Is `sudo pip install` still a broken practice?
I'm new to Ubuntu, so please bear with me. I installed pip using this command: `sudo apt-get -y install python-pip`. Then I installed NLTK using the command on their website, which was: `sudo pip install -U nltk`. But then I stumbled on this question that says that everything I did was a "broken practice". The line that struck me the most was that using `sudo pip` is inherently wrong and that giving `pip` too much force could damage operating system files. Can anyone validate this claim?

Note - I only used `sudo` because when I tried the command `apt-get -y install python-pip` it gave me 2 errors:

E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?
Solution 1:

Both `sudo pip install` and its other common variant `sudo -H pip install` should not be encouraged because it is a security risk to use root privileges to use `pip` to install Python packages from PyPI (Python Package Index).

From https://stackoverflow.com/a/21056000/486919 (emphasis mine):

    When you run `pip` with `sudo`, you run `setup.py` with `sudo`. In other words, you run arbitrary Python code from the Internet as root. If someone puts up a malicious project on PyPI and you install it, you give an attacker root access to your machine. Prior to some recent fixes to `pip` and PyPI, an attacker could also run a man in the middle attack to inject their code when you download a trustworthy project.

As mentioned at https://security.stackexchange.com/a/79327/8761, it is important to note that anyone can upload Python packages, including malicious ones, to PyPI.

In short, in accordance with the principle of least privilege, don't use `sudo` with `pip` to install Python packages from PyPI unless you absolutely need to. Instead, consider using `pip install --user` (note that `pip install` with no `sudo` nor additional flags/options defaults to `pip install --user` on Ubuntu currently) or virtual environments (such as `virtualenv`). If you see people recommending `sudo pip` or `sudo -H pip`, please tell them not to.
Solution 2:

You must use `sudo` to install pip with apt (`sudo apt install python-pip`), but as stated in edwinksl's answer you should not use `sudo` to install packages with pip; you should use `pip install --user <package>` to install only for your user, or use a virtualenv to even further restrict the scope of the package.

Apt installs packages from Ubuntu's repositories, whereas pip installs user-uploaded packages from PyPI which could be malicious.
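Both answers make the same least-privilege point: apt-managed files live in one place, `sudo pip` writes root-owned files into another, and `pip install --user` or a virtualenv keeps everything under your own account. The script below is an added example, not code from the question or either answer, that turns that distinction into a check you can run on an existing machine: it walks the installed distributions and classifies each one by where it sits on disk, so packages that were previously installed with `sudo pip` show up in their own group, and it returns the least-privilege install command for a package instead of ever suggesting one as root. The path conventions it assumes are the usual Debian/Ubuntu layout (apt under `/usr/lib/python3*/dist-packages`, `sudo pip` under `/usr/local/lib/python3*/dist-packages`, `--user` under `~/.local/lib`); the function names and the exact regexes are my own assumptions, not part of pip.

```python
"""Audit where installed Python packages came from on a Debian/Ubuntu system.

Added example (not from the question or answers). Location classes assumed:
  /usr/lib/python3*/dist-packages        -> installed by apt (dpkg owns the files)
  /usr/local/lib/python3*/dist-packages  -> installed with `sudo pip` as root
  ~/.local/lib/python3*/site-packages    -> installed with `pip install --user`
  any other .../site-packages            -> a virtualenv / venv
"""
import os
import re
from importlib import metadata

# Path patterns for the assumed layout; the python3.X minor version is free.
_APT = re.compile(r"^/usr/lib/python3(\.\d+)?/dist-packages(/|$)")
_SUDO_PIP = re.compile(r"^/usr/local/lib/python3(\.\d+)?/(dist|site)-packages(/|$)")


def classify_location(path: str, home: str) -> str:
    """Return 'apt', 'sudo-pip', 'user', 'venv' or 'other' for a package directory."""
    p = os.path.normpath(path)
    if _APT.match(p):
        return "apt"
    if _SUDO_PIP.match(p):
        return "sudo-pip"
    user_site = os.path.normpath(os.path.join(home, ".local", "lib"))
    if p == user_site or p.startswith(user_site + os.sep):
        return "user"
    if "site-packages" in p.split(os.sep):
        return "venv"
    return "other"


def audit_installed(home: str = os.path.expanduser("~")) -> dict:
    """Group every importable distribution by origin class: {class: [names]}."""
    groups = {"apt": [], "sudo-pip": [], "user": [], "venv": [], "other": []}
    for dist in metadata.distributions():
        # locate_file("") resolves to the directory that holds the dist-info.
        location = str(dist.locate_file(""))
        name = dist.metadata["Name"] or "?"
        groups[classify_location(location, home)].append(name)
    return groups


def recommended_command(package: str, euid: int, use_venv: bool = False) -> str:
    """Least-privilege install command for a PyPI package.

    Refuses outright when the effective uid is root: the whole point of the
    answers above is that setup.py must never run with root privileges.
    """
    if euid == 0:
        return "refuse: do not run pip as root; re-run as your normal user"
    if use_venv:
        venv = os.path.join("~", ".venvs", package)
        return f"python3 -m venv {venv} && {venv}/bin/pip install {package}"
    return f"python3 -m pip install --user {package}"


if __name__ == "__main__":
    for origin, names in audit_installed().items():
        print(f"{origin:9s} {len(names):4d}  {' '.join(sorted(names))[:70]}")
    print(recommended_command("nltk", os.geteuid()))
    print(recommended_command("nltk", os.geteuid(), use_venv=True))
```

Run it as your normal user; a non-empty `sudo-pip` group lists the packages that landed under `/usr/local` as root, which is exactly the set worth reinstalling into a `--user` site or a venv (and removing from `/usr/local` afterwards). The `recommended_command` helper deliberately has no root branch other than refusal, so a wrapper script built on it cannot be talked into running `pip` with elevated privileges.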