
Global and local python installations, and accidentally running a requirements file outside of virtualenv

So I was googling an event where pip required sudo privileges, and I came across the following two threads: "What are the risks of running 'sudo pip'?" and "Is it acceptable & safe to run pip install under sudo?"

The first thread talks about the security risk of running an unknown .py file with pip (makes sense), but from the second one I almost got the impression that there exists a global and a local python installation that you should not mix up. I guess it makes sense that you can have a global installation for all users and then maybe an appended path to local packages for each user, but is this true? (It would also make sense since Ubuntu (which I'm using) has dependencies on certain python packages, so having a global root-protected python directory would protect these.) However, if this is true, I can't find the two separate directories. I tried

import sys
print(sys.path)

with both sudo and no sudo, and I got the exact same directories.

In any case, I think I'll move to pip virtualenv, but in that case I was wondering, what would happen if I accidentally forgot to activate the environment and ran an exotic requirements.txt outside? Wouldn't that corrupt my standard user directory I'm trying so hard to keep clean? (If that is so, is that revertible? I'm just thinking, it's only forgetting to type one command, and then your python installation is messed up.)

I would indeed advise to always use virtualenv for requirements specific to a certain application. Tools you use as a developer for multiple projects (something like ipdb) are fine to install globally on the system.

Note that all pip packages are open source, so you have some assurance that famous pip packages are likely not to have malicious code, but could contain security leaks of course.

To prevent accidentally installing a pip package outside a virtualenv, you can add this to your .bashrc:

export PIP_REQUIRE_VIRTUALENV=true

When you then run pip install something outside a virtualenv, it will show an error message:

Could not find an activated virtualenv (required).

If you still want to be able to install pip packages outside a virtualenv, you can add a function in your .bashrc like this:

syspip() {
    PIP_REQUIRE_VIRTUALENV="" sudo pip "$@"
}

Then you can run syspip install something to install something globally on your system.

As for the script you are running:

import sys
print(sys.path)

It doesn't matter if you run that with sudo or not; sudo only changes the user privileges you are executing the command with, and for this script that doesn't matter.

Running sudo pip install <package> will install the package to the system-wide set of packages, typically stored somewhere like /usr/lib/python2.7/site-packages.

Running pip install package without a virtualenv activated will attempt to install the package to the same place, but because (if your system is configured sanely/correctly) you won't have write access to that folder, the install command will fail.

It's generally better to use distribution packages if you can for global installs if you absolutely have to install globally, as then you get the benefit of automatic updates. As you've worked out however, it's far better to not install packages globally at all, and use virtualenvs.
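Added example (not code from the question or either answer above): a .bashrc snippet that combines both answers' points. The guard refuses pip unless a virtualenv is active, with an explicit syspip escape hatch like the one above, and a helper asks the interpreter where a non-venv install would land and whether the current user can write there, which is the permission difference between plain pip and sudo pip that the second answer describes. The function names, the GUARDED_PIP_DRY_RUN switch, and the reliance on VIRTUAL_ENV (exported by a virtualenv's activate script) and on sysconfig's "purelib" path are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example for ~/.bashrc; not from the original answers.
# Assumes: activate exports VIRTUAL_ENV; python's sysconfig "purelib" path is
# where a non-venv install lands. GUARDED_PIP_DRY_RUN=1 only prints commands
# (constructed for testing the guard without touching any installation).

# True when a virtualenv has been activated (activate exports VIRTUAL_ENV).
venv_active() {
    [ -n "${VIRTUAL_ENV:-}" ]
}

# Runs, or in dry-run mode only prints, the command given as arguments.
run_pip() {
    if [ "${GUARDED_PIP_DRY_RUN:-0}" = 1 ]; then
        echo "would run: $*"
        return 0
    fi
    "$@"
}

# pip replacement: refuse to install unless a virtualenv is active, so a
# forgotten "source venv/bin/activate" cannot modify the user or system site.
guarded_pip() {
    if ! venv_active; then
        echo "guarded_pip: no active virtualenv; activate one, or use syspip for a deliberate global install" >&2
        return 1
    fi
    run_pip pip "$@"
}

# Deliberate global install: bypasses this guard and pip's own
# PIP_REQUIRE_VIRTUALENV check, and runs as root via sudo.
syspip() {
    PIP_REQUIRE_VIRTUALENV="" run_pip sudo pip "$@"
}

# Describe a site-packages directory: exit 0 if the current user could write
# to it (a plain "pip install" would change it), 1 otherwise.
describe_target() {
    target="$1"
    if [ -w "$target" ]; then
        echo "$target is writable by $(id -un): plain pip install modifies it"
        return 0
    fi
    echo "$target is not writable by $(id -un): plain pip install fails here; sudo pip would succeed"
    return 1
}

# Ask an interpreter (default python3) where a non-venv install would land.
# sys.path is the same with or without sudo; only write permission differs.
report_global_target() {
    py="${1:-python3}"
    target=$("$py" -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])') || return 2
    describe_target "$target"
}
```

After sourcing this from .bashrc, `alias pip=guarded_pip` makes the guard apply to the bare command; `report_global_target` (or `report_global_target python2.7` on an older system) shows the directory the second answer refers to and whether your account could write to it.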
