infinite-omicron / pentesting-vm

Penetration Testing Virtual Machine
GNU General Public License v3.0
2 stars, 2 forks

Run pip as non-root user #6

Closed oxr463 closed 1 year ago

oxr463 commented 3 years ago

default: WARNING: Running pip as root will break packages and permissions. You should install packages reliably by using venv: https://pip.pypa.io/warnings/venv
outzhu commented 2 years ago

In order to run Docker/Vagrant we need root permissions. I don't think we can run as root for the beginning provisioning then change to non-root for pip then change it to root again. The warning can't be fixed.

oxr463 commented 2 years ago

There is no way to silence the warning? Something like this https://github.com/pypa/pip/issues/10556

outzhu commented 2 years ago

I can't find a command to quiet the warning. Their solution was to add it in the script.

oxr463 commented 2 years ago

> I can't find a command to quiet the warning. Their solution was to add it in the script.

Looks like that got merged into pip v22.1 (See: https://github.com/pypa/pip/pull/10990). We need to make sure we're on that version of pip, and then set this environment variable for our command: https://github.com/pypa/pip/pull/10990#issuecomment-1091476480

outzhu commented 2 years ago

I did this for the environment variable and it didn't work. How should I set the env to quiet pip's warning?

build {
  name        = "pentesting-vagrant"
  description = "Penetration Testing Virtual Machine"

  sources = [
    "source.vagrant.alpine"
  ]

  provisioner "shell" {
    scripts = [
      "scripts/dependencies.sh",
      "scripts/apktool.sh",
      "scripts/dex2jar.sh",
      "scripts/jd_cmd.sh",
      "scripts/theharvester.sh",
      "scripts/zaproxy.sh"
    ]
    execute_command = "echo 'vagrant' | sudo -S -E sh -c '{{ .Vars }} {{ .Path }}'"
    environment_vars = ["PIP_NO_WARN_ABOUT_ROOT_USER=0"]
  }
}

oxr463 commented 2 years ago

First, make sure you're on pip v22.1 or newer. Second, assuming environment_vars has the right syntax for Packer and it still doesn't work, I would maybe try adding it inline in the shell script, https://github.com/infinite-omicron/pentesting-vm/blob/master/packer/scripts/dependencies.sh#L28

outzhu commented 2 years ago

I've been trying to test pip 22.1.2's no-warning option. I tried env PIP_NO_WARN_ABOUT_ROOT_USER=0 pip install <> and it didn't work, so I took a look at the merged PR's commits that have the opt-out change, but I can't find that change in pip itself. Do you know where the likely place for that option would be, since it's not in its PR place?

Also do you know how to get that menu from the screenshot?

oxr463 commented 2 years ago

Here is what I tried:

# spin up a container
docker run -it alpine:latest /bin/sh

# check user
whoami
root

# install pip
apk update
apk add py3-pip

# check version
pip -V
pip 22.1.1 from /usr/lib/python3.10/site-packages/pip (python 3.10)

# install packages
PIP_NO_WARN_ABOUT_ROOT_USER=0 pip install mitmproxy

I didn't see any warnings. Maybe you could just put this directly in the dependencies.sh script:

export PIP_NO_WARN_ABOUT_ROOT_USER=0

outzhu commented 2 years ago

What I got from running a Docker container as root user.

/ # pip -V
pip 22.1.1 from /usr/lib/python3.10/site-packages/pip (python 3.10)

/ # PIP_NO_WARN_ABOUT_ROOT_USER=0 pip install sqlmap
Requirement already satisfied: sqlmap in /usr/lib/python3.10/site-packages (1.6.6)
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

PIP_NO_WARN_ABOUT_ROOT_USER=0 does not work for either Vagrant or Docker.

outzhu commented 2 years ago

Thanks to https://github.com/pypa/pip/issues/11179 we can use PIP_ROOT_USER_ACTION=ignore or --root-user-action ignore. I have made the PR https://github.com/infinite-omicron/pentesting-vm/pull/23
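
The outcome of this thread, packaged as a provisioner-style helper. This is an added example, not the project's scripts/dependencies.sh and not the code in the PR above; the function names are the example's own. It assumes the provisioner runs as root (as the Packer execute_command does) and that pip is on PATH. The one check worth having is the version gate: --root-user-action and PIP_ROOT_USER_ACTION were introduced in pip 22.1, and an older pip rejects the unknown option outright, so the flag is only passed after parsing `pip -V`. Note that this silences the warning, not the underlying issue: installing into system site-packages as root still risks clobbering apk-managed Python files, which is what pip is warning about.

```sh
#!/bin/sh
# Added example, not the project's scripts/dependencies.sh or the PR's code.
# Helper for a root-run provisioner (Packer/Vagrant/Docker) that installs
# packages with pip and suppresses the root-user warning only when the
# installed pip is new enough to know the option (pip >= 22.1 added both
# --root-user-action and the PIP_ROOT_USER_ACTION environment variable).
# Older pip versions reject unknown options, so the flag is gated on a
# version check. Function names here are the example's own.

# Extract the version from `pip -V` output such as
# "pip 22.1.1 from /usr/lib/python3.10/site-packages/pip (python 3.10)".
pip_version_from_output() {
  printf '%s\n' "$1" | awk '{ print $2 }'
}

# Succeed (exit 0) when a dotted version string is 22.1 or newer.
# awk's "exit" takes the status directly, so the condition is negated.
pip_supports_root_user_action() {
  printf '%s\n' "$1" | awk -F. '{ exit !($1 > 22 || ($1 == 22 && $2 >= 1)) }'
}

# Print the extra flag to pass to `pip install` for this version, or nothing.
pip_root_flags() {
  if pip_supports_root_user_action "$1"; then
    printf '%s' '--root-user-action=ignore'
  fi
}

# Install the given packages as root without the warning where possible.
# Equivalent to exporting PIP_ROOT_USER_ACTION=ignore (the approach taken
# with Packer's environment_vars in the PR), but does not touch the environment.
pip_install_as_root() {
  version=$(pip_version_from_output "$(pip -V)")
  # shellcheck disable=SC2046  # word splitting of the flag list is intended
  pip install $(pip_root_flags "$version") "$@"
}
```

Usage from a provisioning script: source the file, then call `pip_install_as_root mitmproxy sqlmap`. On the Alpine image from the session above (pip 22.1.1) this runs `pip install --root-user-action=ignore mitmproxy sqlmap`; on a pip older than 22.1 it falls back to a plain `pip install`, warning included, rather than failing on an unknown option.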

oxr463 commented 2 years ago

==> pentesting-docker.docker.alpine: WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
outzhu commented 2 years ago

Not getting that warning. Do you have environment_vars = ["PIP_ROOT_USER_ACTION=ignore"]?

oxr463 commented 1 year ago

What else needs to be done for this issue?

outzhu commented 1 year ago

When https://github.com/infinite-omicron/pentesting-vm/pull/27 is merged we can close.