33

Can't remember where I read this, but either somewhere on here or in the comments of a tutorial I was following, a person said:

> Never ever use `sudo pip install`; you could overwrite important stuff without knowing it. Use `pip install --user` instead!

I see lots of references to sudo pip install everywhere though, so did this person know what they were talking about and I should avoid it, or... ?

wjandrea
Chockomonkey
  • 4
    In theory, a malicious package can install/read/modify/delete any file it has access to through various directives specified in its setup.py file. Installing with sudo widens the number of files / locations that can be modified. You're basically allowing unvetted code root access to your system. In practice, when installing packages from trusted authors, you're unlikely to get burnt -- at least not significantly more vulnerable than installing a package from your distro's package manager. That being said, the `--user` switch is available and should be seriously considered. – jedwards Mar 27 '15 at 22:14
  • 1
    I have used sudo pip countless times without ever encountering an issue, once you trust the source I would not worry about it. – Padraic Cunningham Mar 27 '15 at 22:14
  • 1
    Related: [Is it acceptable & safe to run pip install under sudo?](http://stackoverflow.com/q/15028648/95735) – Piotr Dobrogost Apr 08 '17 at 20:35
  • 1
    To anyone interested, there's a pretty good answer to a similar question [here](https://stackoverflow.com/a/61452956/41316) – bruno desthuilliers Apr 27 '20 at 07:33
  • Does this answer your question? [What are the risks of running 'sudo pip'?](https://stackoverflow.com/questions/21055859/what-are-the-risks-of-running-sudo-pip) – Josh Correia Feb 25 '22 at 02:04

2 Answers

27
```
$ sudo pip install
```

Installs the package globally in your Python installation, i.e. for all users.

```
$ pip install --user
```

Installs to the local user directory, i.e. ~/.local/lib/python -- just you.

Example:

```
$ sudo pip install jupyter
$ jupyter notebook
```

Will run jupyter, open a web browser, allow you to work with notebooks.

```
$ pip install --user jupyter
$ jupyter notebook
```

Will do nothing until your local directory has been added to your PATH.

There was recently malicious code included in PyPI. Never use sudo to install with pip. This is the same as running a virus as root. Either add your local folder to your PATH or use a virtualenv.

John Doe
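Added example, not part of the answer above or of pip itself: a Python check of the two points raised in this thread, namely which tree a `pip install` would write to and with what privilege, and whether the per-user script directory is on PATH. The function names and sample paths are made up for illustration, and it assumes a POSIX system where user-installed scripts go to `<userbase>/bin`.

```python
import os
import site
import sys
import sysconfig


def pip_target(euid, prefix, base_prefix, user_flag):
    """Classify where `pip install` would write, and with what privilege.

    Values are passed in rather than read from the process so the logic
    can be exercised with constructed inputs.
    """
    if prefix != base_prefix:
        target = "virtualenv"    # the environment's own tree, no sudo needed
    elif user_flag:
        target = "user-site"     # per-user tree, e.g. ~/.local on Linux
    else:
        target = "system-site"   # shared by every user and by OS tools
    # Installing a source package can execute its setup.py, so the
    # effective UID decides which files that code is able to touch.
    return target, ("root" if euid == 0 else "unprivileged")


def dir_on_path(directory, path_env):
    """True if `directory` is one of the entries of a PATH-style string."""
    want = os.path.normpath(os.path.expanduser(directory))
    entries = [e for e in path_env.split(os.pathsep) if e]
    return any(os.path.normpath(os.path.expanduser(e)) == want for e in entries)


def report(user_flag=True):
    """Describe the running interpreter (POSIX only: uses os.geteuid)."""
    target, privilege = pip_target(
        os.geteuid(), sys.prefix, sys.base_prefix, user_flag)
    # Assumption: the user scheme puts console scripts in <userbase>/bin.
    user_bin = os.path.join(site.getuserbase(), "bin")
    return {
        "target": target,
        "privilege": privilege,
        # If this is False, a plain `pip install` fails without sudo.
        "site_packages_writable": os.access(
            sysconfig.get_path("purelib"), os.W_OK),
        "user_bin": user_bin,
        "user_bin_on_path": dir_on_path(user_bin, os.environ.get("PATH", "")),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

If `user_bin_on_path` is false, scripts installed with `--user` will not be found by the shell until that directory is added to PATH.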
8

sudo pip install probably means that you want to install a package system-wide. For some packages, such as virtualenvwrapper, that might be useful, but besides that I'd avoid installing system-wide packages and create a virtualenv for each application and pip install to that virtualenv (which can be done without sudo).

Peter
  • @jedwards I believe jedwards has the right idea as to why people recommend not doing it. I'm working in a single minded server, so system-wide shouldn't be a problem. That being said, I've still been using --user and wish there was a more solid answer. – Chockomonkey Mar 30 '15 at 17:10