问题描述
所以我在搜索一个事件,其中pip需要sudo特权,我遇到了以下两个线程运行"sudo pip"有什么风险?和是否可以接受&可以在sudo下运行pip install吗?
So I was googling an event where pip required sudo privileges,and I came across the following two threads What are the risks of running 'sudo pip'?and Is it acceptable & safe to run pip install under sudo?
第一个线程讨论了使用pip运行未知的.py文件的安全风险(很有意义),但是从第二个线程中,我几乎给人的印象是,存在一个全局和本地的python安装,您不应该混淆.我想这可以让您为所有用户进行全局安装,然后为每个用户添加到本地软件包的附加路径,但这是对的吗? (因为ubuntu(我正在使用)对某些python包具有依赖性,所以这也很有意义,因此拥有受root保护的全局python目录将保护这些包).但是,如果这是真的,我将找不到两个单独的目录.我尝试过
The first thread talks about the security risk of running an unknown .py file with pip (makes sense), but from the second one I almost got the impression that there exists a global and local python installation that you should not mix up. I guess it makes it sense that you can have a global installation for all users and then maybe an appended path to local packages for each user, but is this true? (it would also make sense since ubuntu (which I'm using) has dependencies on certain python packages, so having a global root protected python directory would protect these). However, if this is true, I can't find the two separate directories. I tried
import sys
print(sys.path)
带有sudo和没有sudo的
,我得到了完全相同的目录.
with both sudo and no sudo, and I got the exact same directories.
无论如何,我认为我将转为使用pip virtualenv,但是在那种情况下,我想知道,如果我意外忘记激活环境并在外部运行了一个奇怪的requirements.txt,会发生什么?那不会破坏我的标准用户目录吗,我正努力保持清洁(如果是这样,那可恢复吗?我只是在想,只忘记键入一个突击队,然后您的python安装就搞砸了)
In any case, I think I'll move to pip virtualenv, but in that case I was wondering, what would happen if I accidentaly forgot to activate the environment and ran an exotic requirements.txt outside? Wouldn't that corrupt my standard user directory I'm trying so hard to keep clean (if that is so, is that revertible? I'm just thinking, it's only forgetting to type one commando, and then your python installation is messed up.)
推荐答案
我确实建议始终将virtualenv用于特定于特定应用程序的需求.用作多个项目的开发人员的工具(例如ipdb)可以很好地在系统上全局安装.
I would indeed advice to always use virtualenv for requirements specific to a certain application. Tools you use as a developer for multiple projects (something like ipdb) are fine to install globally on the system.
请注意,所有pip软件包都是开源的,因此您可以确保著名的pip软件包可能没有恶意代码,但是当然可能包含安全漏洞.
Note that all pip packages are open source, so you have some assurance that famous pip packages are likely not to have malicious code, but could contain security leaks of course.
为防止在virtualenv外部意外安装pip软件包,可以将其添加到.bashrc:
To prevent accidentally installing a pip package outside a virtualenv, you can add this to your .bashrc:
export PIP_REQUIRE_VIRTUALENV=true
然后在virtualenv外部运行pip install something时,将显示错误消息:
When you then run pip install something outside a virtualenv, it will show an error message:
Could not find an activated virtualenv (required).
如果您仍然希望能够在virtualenv外部安装pip软件包,则可以在.bashrc中添加如下功能:
If you still want to be able to install pip packages outside a virtualenv, you can add a function in your .bashrc like this:
syspip() {
PIP_REQUIRE_VIRTUALENV="" sudo pip "$@"
}
然后,您可以运行syspip install something在系统上全局安装某些内容.
Then you can run syspip install something to install something globally on your system.
关于您正在运行的脚本:
As for the script you are running:
import sys
print(sys.path)
是否使用sudo都无关紧要,sudo只会更改执行命令所使用的用户权限,对于此脚本来说没关系.
It doesn't matter if you run that with sudo or not, sudo only changes the user privileges you are executing the command with, for this script it doesn't matter.
这篇关于全局和本地python安装,并意外在virtualenv外部运行需求文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!