Both sudo pip install and its other common variant, sudo -H pip install, should not be encouraged, because using root privileges to install Python packages from PyPI (Python Package Index) with pip is a security risk.

When you run pip with sudo, you run setup.py with sudo. In other words, you run arbitrary Python code from the Internet as root. If someone puts up a malicious project on PyPI and you install it, you give an attacker root access to your machine. Prior to some recent fixes to pip and PyPI, an attacker could also run a man-in-the-middle attack to inject their code when you download a trustworthy project.

It is important to note that anyone can upload Python packages, including malicious ones, to PyPI.

In short, in accordance with the principle of least privilege, don't use sudo with pip to install Python packages from PyPI unless you absolutely need to. Instead, consider using pip install --user (note that pip install with no sudo and no additional flags/options currently defaults to pip install --user on Ubuntu) or virtual environments (such as virtualenv). If you see people recommending sudo pip or sudo -H pip, please tell them not to.
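To find where the habit described above is already in use on a machine, here is an added example (not part of the original post) that scans sudo log lines for pip installs executed as root. The log lines are constructed samples in the common sudo syslog layout and the function names are hypothetical; because sudo records the command it ran rather than its own options, sudo pip and sudo -H pip leave the same COMMAND= entry.

```python
import re
import shlex

# Constructed sample lines in the usual sudo syslog layout (not real logs).
SAMPLE_LOG = """\
Jan 12 10:15:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/pip install requests
Jan 12 10:16:40 web01 sudo:      bob : TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/python3 -m pip install -r requirements.txt
Jan 12 10:17:02 web01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/apt install python3-requests
Jan 12 10:18:30 web01 sudo:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=deploy ; COMMAND=/usr/bin/pip3 install flask
Jan 12 10:19:11 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/pip list
"""

SUDO_LINE = re.compile(
    r"sudo:\s+(?P<invoker>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<command>.+)$"
)
PIP_BINARY = re.compile(r"^pip(\d+(\.\d+)?)?$")        # pip, pip3, pip3.11
PYTHON_BINARY = re.compile(r"^python(\d+(\.\d+)?)?$")  # python, python3, python3.11


def is_pip_install(command):
    """Return True if the logged command is `pip install` or `python -m pip install`."""
    try:
        argv = shlex.split(command)
    except ValueError:          # unbalanced quotes in the log line
        argv = command.split()
    if not argv:
        return False
    name = argv[0].rsplit("/", 1)[-1]   # strip the directory sudo resolved
    if PIP_BINARY.match(name):
        rest = argv[1:]
    elif PYTHON_BINARY.match(name) and argv[1:3] == ["-m", "pip"]:
        rest = argv[3:]
    else:
        return False
    # Simplification: treat the first non-option argument as the pip subcommand.
    subcommand = next((arg for arg in rest if not arg.startswith("-")), None)
    return subcommand == "install"


def find_root_pip_installs(log_text):
    """Return (invoking user, command) for every pip install that ran as root."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_LINE.search(line)
        if m and m["target"] == "root" and is_pip_install(m["command"]):
            findings.append((m["invoker"], m["command"]))
    return findings
```

Run against the sample, it reports the installs by alice and bob and ignores the apt install, the install run as a non-root user, and pip list.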