Package: python-pip
Version: 1.4.1-2
Severity: normal
Tags: security
Usertags: tmp

pip uses a non-random per-user build directory that is in /tmp. This means that any user can prevent any other user from installing packages. There is the --build-directory option to override this but it isn't documented in the manual page, only the --help output. It would be much better to use tempfile.mkdtemp() to create the build directory.

$ pip install foo
The temporary folder for building (/tmp/pip_build_pabs) is not owned by your user!
pip will not work until the temporary folder is either deleted or owned by your user account.
Traceback (most recent call last):
  File "/usr/bin/pip", line 9, in <module>
    load_entry_point('pip==1.4.1', 'console_scripts', 'pip')()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 345, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2381, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2087, in load
    entry = __import__(self.module_name, globals(),globals(), ['__name__'])
  File "/usr/lib/python2.7/dist-packages/pip/__init__.py", line 10, in <module>
    from pip.util import get_installed_distributions, get_prog
  File "/usr/lib/python2.7/dist-packages/pip/util.py", line 15, in <module>
    from pip.locations import site_packages, running_under_virtualenv, virtualenv_no_global
  File "/usr/lib/python2.7/dist-packages/pip/locations.py", line 92, in <module>
    build_prefix = _get_build_prefix()
  File "/usr/lib/python2.7/dist-packages/pip/locations.py", line 82, in _get_build_prefix
    raise pip.exceptions.InstallationError(msg)
pip.exceptions.InstallationError: The temporary folder for building (/tmp/pip_build_pabs) is not owned by your user!

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (700, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-pip depends on:
ii  ca-certificates       20130906
ii  python                2.7.5-5
ii  python-pkg-resources  0.6.49-2
ii  python-setuptools     0.6.49-2

Versions of packages python-pip recommends:
ii  build-essential  11.6
pn  python-dev-all   <none>

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
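
The difference between the predictable per-user path and the tempfile.mkdtemp() approach the report asks for, as an added example (not pip's code and not part of the original report). The names fixed_build_dir, audit_build_dir, private_build_dir and demo are hypothetical, a throwaway sandbox directory stands in for /tmp, and the second uid is constructed.

```python
import os
import stat
import tempfile


def fixed_build_dir(tmp_root, username):
    """Predictable per-user path, modelled on /tmp/pip_build_<user> from the report."""
    return os.path.join(tmp_root, "pip_build_" + username)


def audit_build_dir(path, uid):
    """Return the reasons why `path` is unsafe as a build directory for `uid`."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink sitting at the path
    except FileNotFoundError:
        return ["missing"]
    problems = []
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink")
    elif not stat.S_ISDIR(st.st_mode):
        problems.append("not-a-directory")
    elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group-or-world-writable")
    if st.st_uid != uid:
        problems.append("foreign-owner")  # the condition behind the error in the report
    return problems


def private_build_dir(tmp_root):
    """mkdtemp picks an unguessable name and creates the directory with mode 0700."""
    return tempfile.mkdtemp(prefix="pip_build_", dir=tmp_root)


def demo():
    """Run both strategies inside a sandbox that stands in for a shared /tmp."""
    with tempfile.TemporaryDirectory() as sandbox:
        me = os.getuid()
        other = me + 1  # constructed: stands in for a second local account
        # The predictable name already exists before the install runs.
        taken = fixed_build_dir(sandbox, "pabs")
        os.mkdir(taken, 0o755)
        # Seen from the other account, the directory has a foreign owner.
        fixed = audit_build_dir(taken, other)
        a, b = private_build_dir(sandbox), private_build_dir(sandbox)
        return fixed, audit_build_dir(a, me), audit_build_dir(b, me), a != b


if __name__ == "__main__":
    print(demo())
```

Because the mkdtemp() name is not known in advance, a pre-existing directory at the fixed name no longer affects the install, and each run gets its own directory.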