[issue21030] pip usable only by administrators on Windows and SELinux
Christian Ullrich added the comment: Actually, this appears to be fixed in pip 1.5.6 (and 1.5.5, commit 79408cbc6fa5d61b74b046105aee61f12311adc9, AFAICT), which is included in 3.4.1; I cannot reproduce the problem in 3.4.1. That makes this bug obsolete. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue21030 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue21030] pip usable only by administrators on Windows and SELinux
Donald Stufft added the comment: I believe in pip 1.5.6 we switched from shutil.move to shutil.copytree which I believe will reset the permissions/SELinux context? -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue21030 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue21030] pip usable only by administrators on Windows and SELinux
Martin v. Löwis added the comment: Christian: thanks for the update. It's actually that the bug is fixed, not obsolete :-) -- resolution: - fixed status: open - closed ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue21030 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue21030] pip usable only by administrators on Windows and SELinux
Nick Coghlan added the comment: A little additional explanation of why the switch to copytree would have fixed this, at least in the SELinux case: under SELinux, files typically get labelled with a context based on where they're created. Copying creates a *new* file at the destination with the correct context for that location (based on system policy), but moving an *existing* file will retain its *original* context - you then have to call restorecon to adjust the context for the new location. I assume Windows NTFS ACLs are similar, being set based on the parent directory at creation and then preserved when moved. Moral of the story? These days, if you're relocating files to a different directory, copying and then deleting the original will be significantly more consistent across different environments. OS level move operations are best avoided in cross platform code, unless it's within the same directory, or you really need the speed and are prepared to sort out the relevant access control tweaks afterwards. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue21030 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue21030] pip usable only by administrators on Windows and SELinux
Martin v. Löwis added the comment: If this needs to be done by fixing the ACLs afterwards, then I suggest to add a C custom action, based on the code in http://stackoverflow.com/questions/17536692/resetting-file-security-to-inherit-after-a-movefile-operation -- title: pip usable only by administrators on Windows - pip usable only by administrators on Windows and SELinux ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue21030 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue21030] pip usable only by administrators on Windows
Christian Ullrich added the comment: According to procmon, ensurepip first installs the bundled packages in $TEMP, then moves the resulting files to the Python installation directory. According to http://support.microsoft.com/kb/310316, a file that is moved within the same volume keeps its original ACL and does not inherit permissions from its new parent directory. I can think of two ways to fix this: 1. Instead of moving the files, copy them (and delete the originals) 2. Reset the ACLs after the move. The icacls commands I posted earlier will work, but icacls may not be available with the same option set on all supported Windows versions. Of the two, #1 is probably more reliable. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue21030 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue21030] pip usable only by administrators on Windows
Martin v. Löwis added the comment: I agree with the analysis. Notice that this may sound worse than it is: even if a regular user could run pip, they still couldn't install anything. As users will have to get an elevated prompt, anyway, when running pip, they typically won't notice the problem. In any case, I also think that the problem is within ensurepip. -- nosy: +dstufft, ncoghlan ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue21030 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue21030] pip usable only by administrators on Windows
Christian Ullrich added the comment: Unprivileged users cannot install into the global site-packages, but they might want to use the global pip to install with --user. Also, this issue affects not only pip, but also the other bundled packages, i.e. setuptools and pkg_resources. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue21030 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue21030] pip usable only by administrators on Windows
Nick Coghlan added the comment: The current approach is also likely to cause problems under SELinux. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue21030 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue21030] pip usable only by administrators on Windows
Nick Coghlan added the comment: Solution 1 will also handle the SELinux case (copy and then delete original). -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue21030 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue21030] pip usable only by administrators on Windows
New submission from Christian Ullrich: After installing python-3.4.0.amd64.msi on Windows 8.1 x64, the pip command (and the versioned ones as well) only work for administrators. Regular users get this: Traceback (most recent call last): File C:\Program Files\Python34\lib\runpy.py, line 171, in _run_module_as_main __main__, mod_spec) File C:\Program Files\Python34\lib\runpy.py, line 86, in _run_code exec(code, run_globals) File C:\Program Files\Python34\Scripts\pip.exe\__main__.py, line 5, in module ImportError: cannot import name 'main' The immediate reason is that the files in the site-packages/pip directory are created with no access permissions for non-administrators: C:\Program Files\Python34\Lib\site-packages\pipicacls __main__.py __main__.py NT-AUTHORITY\SYSTEM:(F) BUILTIN\Administrators:(F) abc\Admin:(F) Why that is, I have no idea. It can be fixed by running: icacls path\to\site-packages\pip /inheritance:e /t icacls path\to\site-packages\pip /reset /t The /reset may be unnecessary. -- components: Installation, Windows messages: 214527 nosy: Christian.Ullrich priority: normal severity: normal status: open title: pip usable only by administrators on Windows type: behavior versions: Python 3.4 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue21030 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue21030] pip usable only by administrators on Windows
Changes by Ned Deily n...@acm.org: -- nosy: +loewis, zach.ware ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue21030 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
