[Numpy-discussion] Round 2 with Leopard+Python

David Cournapeau david@ar.media.kyoto-u.ac...
Sun Nov 4 20:58:41 CST 2007 

Brian Granger wrote:
> Hi,
>
> In the process of working through the issues with sys.path on Leopard,
> I have found another potential Leopard bug that is particularly nasty.
>
> In Tiger, sudo preserves environment variables:
>
> $ export FOO=/tmp
> $ python -c "import os; print os.environ['FOO']"
> /tmp
> $ sudo python -c "import os; print os.environ['FOO']"
> /tmp
>
> But, in Leopard, sudo does not perserve environment variables:
>
> $ export FOO=/tmp
> $ python -c "import os; print os.environ['FOO']"
> /tmp
> $ sudo python -c "import os; print os.environ['FOO']"
> Password:
> Traceback (most recent call last):
>   File "<string>", line 1, in <module>
>   File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/UserDict.py",
> line 22, in __getitem__
>     raise KeyError(key)
> KeyError: 'FOO'
>
> This is a big problem.  First, if you have set PYTHONPATH to point
> sys.path at the site-packages in /Library, this setting will be lost
> when you do:
>
> sudo python setup.py install
>
> On another package.  I encountered this in building pytables, which
> requires numpy >= 1.0.3.  I had installed numpy 1.0.4, and set my
> PYTHONPATH to point to it.  But, the pytables setup.py script failts
> because PYTHONPATH is lost and it only sees the older (1.0.1) builtin
> numpy.
>
> Second, some setup.py scripts use environment variables to determine
> how things are built, find other dependencies, etc.  Currently, this
> will fail on Leopard if such packages are installed into locations
> that require sudo.  I haven't tried it yet, but I expect that this
> will also hold true for other python installations.  The behavior also
> shows up with ruby on Leopard.
>
> The solution currently is to install all packages to locations that
> don't require sudo to write to.  I will file a bug report, but until
> the bug is fixed, we should explore putting a note on the numpy/scipy
> site - and even possibly on the python.org site to describe the
> problem and its workaround.
>   
Have you tried the env_reset option (man sudoers) ? IMHO, the Leopard 
behaviour looks saner than Tiger, from what you are saying. Having 
PYTHONPATH overridable by the user looks like a good tool for unwanted 
privileges escalation... Actually, looking a bit at sudo NEWS file, you 
can see that PYTHONPATH was added as an env variable to disable 
something like 2 years ago, which explains the behaviour (sudo has been 
updated, I suppose, and Tiger is a bit more than 2 years old if I 
remember correctly).

Do you *really* need to install numpy in a location only writable 
through sudo ?

cheers,

David

More information about the Numpy-discussion mailing list