What are the risks of running 'sudo pip'?


Question

Occasionally I run into comments or responses that state emphatically that running pip under sudo is "wrong" or "bad", but there are cases (including the way I have a bunch of tools set up) where it is either much simpler, or even necessary to run it that way.

What are the risks of running pip under sudo?

Note that this is not the same question as this one, which, despite the title, provides no information about risks. This also isn't a question about how to avoid using sudo, but about specifically why one would want to.

Recommended answer

When you run pip with sudo, you run setup.py with sudo. In other words, you run arbitrary Python code from the Internet as root. If someone puts up a malicious project on PyPI and you install it, you give an attacker root access to your machine. Prior to some recent fixes to pip and PyPI, an attacker could also run a man in the middle attack to inject their code when you download a trustworthy project.
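The answer's point is that a source distribution's setup.py is ordinary Python that runs with the installer's privileges. The following added example (not part of the original answer) lists the calls a setup.py would make when executed, by parsing it without running it; the package `demo-1.0`, its setup.py contents and all function names are constructed for illustration.

```python
import ast
import io
import tarfile

# Constructed sample setup.py (illustrative; it is parsed below, never executed).
SAMPLE_SETUP = '''\
import os
from setuptools import setup

def helper():
    print("defined, not called here")

print("installing as uid", os.geteuid())
open("/tmp/demo-marker", "w").close()
setup(name="demo", version="1.0")
'''

def build_sample_sdist(setup_source=SAMPLE_SETUP):
    """Return a constructed demo-1.0.tar.gz as bytes; nothing is downloaded."""
    data = setup_source.encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("demo-1.0/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def call_name(func):
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return call_name(func.value) + "." + func.attr
    return "<expr>"  # callee is itself an expression, e.g. open(...).close

def module_level_calls(node):
    """Yield calls that run when the file executes; function definitions and lambdas are skipped."""
    for child in ast.iter_child_nodes(node):
        if isinstance(child, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            continue
        if isinstance(child, ast.Call):
            yield child
        yield from module_level_calls(child)

def install_time_calls(sdist_bytes):
    """Return sorted (line, callee) pairs for setup.py's top-level calls, minus setup()."""
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        member = next(m for m in tar.getmembers() if m.name.endswith("/setup.py"))
        source = tar.extractfile(member).read().decode()
    pairs = ((c.lineno, call_name(c.func)) for c in module_level_calls(ast.parse(source)))
    return sorted(p for p in pairs if p[1] != "setup")
```

Every call this reports for a real sdist is code that would execute as root under `sudo pip`; an empty list only means the file makes no top-level calls besides `setup()`, not that the package is safe.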
