Skip to content

pip should drop rights when it builds wheels. Also it may make sense to sandbox the building process from i.e. introducing malware into .bashrc with the tools like firejail, if they are available in the system. #11034

New issue
New issue
Open
Open
pip should drop rights when it builds wheels. Also it may make sense to sandbox the building process from i.e. introducing malware into .bashrc with the tools like firejail, if they are available in the system.#11034
Labels
S: needs triageIssues/PRs that need to be triagedtype: feature requestRequest for a new feature
@KOLANICH

Description

@KOLANICH
KOLANICH
opened on Apr 13, 2022

What's the problem this feature will solve?

Building a wheel results in execution of a lot of potentially vulnerable or untrustworthy code:

  1. setup.py
  2. build system
  3. setuptools plugins, which can have large dependencies trees
  4. variables imported from modules using attr: in setup.cfg and tool.setuptools.dynamic section (it is planned to be fixed somewhen in sallow only statically parsed stuff by default).
  5. console tools called by setuptools plugins.

There is usually no reason to call all these from a privileged user. But some packages are still available on pypi as sdists only, so users installing them with sudo pip result in them being fetched and built from root. I personally have disabled fetching anything from pypi, BTW.

The most severe issue for me is editable install. It is extremily inconvenient to rebuild wheels and reinstall them after every minorest change when developing python code that must be run from root. I know it introduces local privilege escalation, but TBH if one runs untrustworthy code on own machine, he is already deeply in danger.

The issue got more severe today because of pypa/setuptools-scm#707 . setuptools_scm is a tool to get version from git tags, it calls git for that. But pip runs wheel building from root, while the source dir is usually owned by the user initiating the build. The recent fix in git to eliminate such vulnerabilities checks that the user running git is the same as the user owning the repo. Of course fakeroot is the workaround, but I think a more correct solution is needed.

Describe the solution you'd like

  1. pip should detect the user that has started it via sudo
  2. pip should build a wheel from that user and only install from root
  3. pip should detect if there are any sandboxing solutions present in the system, and should use it to allow wheel building process to write only to the source dir and to the build dir.

Alternative Solutions

No.

Additional context

Code of Conduct

Metadata

Metadata

Assignees

No one assigned

    Labels

    S: needs triageIssues/PRs that need to be triagedtype: feature requestRequest for a new feature

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions