New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pip usable only by administrators on Windows and SELinux #65229
Comments
After installing python-3.4.0.amd64.msi on Windows 8.1 x64, the "pip" command (and the versioned ones as well) only work for administrators. Regular users get this: Traceback (most recent call last):
File "C:\Program Files\Python34\lib\runpy.py", line 171, in _run_module_as_main
"__main__", mod_spec)
File "C:\Program Files\Python34\lib\runpy.py", line 86, in _run_code
exec(code, run_globals)
File "C:\Program Files\Python34\Scripts\pip.exe\__main__.py", line 5, in <module>
ImportError: cannot import name 'main' The immediate reason is that the files in the site-packages/pip directory are created with no access permissions for non-administrators: C:\Program Files\Python34\Lib\site-packages\pip>icacls __main__.py Why that is, I have no idea. It can be fixed by running: icacls path\to\site-packages\pip /inheritance:e /t The /reset may be unnecessary. |
According to procmon, ensurepip first installs the bundled packages in $TEMP, then moves the resulting files to the Python installation directory. According to http://support.microsoft.com/kb/310316, a file that is moved within the same volume keeps its original ACL and does not inherit permissions from its new parent directory. I can think of two ways to fix this:
Of the two, #1 is probably more reliable. |
I agree with the analysis. Notice that this may sound worse than it is: even if a regular user could run pip, they still couldn't install anything. As users will have to get an elevated prompt, anyway, when running pip, they typically won't notice the problem. In any case, I also think that the problem is within ensurepip. |
Unprivileged users cannot install into the global site-packages, but they might want to use the global pip to install with --user. Also, this issue affects not only pip, but also the other bundled packages, i.e. setuptools and pkg_resources. |
The current approach is also likely to cause problems under SELinux. |
Solution 1 will also handle the SELinux case (copy and then delete original). |
If this needs to be done by fixing the ACLs afterwards, then I suggest to add a C custom action, based on the code in |
Actually, this appears to be fixed in pip 1.5.6 (and 1.5.5, commit 79408cbc6fa5d61b74b046105aee61f12311adc9, AFAICT), which is included in 3.4.1; I cannot reproduce the problem in 3.4.1. That makes this bug obsolete. |
I believe in pip 1.5.6 we switched from shutil.move to shutil.copytree which I believe will reset the permissions/SELinux context? |
Christian: thanks for the update. It's actually that the bug is fixed, not obsolete :-) |
A little additional explanation of why the switch to copytree would have I assume Windows NTFS ACLs are similar, being set based on the parent Moral of the story? These days, if you're relocating files to a different |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: