pip usable only by administrators on Windows and SELinux

[chrullrich]

BPO	21030
Nosy	@loewis, @ncoghlan, @zware, @dstufft, @chrullrich

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2014-06-23.17:43:56.268>
created_at = <Date 2014-03-23.00:25:44.351>
labels = ['type-bug', 'expert-installation', 'OS-windows']
title = 'pip usable only by administrators on Windows and SELinux'
updated_at = <Date 2014-06-23.23:30:10.186>
user = 'https://github.com/chrullrich'

bugs.python.org fields:

activity = <Date 2014-06-23.23:30:10.186>
actor = 'ncoghlan'
assignee = 'none'
closed = True
closed_date = <Date 2014-06-23.17:43:56.268>
closer = 'loewis'
components = ['Installation', 'Windows']
creation = <Date 2014-03-23.00:25:44.351>
creator = 'chrullrich'
dependencies = []
files = []
hgrepos = []
issue_num = 21030
keywords = []
message_count = 11.0
messages = ['214527', '214548', '214551', '214552', '214567', '214568', '221312', '221354', '221365', '221370', '221384']
nosy_count = 5.0
nosy_names = ['loewis', 'ncoghlan', 'zach.ware', 'dstufft', 'chrullrich']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = None
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue21030'
versions = ['Python 3.4']

[chrullrich]

After installing python-3.4.0.amd64.msi on Windows 8.1 x64, the "pip" command (and the versioned ones as well) only work for administrators. Regular users get this:

Traceback (most recent call last):
  File "C:\Program Files\Python34\lib\runpy.py", line 171, in _run_module_as_main
    "__main__", mod_spec)
  File "C:\Program Files\Python34\lib\runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "C:\Program Files\Python34\Scripts\pip.exe\__main__.py", line 5, in <module>
ImportError: cannot import name 'main'

The immediate reason is that the files in the site-packages/pip directory are created with no access permissions for non-administrators:

C:\Program Files\Python34\Lib\site-packages\pip>icacls __main__.py
__main__.py NT-AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
abc\Admin:(F)

Why that is, I have no idea. It can be fixed by running:

icacls path\to\site-packages\pip /inheritance:e /t
icacls path\to\site-packages\pip /reset /t

The /reset may be unnecessary.

[chrullrich]

According to procmon, ensurepip first installs the bundled packages in $TEMP, then moves the resulting files to the Python installation directory. According to http://support.microsoft.com/kb/310316, a file that is moved within the same volume keeps its original ACL and does not inherit permissions from its new parent directory.

I can think of two ways to fix this:

1. Instead of moving the files, copy them (and delete the originals)
2. Reset the ACLs after the move. The icacls commands I posted earlier
   will work, but icacls may not be available with the same option set
   on all supported Windows versions.

Of the two, #1 is probably more reliable.

[loewis]

I agree with the analysis. Notice that this may sound worse than it is: even if a regular user could run pip, they still couldn't install anything. As users will have to get an elevated prompt, anyway, when running pip, they typically won't notice the problem.

In any case, I also think that the problem is within ensurepip.

[chrullrich]

Unprivileged users cannot install into the global site-packages, but they might want to use the global pip to install with --user.

Also, this issue affects not only pip, but also the other bundled packages, i.e. setuptools and pkg_resources.

[ncoghlan]

The current approach is also likely to cause problems under SELinux.

[ncoghlan]

Solution 1 will also handle the SELinux case (copy and then delete original).

[loewis]

If this needs to be done by fixing the ACLs afterwards, then I suggest to add a C custom action, based on the code in

http://stackoverflow.com/questions/17536692/resetting-file-security-to-inherit-after-a-movefile-operation

[chrullrich]

Actually, this appears to be fixed in pip 1.5.6 (and 1.5.5, commit 79408cbc6fa5d61b74b046105aee61f12311adc9, AFAICT), which is included in 3.4.1; I cannot reproduce the problem in 3.4.1. That makes this bug obsolete.

[dstufft]

I believe in pip 1.5.6 we switched from shutil.move to shutil.copytree which I believe will reset the permissions/SELinux context?

[loewis]

Christian: thanks for the update. It's actually that the bug is fixed, not obsolete :-)

[ncoghlan]

A little additional explanation of why the switch to copytree would have
fixed this, at least in the SELinux case: under SELinux, files typically
get labelled with a context based on where they're created. Copying creates
a *new* file at the destination with the correct context for that location
(based on system policy), but moving an *existing* file will retain its
*original* context - you then have to call "restorecon" to adjust the
context for the new location.

I assume Windows NTFS ACLs are similar, being set based on the parent
directory at creation and then preserved when moved.

Moral of the story? These days, if you're relocating files to a different
directory, copying and then deleting the original will be significantly
more consistent across different environments. OS level move operations are
best avoided in cross platform code, unless it's within the same directory,
or you really need the speed and are prepared to sort out the relevant
access control tweaks afterwards.