Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to disable `site.ENABLE_USER_SITE` for an environment?

Tags:

python

From the docs:

site.ENABLE_USER_SITE

Flag showing the status of the user site-packages directory. True means that it is enabled and was added to sys.path. False means that it was disabled by user request (with -s or PYTHONNOUSERSITE). None means it was disabled for security reasons (mismatch between user or group id and effective id) or by an administrator.

I'm particularly interested in the phrase or by an administrator. On machines on which I'm an administrator (i.e. my own), how do I disable this option globally, for a specific interpreter executable?

The reason I want to do this is that new conda environments leave this enabled: https://github.com/conda/conda/issues/448

like image 350
ontologist Avatar asked Aug 30 '14 16:08

ontologist


1 Answers

The value of that variable is determined entirely in Python code:

def check_enableusersite():
    """Check if user site directory is safe for inclusion

    The function tests for the command line flag (including environment var),
    process uid/gid equal to effective uid/gid.

    None: Disabled for security reasons
    False: Disabled by user (command line option)
    True: Safe and enabled
    """
    if sys.flags.no_user_site:
        return False

    if hasattr(os, "getuid") and hasattr(os, "geteuid"):
        # check process uid == effective uid
        if os.geteuid() != os.getuid():
            return None
    if hasattr(os, "getgid") and hasattr(os, "getegid"):
        # check process gid == effective gid
        if os.getegid() != os.getgid():
            return None

    return True

The first test is simply for the -s switch or the PYTHONNOUSERSITE environment variable having been used.

What remains is the tests that return None if the effective userid or groupid differ from the process userid or groupid.

An administrator can set the effective user id or group id bits, at which point the effective user of the executable is changed to the owner or group of the executable rather than the user executing Python, at which point the above function will return None.

Other than that, a sitecustomize.py package could set the value to None again, and explicitly remove user directories from the path again. If so, the usercustomize.py import step is skipped.

like image 113
Martijn Pieters Avatar answered Sep 20 '22 12:09

Martijn Pieters