogost's answer briefly mentions the effects that package managers can have on the state of your system, but I think a more in-depth explanation will help people better understand why this practice can be harmful.
Take for example a Linux distro that ships with Python 3.6 and the Python package cryptography
to perform cryptographic operations. For illustrative purposes, imagine that the cryptography
package version 1.0.0 is used by the system to hash passwords and allows users to log in. If version 1.0.1 of the same package introduces a regression that the system doesn't account for and you upgrade the global cryptography
package by running sudo pip3 install -U cryptography
, you accidentally just broke the ability for users to log in system-wide by introducing a regression on system dependencies.
This is a contrived example and would actually be easier to track down than most, but it is certainly a possible scenario. In the real world you would most likely break something less important, but the lesson is the same. In some scenarios this example would be easier to undo because you would know exactly what you broke when everything instantly stopped working, but you could end up breaking something that is much harder to track down and you might not find out until much later when you have no recollection of what you changed.
Why would you want to run pip
with sudo
?
I haven't seen anyone address the final question in your post, so I'll address it here. There are a few reasons why someone would want to run pip
with sudo
, but they are far more rare.
The first reason that people would want to do it this way is because people are lazy and it's a fast way to force the system to install the package you need. Say that someone needs to install the coloredlogs
package because they absolutely have to have their logs be colored right now and they don't know anything about having a secure system. It's often much easier for inexperienced users to add sudo
to the beginning of everything when it doesn't work because "it just works" rather than learning why it didn't work the first time.
The second reason, and only legitimate reason that I can think of, is if an admin needs to patch something system-wide. Say that a vulnerability is introduced in pip
version 20.0.0 and there is a hotfix that fixes the issue in version 20.0.1
. The system administrator probably doesn't want to wait for the distro to patch this for them and instead wants to patch it right now to mitigate the issue. In this scenario I think it would be safe for the system administrator to use python3 -m pip install --upgrade pip
to update their version of pip
, but they would need to be cautious to ensure there are no unintended consequences.
Related videos on Youtube
orome
"I mingle the probable with the necessary and draw a plausible conclusion from the mixture."
Updated on February 25, 2022Comments
-
orome about 2 years
Occasionally I run into comments or responses that state emphatically that running
pip
undersudo
is "wrong" or "bad", but there are cases (including the way I have a bunch of tools set up) where it is either much simpler, or even necessary to run it that way.What are the risks associated with running
pip
undersudo
?
Note that this is not the same question as this one, which, despite the title, provides no information about risks. This also isn't a question about how to avoid using
sudo
, but about specifically why one would want to.-
Milan over 2 yearsDoes this answer your question? Is it acceptable and safe to run pip install under sudo?
-
-
orome over 10 yearsSo all I need to do is, for example, allow myself write permissions to
site-packages
? -
MattDMo over 10 years@raxacoricofallapatorius not just there, as some packages also install helper scripts (like
pip
itself, IPython, django, pygments, ...) so you'll also need access to whichever directory they install themselves in. -
Cilyan over 10 yearsYes and no. I'm no security expert, but I think it is better if the user running the scripts do not have write permission. Therefore I suggest rather a separate user.
-
orome over 10 years@MattDMo: Yes, that makes sense; but those cases are probably easily discovered as things fail without the appropriate permissions. If done though, isn't that the safest way to go then the worst that can happen to my system as a whole is what can happen when I run anything anyway, right? The only difference is that I could potentially ruin my Python installation as me (rather than having to be su to do it), right?
-
orome over 10 yearsDoes the threat apply only during
pip
or for any subsequent run of what it installed? -
Admin over 10 years@raxacoricofallapatorius The installed code will only have root privileges when run as root, not always. But it's still code from the Internet, if it's malicious it might also do evil things at run time.
-
orome over 10 yearsBut that will be true whether I
sudo
or not when Ipip
, right? Once it's installed, we're all at risk, no matter how it got there? -
Admin over 10 years@raxacoricofallapatorius Yes.
-
orome over 10 yearsSo the risk is at instal time (as you say in the answer, I'm just confirming) and if I could avoid that I'd be safe (or at least not exposed to su damage during install). Can I accomplish that by simply giving myself write permissions where (and as)
pip
needs them, and then runningpip
as me? -
Admin over 10 years@raxacoricofallapatorius This is getting into territory I'm uncomfortable to answer, not because I don't have any idea (I have a hunch and can give reasons for it) but because it's notoriously hard to predict how seemingly small changes like these affect overall security. In addition, it's usually extremely simple to avoid not only
sudo
but also these permission issues by installing the packages somewhere else (e.g. in an virtualenv). Doing so may even be better and more reliable even when ignoring all security concerns. -
Admin over 10 years@raxacoricofallapatorius Depending on the exact write permissions and directory layout, I fear that more sophisticated malware would overwrite other, more trusted code, such as code used by system utilities routinely run as root.
-
orome over 10 yearsI think this might morph into a follow-on question (I think I pretty much have my answer to the question asked here), but why would giving myself write permission to
site-packages
and other directories used bypip
installs be any different than putting things in a new folder with such permissions? It seems like that's as secure as I can expect to get, isn't it. -
orome over 10 yearsHow do I create such a user, for the sole purpose of using
pip
(no other changes to the system, like a new home directory, etc. need)? After that I assume I just change the owner ofsite-packages
to that user, correct? -
Cilyan over 10 yearsThis depends on your system. Assuming linux, you could do
groupadd python; useradd -M pipuser -g python -d /tmp; passwd -l pipuser
thenchgrp -R python site-packages; chmod -R g+w site-packages
and finallysudo --user pipuser pip install ...
. I do not know about Mac. -
Piotr Dobrogost about 10 years@raxacoricofallapatorius (…) but why would giving myself write permission to site-packages (…) –
sudo pip
does not give you write permissions to specific directories like site-packages only but to all directories in the system. -
notconfusing about 10 yearsSo does that mean that giving yourself write permission to
site-packages
is the recommended alternative? Elsewhere I see that a soluiton to install under another user. Is there one recommended best way to run pip without usingsudo
? That would be most pythonic. -
Admin about 10 years@notconfusing My latest memo says the recommended way is to set up a virtualenv. The virtualenv will have a
site-packages
directory that belongs to some ordinary user. -
Admin over 6 yearsThis answer is bizarre. Of course, when you run something with
sudo
you give it root privileges; that's the whole point ofsudo
, and certainly not specific topip
.