1
1
I understand that there are security risks involved in installing pip under sudo, but for various reasons I would like to continue installing my packages in site-packages (on OSX 10.9), which currently requires sudo for pip to work.
Would simply giving myself permission to write to site-packages avoid these issues? Are there new security risks associated with doing so? Or perhaps the alternative is to create a new user who owns site-packages, specifically for use with pip?
Note that this is not a question about using virtualenv to avoid this problem.
orome
Posted 2014-01-11T03:27:58.883
Reputation: 205
So if I create a user for
pipand give him access tosite-packagesthe only risks I run are (1) that the execution ofsetup.pyitself will do something malicious insite-packages(and nowhere else) and (2) that something malicious that ends up insite-packageswill do damage anywhere that any code I run can, correct? Isn't (2) inescapable anyway, for any Python installation? – orome – 2014-01-11T14:23:58.2931@raxacoricofallapatorius: it is inescapable, yes, but the impact is different with system site-packages which is regularly run with escalated privileges and virtualenv-ed site-packages which normally runs under your account. – Lie Ryan – 2014-01-11T18:15:47.193
But does wouldn't virtualenv then pose the same risks as my taking ownership of the systems
site-packages? – orome – 2014-01-11T19:25:35.783@raxacoricofallapatorius: if you run a software with root privilege, you have to make sure that the software and any libraries that it uses cannot be modified by anyone other than root. This includes if you're running a python program that requires root privilege inside a virtualenv. – Lie Ryan – 2014-01-11T19:40:12.530