115

Occasionally I run into comments or responses that state emphatically that running pip under sudo is "wrong" or "bad", but there are cases (including the way I have a bunch of tools set up) where it is either much simpler, or even necessary to run it that way.

What are the risks associated with running pip under sudo?

Note that this is not the same question as Is it acceptable and safe to run pip install under sudo?, which, despite the title, provides no information about risks. This also isn't a question about how to avoid using sudo, but about specifically why one would want to.

Improve this question
0

5 Answers 5

Reset to default
118

When you run pip with sudo, you run setup.py with sudo. In other words, you run arbitrary Python code from the Internet as root. If someone puts up a malicious project on PyPI and you install it, you give an attacker root access to your machine. Prior to some recent fixes to pip and PyPI, an attacker could also run a man in the middle attack to inject their code when you download a trustworthy project.

Improve this answer
13
  • 3
    Does the threat apply only during pip or for any subsequent run of what it installed?
    – orome
    Commented Jan 10, 2014 at 23:22
  • 4
    But that will be true whether I sudo or not when I pip, right? Once it's installed, we're all at risk, no matter how it got there?
    – orome
    Commented Jan 10, 2014 at 23:26
  • 2
    @raxacoricofallapatorius This is getting into territory I'm uncomfortable to answer, not because I don't have any idea (I have a hunch and can give reasons for it) but because it's notoriously hard to predict how seemingly small changes like these affect overall security. In addition, it's usually extremely simple to avoid not only sudo but also these permission issues by installing the packages somewhere else (e.g. in an virtualenv). Doing so may even be better and more reliable even when ignoring all security concerns.
    – user395760
    Commented Jan 10, 2014 at 23:48
  • 2
    @raxacoricofallapatorius Depending on the exact write permissions and directory layout, I fear that more sophisticated malware would overwrite other, more trusted code, such as code used by system utilities routinely run as root.
    – user395760
    Commented Jan 11, 2014 at 0:00
  • 5
    This answer is bizarre. Of course, when you run something with sudo you give it root privileges; that's the whole point of sudo, and certainly not specific to pip.
    – user4953825
    Commented Nov 26, 2017 at 4:33
27

Besides obvious security risks (which I think are in fact low when you install software you know) mentioned in other answers, there is another reason. Python that comes with the system is part of this system and when you want to manage the system you use tools designated for system maintenance like package managers in the case of installing/upgrading/uninstalling software. When you start to modify system software with third party tools (pip in this instance) then you have no guarantee about the state of your system. Yet another reason is that sudo can bring you problems you wouldn't have a chance or have a very small chance to have otherwise. See for example Mismatch between sys.executable and sys.version in Python

Distros are aware of this problem and try to mitigate it. For example Fedora – Making sudo pip safe and Debian – dist-packages instead of site-packages.

Improve this answer
0
7

Using pip that way means you trust it to the level you allow it to make anything to your system. Not only pip, but also any code it will download and execute from sources you may not trust and that can be malicious.

And pip doesn't need all that privileges, only the write access to specific files and directories. If you can't use your system's package manager and do not want to go the virtual environment way, you may create a specific user that has write privilege to the python installation directory and use it for pip. That way you better control what can pip do and not do. And you can use sudo -u for that!

Improve this answer
6
  • So all I need to do is, for example, allow myself write permissions to site-packages?
    – orome
    Commented Jan 10, 2014 at 23:07
  • 1
    @raxacoricofallapatorius not just there, as some packages also install helper scripts (like pip itself, IPython, django, pygments, ...) so you'll also need access to whichever directory they install themselves in.
    – MattDMo
    Commented Jan 10, 2014 at 23:11
  • Yes and no. I'm no security expert, but I think it is better if the user running the scripts do not have write permission. Therefore I suggest rather a separate user.
    – Cilyan
    Commented Jan 10, 2014 at 23:12
  • @MattDMo: Yes, that makes sense; but those cases are probably easily discovered as things fail without the appropriate permissions. If done though, isn't that the safest way to go then the worst that can happen to my system as a whole is what can happen when I run anything anyway, right? The only difference is that I could potentially ruin my Python installation as me (rather than having to be su to do it), right?
    – orome
    Commented Jan 10, 2014 at 23:20
  • How do I create such a user, for the sole purpose of using pip (no other changes to the system, like a new home directory, etc. need)? After that I assume I just change the owner of site-packages to that user, correct?
    – orome
    Commented Jan 11, 2014 at 3:58
3

There are a few reasons that haven't been mentioned by other users but are still important.

Lack of code review amongst pip packages

The first reason is that PyPI packages (packages that you can install via pip) are not monitored or code-reviewed like you may be used to with other package managers. There have been many cases of malicious PyPI packages being published and then downloaded by thousands of users before being removed. If you happen to download one of these malicious packages as root then you are essentially giving the malware access to your entire system. Though this isn't an every day occurrence, it is still an attack vector to be aware of. You can learn more about this by reading about the concept of least privileges.

Running pip as root interferes with system-level packages

The second, and more important reason, is that running pip with sudo or as the root user will interfere with system-level packages and can disrupt the functionality of your system. Piotr Dobrogost's answer briefly mentions the effects that package managers can have on the state of your system, but I think a more in-depth explanation will help people better understand why this practice can be harmful.

Take for example a Linux distro that ships with Python 3.6 and the Python package cryptography to perform cryptographic operations. For illustrative purposes, imagine that the cryptography package version 1.0.0 is used by the system to hash passwords and allows users to log in. If version 1.0.1 of the same package introduces a regression that the system doesn't account for and you upgrade the global cryptography package by running sudo pip3 install -U cryptography, you accidentally just broke the ability for users to log in system-wide by introducing a regression on system dependencies.

This is a contrived example and would actually be easier to track down than most, but it is certainly a possible scenario. In the real world you would most likely break something less important, but the lesson is the same. In some scenarios this example would be easier to undo because you would know exactly what you broke when everything instantly stopped working, but you could end up breaking something that is much harder to track down and you might not find out until much later when you have no recollection of what you changed.

Why would you want to run pip with sudo?

I haven't seen anyone address the final question in your post, so I'll address it here. There are a few reasons why someone would want to run pip with sudo, but they are far more rare.

The first reason that people would want to do it this way is because people are lazy and it's a fast way to force the system to install the package you need. Say that someone needs to install the coloredlogs package because they absolutely have to have their logs be colored right now and they don't know anything about having a secure system. It's often much easier for inexperienced users to add sudo to the beginning of everything when it doesn't work because "it just works" rather than learning why it didn't work the first time.

The second reason, and only legitimate reason that I can think of, is if an admin needs to patch something system-wide. Say that a vulnerability is introduced in pip version 20.0.0 and there is a hotfix that fixes the issue in version 20.0.1. The system administrator probably doesn't want to wait for the distro to patch this for them and instead wants to patch it right now to mitigate the issue. In this scenario I think it would be safe for the system administrator to use python3 -m pip install --upgrade pip to update their version of pip, but they would need to be cautious to ensure there are no unintended consequences.

Improve this answer
2

The only thing "wrong" with sudo is that it, well, DOes as Super User ala root meaning you can potentially destroy an installation with the wrong command. As PIP is a package maintenance for a particular program you would need such access anyhow to make changes...

Improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.