/tmp/pip-build can't be shared by several linux users

[guettli]

A second bug related to the fixed temporary directory /tmp/pip-build.

This does not work if several linux-users use pip.

First user was modwork_egs_d and now the second user modwork_vums_dt tries to use pip:

modwork_vums_dt@workepdevel113:~$ pip install --user pep8
Downloading/unpacking pep8
  Downloading pep8-1.3.3.tar.gz
Exception:
Traceback (most recent call last):
  File "/usr/local/lib/python2.6/site-packages/pip-1.2.1.post1-py2.6.egg/pip/basecommand.py", line 107, in main
    status = self.run(options, args)
  File "/usr/local/lib/python2.6/site-packages/pip-1.2.1.post1-py2.6.egg/pip/commands/install.py", line 263, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/usr/local/lib/python2.6/site-packages/pip-1.2.1.post1-py2.6.egg/pip/req.py", line 1032, in prepare_files
    self.unpack_url(url, location, self.is_download)
  File "/usr/local/lib/python2.6/site-packages/pip-1.2.1.post1-py2.6.egg/pip/req.py", line 1159, in unpack_url
    retval = unpack_http_url(link, location, self.download_cache, self.download_dir)
  File "/usr/local/lib/python2.6/site-packages/pip-1.2.1.post1-py2.6.egg/pip/download.py", line 481, in unpack_http_url
    unpack_file(temp_location, location, content_type, link)
  File "/usr/local/lib/python2.6/site-packages/pip-1.2.1.post1-py2.6.egg/pip/util.py", line 558, in unpack_file
    untar_file(filename, location)
  File "/usr/local/lib/python2.6/site-packages/pip-1.2.1.post1-py2.6.egg/pip/util.py", line 472, in untar_file
    os.makedirs(location)
  File "/usr/lib64/python2.6/os.py", line 157, in makedirs
    mkdir(name, mode)
OSError: [Errno 13] Permission denied: '/tmp/pip-build/pep8'

Storing complete log in /home/modwork_vums_dt/.config/pip/pip.log

modwork_vums_dt@workepdevel113:~$ ls -l /tmp/pip-build/
-rw-r--r-- 1 modwork_egs_d modwork_egs_d 185 20. Nov 12:27 pip-delete-this-directory.txt

modwork_vums_dt@workepdevel113:~$ pip --version
pip 1.2.1.post1 from /usr/local/lib/python2.6/site-packages/pip-1.2.1.post1-py2.6.egg (python 2.6)

Related: #725

[guettli]

I found a workaround:

export TMPDIR=$HOME/tmp
mkdir -p $TMPDIR
pip install --user ...

[chrismatta]

Just got bit by this as well. The workaround is fine, but the mode for /tmp/pip-build really should inherit /tmp's permissions.

[guettli]

I use "export TMPDIR=$HOME/tmp" in my environment now. But fixing this would be nice.

[guettli]

@chrismatta please explain which permissions from /tmp should be inherited. I don't think the sticky bit from /tmp should be used for the pip-build.

[chrismatta]

@guiettli I guess it has to do with one's philosophy of what /tmp is for. Traditionally on linux /tmp has been scratch space where anyone can read and write to, so I don't see why making pip-build 0777 would be an issue.

We ran into this recently after multiple users were tyring to install modules into thier pythonbrew environmetns, which doesn't seem to set $TMPDIR, so pip uses the /tmp dir.

[guettli]

If you can inject code from one user to the next it is a big security problem. But somehow nobody seems to care.

[d1b]

@chrismatta as @guettli has mentioned out this would introduce a security flaw. What functionality would be provided by letting other users read and write to a given user's temporary pip-build directory (other than introducing a security flaw) ?

[chrismatta]

So why use /tmp at all? Or maybe pip should use /tmp/pip-build-uid for each user. This is probably more a pythonbrew issue than a pip issue in reality.

[guettli]

@chrismatta that is what this pull request does: os.path.join(tempfile.gettempdir(), 'pip-build-%s' % getpass.getuser())

https://github.com/pypa/pip/pull/734/files

[qwcode]

addressed in pull #780