DEV Community


Posted on • Updated on

Stop using sudo pip install

We've all done it:

pip install numpy
# run into permissions issues
sudo pip install numpy # or "sudo !!" for the power users ;)

End of story, it works, it's what is written in the README so what's wrong with it?

You see, when you install a library through pip, you are executing with root permissions. This file could harbor malicious code. You are also messing with the system libraries and that invariably leads to issues down the line.

Relevant XKCD (thx u/truh):


A much better and secure way would be:

pip install --user numpy # libs will be installed in ~/.local/lib

This is better, and can be used for installing applications, but it doesn't solve the problem of having different versions needs for different python projects. Enter pipenv. pipenv is to python what composer is to PHP. It lets you easily install and use libraries per project. It's not the only tool allowing you to do that, but it's the one I use so it's the one I'm gonna present you. Example:

pipenv install numpy matplotlib pandas
# to start your program
pipenv run ./
# to install libs from another machine, after a git pull:
pipenv sync
# to get a shell in the env (like `source myenv/bin/activate` for venv)
pipenv shell

This allows a very reproducible environment for your program, without resorting to Docker and without messing up user or system libraries. Save yourself from future bugs and start using pipenv, venv, conda or virtualenv right away! It's much better than requirements.txt + pip. :)


Top comments (22)

codesandbox profile image

sudo pip is for global packages, virtualenv for literally everything else. Neither venv or pipenv will prevent you getting pwnd if you're careless enough to install a malicious package. They are not effective security measures.

blubberdiblub profile image
Niels Böhm • Edited

Using sudo pip on distros that provide native Python packages (apt-get install python-numpy, etc.) is calling for trouble.

codesandbox profile image

Fair enough. I do prefer the native package manager route when it's an option, but in those cases it's generally handled automatically as a dependency anyways. Really, 99.99% of all manual pip interactions should be happening in some sandbox env anyways. Regardless it's better practice to understand and respect root ops rather than fear them, because sometimes they are necessary.

tmr232 profile image
Tamir Bahar

When would a pip install --user not suffice instead of a global install?

matthutchison profile image
Matt Hutchison

We see it when we're installing an application that will be used by another user account, since ~/.local/lib (or the equivalent) isn't shared. This is pretty rare in a development environment, but it comes up frequently in an administered multi-user setup (say a shared workstation or batch cluster). Sometimes service accounts as well depending on what they're doing.

rupankarghosh profile image

After running pip with sudo in my arch Linux I messed-up some of my system files. And now the whole system is broken.

ijstokes profile image
Ian Stokes-Rees

Or use conda which solves this problem for Python plus many other languages and arbitrary binaries.

elabftw profile image

but conda is not per project, is it?

rodolfoferro profile image
Rodolfo Ferro

You can create a specific conda environment for each proyect, and even specify the conda channel from which it is installed.

I usually create an environment.yml file for this, so I only run

$ conda env create -f environment.yml

to create the conda env.

After this I only do:

# Activate conda env:
$ conda activate (env-name)

# Deactivate conda env:
$ conda deactivate

(Depending on your Anaconda version, to activate/deactivate the env, you can use source instead of conda.)

Thread Thread
elabftw profile image

Good to know thx.

phydroxide profile image

What about for pip install --upgrade pip

"ERROR: Could not install packages due to an EnvironmentError: [Errno 13] Permission denied: '/usr/bin/pip3'

How do you get pip into /usr/bin without running it privileged?

elabftw profile image

You don't, that's the whole point. Unless you give your user permissions to write in /usr/bin, which is not a good idea.

vikrantsingh47 profile image
vikrant singh

should we install pip itself with sudo?
eg: sudo apt install python3-pip
and then ,
pip install --upgrade pip

is that corrent process?

dvershinin profile image
Danila Vershinin

Here's a simple virtualenv manager that you can use to install Python apps in a safe way: You can then just type pip-safe install <pypy-name> and it will take care of installing stuff and making it available on PATH. (you can use it instead of typing "pip install" and breaking things :)

mandarvaze profile image
Mandar Vaze

I also prefer pipenv where I can.
But it hasn't worked 100% of the times :(
So had to "fall back to" manually creating virtualenv followed by pip install

errietta profile image
Erry Kostala

I use pipenv, works great!

architekco profile image

Yes yes but how to reset the nightmare that is my current python environment(s)? Honestly I'd be happy resetting my entire Dev ecosystem (but would like to avoid reformatting). MacOS of course.

elabftw profile image

Simple: install a real OS like GNU/Linux or Free/OpenBSD on your mac and you're good to go :p

No seriously macos is fucked up in various ways… But if you use pipenv or similar, you don't really have to worry about what is installed on the rest of the computer.

architekco profile image

Right, I do use virtual environments these days, kinda... but ... my mac is a barren wasteland of python installs and duplicate packages and all sorts of other mind-boggling environment fuckery that I have been putting off dealing with! Ill get to it one of these days, I guess.

bradleygrant profile image
Bradley Grant

But venv.

xiaodaigh profile image

how do yu specify which environment to use?