Running d rats in a venv environment and PIP - wb8tyw/D-Rats GitHub Wiki

A python venv is an isolated virtual environment.

When properly setup, it allows non-privileged users to install additional python modules from with pip from a python repository like Pypi.

Generally installing packages from Pypi has some security risks.

The packages from operating system vendors have usually been vetted for security issues, and are have signatures on them to make any tampering obvious.

Pypi packages do not have that level of protection.

Criminals are currently installing counterfeit packages with similar names to legitimate packages on Pypi, these packages have malware installed on them.

So you have to be very careful of what you install from Pypi.

My intention is to have d-rats able to run without needing any modules from Pypi for that reason.

However on some platforms, for example msys2 mingw does not provide a python-geopy or feedparser packages, so the only source is from Pypi.

When you have a venv, setup as described below, you can use pip to install additional modules.

And this is relevant for users that want to run from the copy of the source of d-rats, and install it as python application.

The old python packaging procedure used in d-rats has been deprecated and needs to be replaced.

The new python packaging procedure needs modules installed from Pypi in order to be used, and once that is implemented, those will be required for people that want to install d-rats from source, instead of just running it from a copy of the source. Which for security means using a venv.

Installing using Pip with root or sudo on a system that supplies python as a package, aside from the security risks above, can corrupt the system or python providers directories. This will be from the package manager will find different content than what should be there and that can cause problems that are complex to clean up.

Now as near as I can tell, the GTK modules that d-rats needs can not be installed into a venv. You must have them installed from vendor supplied packages.

The way to install the python venv package varies with the python installation.

  • Ubuntu: You must install the python${ver}-venv to match your python version. Use apt policy "python*-venv" to find the package you need.
  • Anti-X: You must install 'python3-venv'
  • Microsoft Windows msys2 mingw you install 'mingw-w64-x86_64-python-virtualenv'

The creation of the virtualenv varies slightly with the platform and if you are using a shared directory for multiple platforms, you need a separate virtualenv for each system.

The '--system-site-packages' makes the distribution python modules available to the venv.

Linux VENV creation: python3 -m venv $(hostname -s)_venv --system-site-packages --symlink

For msys2, I could not create the venv on a network drive so I used the home directory for my user. python -m venv ~/my_hostname_venv --system-site-packages

To activate the venv is simple: On linux: source $(hostname -s)_venv/bin/activate And on msys2, the hostname -s does not work so I use source ~/my_hostname_venv/bin/activate

At this point you can use pip to install a number of packages and run d-rats with those packages.

To exit the venv environment, you type the command deactivate not exit. The exit command will exit your shell session.

In the future, d-rats should provide one or more requirements.txt modules that used to add the missing optional python modules so that there is less risk of getting a counterfeit module.

I am still learning how to do the new method for setup and will update the README.md file in my fork once I figure it out.