1

Our IT is concerned about any user installing malicious packages by accident. At the moment we have two primary virtual environments for our applications, which only privileged users can modify. But I would be concerned that users might want to set up their own virtual environment or install packages for their user in order to have more control.

How can we restrict the use of pip to members of a certain group/super users who have write access to shared virtual environments? Are there special considerations when a lot of Ubuntu depends on Python?

raphael
  • 5
    Simply do not add these users to the sudo group, nor add them to /etc/sudoers. Then they won't be able to modify the system software. Also promulgate an HR policy: "Mess with the system and you're OUT!" (rephrase for local regulations). – waltinator Jan 08 '24 at 23:56
  • 1
    "by accident" sorry?! how do you do that? – Rinzwind Jan 09 '24 at 05:31
  • 1
    I don't think this is a problem you solve with restrictions, but with change management. Institute a process for verifying what's in the venvs you're using? – vidarlo Jan 09 '24 at 06:48
  • @Rinzwind people typosquat on PyPI https://discuss.python.org/t/improving-risks-and-consequences-against-typosquatting-on-pypi/5090 – raphael Jan 09 '24 at 19:59
  • 2
    @waltinator won't be enough to not permit sudo. pip can run and store Python packages etc. in userspace. Which is what OP wants to avoid, the creation of venvs. – Thomas Ward Jan 13 '24 at 06:47
  • 2
    This isn't a problem you solve with restrictions of users. This is a problem you solve with change management and not giving people access to systems unless they need them. Shell access is inherently dangerous and risky - just don't give people access. – Thomas Ward Jan 13 '24 at 06:48
  • @ThomasWard I think this might be possible with JupyterHub, and then it should also prevent people from running !pip install from within a notebook by not giving them write access to the virtual environment – raphael Jan 26 '24 at 14:31
  • @raphael JupyterHub isn't Ubuntu though and is a separate disparate product. It also, in unsafe setups, effectively has 'root' privileges when it comes to Python. So if you set it up you aren't directly solving the problem unless you've shut remote access to the machine otherwise off. And note that it doesn't stop users from running pip in their user space either, because it creates virtual user space for users. Which is a must so that Notebooks can run/work. (It gives terminal access to userspace still) – Thomas Ward Jan 27 '24 at 02:06

0 Answers
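
An added example, not part of the original question or comments: one way to do the verification step suggested in the comments, by checking a shared venv's installed distributions against an approved list and locating per-user venvs and pip --user installs under home directories. The allowlist, package names, versions and directory layout are constructed for illustration.

```python
import re
import tempfile
from importlib.metadata import distributions
from pathlib import Path

# Constructed allowlist; in practice this comes from your change-management record.
APPROVED = {"requests": "2.31.0", "numpy": "1.26.3"}


def norm(name):
    """PEP 503 name normalisation, so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def drift(site_packages, approved=APPROVED):
    """Return {name: version} for packages that are unapproved or off-version."""
    found = {norm(d.metadata["Name"]): d.version
             for d in distributions(path=[str(site_packages)])}
    return {n: v for n, v in found.items() if approved.get(n) != v}


def user_environments(home_root):
    """Locate venvs (pyvenv.cfg) and pip --user site-packages under home dirs."""
    root = Path(home_root)
    venvs = sorted(p.parent for p in root.glob("*/**/pyvenv.cfg"))
    user_sites = sorted(root.glob("*/.local/lib/python*/site-packages"))
    return venvs, user_sites


def build_sample(root):
    """Constructed fixture: one shared venv and two users with private installs."""
    def dist(site, name, version):
        info = site / f"{name}-{version}.dist-info"
        info.mkdir(parents=True)
        (info / "METADATA").write_text(
            f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n")
    shared = root / "opt/venvs/app/lib/python3.12/site-packages"
    dist(shared, "requests", "2.31.0")
    dist(shared, "reqeusts", "0.0.1")   # constructed misspelled (typosquat-style) name
    dist(shared, "numpy", "1.26.4")     # version differs from the allowlist
    home = root / "home"
    (home / "alice/proj/.venv").mkdir(parents=True)
    (home / "alice/proj/.venv/pyvenv.cfg").write_text("home = /usr/bin\n")
    dist(home / "bob/.local/lib/python3.12/site-packages", "leftpad", "1.0")
    return shared, home


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        shared, home = build_sample(Path(tmp))
        print("drift:", drift(shared))
        print("user environments:", user_environments(home))
```

This reports what exists rather than preventing installs, which matches the point made in the comments that pip works in user space without sudo.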