| msg214527 - (view) |
Author: Christian Ullrich (chrullrich) * |
Date: 2014-03-23 00:25 |
| After installing python-3.4.0.amd64.msi on Windows 8.1 x64, the "pip" command (and the versioned ones as well) only work for administrators. Regular users get this: Traceback (most recent call last): File "C:\Program Files\Python34\lib\runpy.py", line 171, in _run_module_as_main "__main__", mod_spec) File "C:\Program Files\Python34\lib\runpy.py", line 86, in _run_code exec(code, run_globals) File "C:\Program Files\Python34\Scripts\pip.exe\__main__.py", line 5, in ImportError: cannot import name 'main' The immediate reason is that the files in the site-packages/pip directory are created with no access permissions for non-administrators: C:\Program Files\Python34\Lib\site-packages\pip>icacls __main__.py __main__.py NT-AUTHORITY\SYSTEM:(F) BUILTIN\Administrators:(F) abc\Admin:(F) Why that is, I have no idea. It can be fixed by running: icacls path\to\site-packages\pip /inheritance:e /t icacls path\to\site-packages\pip /reset /t The /reset may be unnecessary. |
|
|
| msg214548 - (view) |
Author: Christian Ullrich (chrullrich) * |
Date: 2014-03-23 06:34 |
| According to procmon, ensurepip first installs the bundled packages in $TEMP, then moves the resulting files to the Python installation directory. According to http://support.microsoft.com/kb/310316, a file that is moved within the same volume keeps its original ACL and does not inherit permissions from its new parent directory. I can think of two ways to fix this: 1. Instead of moving the files, copy them (and delete the originals) 2. Reset the ACLs after the move. The icacls commands I posted earlier will work, but icacls may not be available with the same option set on all supported Windows versions. Of the two, #1 is probably more reliable. |
|
|
| msg214551 - (view) |
Author: Martin v. Löwis (loewis) *  |
Date: 2014-03-23 08:09 |
| I agree with the analysis. Notice that this may sound worse than it is: even if a regular user could run pip, they still couldn't install anything. As users will have to get an elevated prompt, anyway, when running pip, they typically won't notice the problem. In any case, I also think that the problem is within ensurepip. |
|
|
| msg214552 - (view) |
Author: Christian Ullrich (chrullrich) * |
Date: 2014-03-23 08:23 |
| Unprivileged users cannot install into the global site-packages, but they might want to use the global pip to install with --user. Also, this issue affects not only pip, but also the other bundled packages, i.e. setuptools and pkg_resources. |
|
|
| msg214567 - (view) |
Author: Alyssa Coghlan (ncoghlan) * |
Date: 2014-03-23 12:23 |
| The current approach is also likely to cause problems under SELinux. |
|
|
| msg214568 - (view) |
Author: Alyssa Coghlan (ncoghlan) * |
Date: 2014-03-23 12:25 |
| Solution 1 will also handle the SELinux case (copy and then delete original). |
|
|
| msg221312 - (view) |
Author: Martin v. Löwis (loewis) * |
Date: 2014-06-22 21:03 |
| If this needs to be done by fixing the ACLs afterwards, then I suggest to add a C custom action, based on the code in http://stackoverflow.com/questions/17536692/resetting-file-security-to-inherit-after-a-movefile-operation |
|
|
| msg221354 - (view) |
Author: Christian Ullrich (chrullrich) * |
Date: 2014-06-23 13:27 |
| Actually, this appears to be fixed in pip 1.5.6 (and 1.5.5, commit 79408cbc6fa5d61b74b046105aee61f12311adc9, AFAICT), which is included in 3.4.1; I cannot reproduce the problem in 3.4.1. That makes this bug obsolete. |
|
|
| msg221365 - (view) |
Author: Donald Stufft (dstufft) * |
Date: 2014-06-23 15:35 |
| I believe in pip 1.5.6 we switched from shutil.move to shutil.copytree which I believe will reset the permissions/SELinux context? |
|
|
| msg221370 - (view) |
Author: Martin v. Löwis (loewis) * |
Date: 2014-06-23 17:43 |
| Christian: thanks for the update. It's actually that the bug is fixed, not obsolete :-) |
|
|
| msg221384 - (view) |
Author: Alyssa Coghlan (ncoghlan) * |
Date: 2014-06-23 23:30 |
| A little additional explanation of why the switch to copytree would have fixed this, at least in the SELinux case: under SELinux, files typically get labelled with a context based on where they're created. Copying creates a *new* file at the destination with the correct context for that location (based on system policy), but moving an *existing* file will retain its *original* context - you then have to call "restorecon" to adjust the context for the new location. I assume Windows NTFS ACLs are similar, being set based on the parent directory at creation and then preserved when moved. Moral of the story? These days, if you're relocating files to a different directory, copying and then deleting the original will be significantly more consistent across different environments. OS level move operations are best avoided in cross platform code, unless it's within the same directory, or you really need the speed and are prepared to sort out the relevant access control tweaks afterwards. |
|
|