What are the risks of running 'sudo pip'?
Question
Occasionally I run into comments or responses that state emphatically that running pip under sudo is "wrong" or "bad", but there are cases (including the way I have a bunch of tools set up) where it is either much simpler, or even necessary to run it that way.

What are the risks associated with running pip under sudo?

Note that this is not the same question as this one, which, despite the title, provides no information about risks. This also isn't a question about how to avoid using sudo, but about specifically why one would want to.
When you run pip with sudo, you run setup.py with sudo. In other words, you run arbitrary Python code from the Internet as root. If someone puts up a malicious project on PyPI and you install it, you give an attacker root access to your machine. Prior to some recent fixes to pip and PyPI, an attacker could also run a man in the middle attack to inject their code when you download a trustworthy project.
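An added example (not part of the question or answer above) of the defender's side of this point: because pip executes an sdist's setup.py at install time, that file can be read statically before installing instead of being discovered by running it as root. The script below, written for this page with constructed sample packages, parses a setup.py with Python's ast module and flags imports and calls that deserve a manual look; the SUSPECT_MODULES and SUSPECT_CALLS lists are assumptions for illustration, not a complete detector.

```python
import ast
import io
import tarfile

# Modules and calls whose presence in a setup.py warrants reading it by hand
# before installing: setup.py runs at install time, as root under `sudo pip`.
SUSPECT_MODULES = {"subprocess", "socket", "urllib", "ctypes"}  # assumed list
SUSPECT_CALLS = {"os.system", "os.popen", "eval", "exec"}      # assumed list

def _dotted(func):
    """Return the dotted name a call targets ('os.system'), or '' if not a plain name."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _dotted(func.value)
        return f"{base}.{func.attr}" if base else ""
    return ""

def audit_setup_py(source):
    """Parse (never execute) a setup.py and list suspicious imports and calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            findings += [f"import {a.name}" for a in node.names
                         if a.name.split(".")[0] in SUSPECT_MODULES]
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in SUSPECT_MODULES:
                findings.append(f"from {node.module} import ...")
        elif isinstance(node, ast.Call) and _dotted(node.func) in SUSPECT_CALLS:
            findings.append(f"call {_dotted(node.func)}()")
    return findings

def audit_sdist(sdist_bytes):
    """Open an sdist (.tar.gz) in memory and audit its top-level setup.py."""
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.name.count("/") == 1 and member.name.endswith("/setup.py"):
                return audit_setup_py(tar.extractfile(member).read().decode())
    return ["no setup.py found"]

def make_sdist(setup_py, name="demo-1.0", filename="setup.py"):
    """Constructed sample: build an in-memory sdist containing one file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = setup_py.encode()
        info = tarfile.TarInfo(f"{name}/{filename}")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Wheels carry no setup.py, so preferring them (pip's --only-binary option) removes this install-time execution entirely; the audit above is for the sdist case.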