Fixing Your Python Version on AWS EC2 with Amazon Linux
ACM.264 When you don’t get the version of Python you think you should be getting
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.
🔒 Related Stories: Application Security | Secure Code | AWS Security
💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In the last post I wrote about how to set up IAM policies for AWS CodeCommit.
Next I wanted to show you how to use those roles, but I got side tracked. In order to use git with AWS CodeCommit and AWS CLI profiles that assume roles, you’ll need to make sure you have the AWS CLI installed. You can find that here:
You also need to have specific versions or later of Python and Pip installed.
I got sidetracked from writing about how to use git with an AWS CLI profile because I realized my version of Python was lower than the version referenced by the AWS CLI and I wanted to fix that. I also know from past experience that getting Python3 working on Amazon Linux can be confusing so stopped to explain all this prior to proceeding.
It’s always a good ideal to make sure you’re running the latest version of software with all the appropriate security patches. However, sometimes the last version of software introduces security problems as well. For example, python changed the way it references files when it changed from Python2 to Python3. Something to be aware of that I wrote about here:
That may be why AWS Amazon Linux uses an older version of python still in the base OS. However, you may want to update to the a newer or the latest version. Also perhaps you want to get the newer version whenever you type python (which may not be a good idea depending on what software you are running as explained in the post above).
And sometimes when you install python on your system, you’ll have multiple conflicting versions and can’t seem to get the one you want. Why is that? This post attempts to explain all that and how to be more specific about which version of python you get when you type “python”.
When I recently check the AWS CLI version I got this:
aws --version
Notice that the version of python is Python/3.8.8.
When I typed the python version command:
python --versionI got a different version:
Here’s what happened. AWS EC2 Amazon Linux used to use Python 2 and I needed to use Python 3. Any time I typed python I wanted Python3 to be used. The OS could do whatever it needed to do but from my perspective I wanted everything to be python 3 if I typed the command “python.”
I installed python 3 specifically for my user in a different directory than the one used by the OS.
I created an alias to point to python3 instead of python2.
alias python="python3"You can can see aliases in the hidden file .bashrc:
vim ~/.bashrc
In my case I had set up this:
Type :q! to exit vim or vi.
:q! You can also see if there’s an alias and the directory of the executable that is running when you type a command with the which command.
which python
From my user perspective, when I type python it’s coming from this folder due to the specified alias. So I want to remove that alias and get the more up to date version, wherever it is coming from. I edit the bashrc file, remove the aliases, and then I have to source the file.
#edit the file in vim
vim ~/.bashrc
#delete the aliases
#type !wq to save
!wq
#type the following command to make your changes take effect
source ~/.bashrcIf I run which again then alias is gone and he folder is different.
Now type the version command again:
Now I’m back to 2.7.18. That’s not what I want. I want the latest version used by the AWS CLI. I have to figure out where python 3.8.8. is installed.
You can also use locate to get all the locations where python is installed if you have installed locate.
locate pythonYou’ll get a whole bunch of things back most likely:
To be more specific you could use:
locate python | grep python3.8
Why am I still getting the older version of python?
You can also type env or echo $PATH to see the your path. The path on your system is where your OS searches for applications associated with a command. It will start in the first folder and move down the list until it gets to the folder where it finds an application associated with the command.
As you can see the folder where python3.8 is installed shown above is not in my path. I could change my path to add that folder. Alternatively, I could just update python to a newer version and restore my alias to point to python3. And as you will see that folder above is not the folder we want to be using anyway.
Let’s see if we can simply install or update python with yum:
Wait what? That’s the version we have. The AWS CLI is getting python 3.8.8 so why isn’t this updating?
What you get when you run yum depends on what repository the OS uses and what’s in it. This particular repository doesn’t have 3.8.8.
Amazon has something called Amazon extras which has additional packages you can install.
Type the following commands to see available repos:
sudo yum repolist all
There’s a repository with python 3.8 there.
You may need to install the extras like this in order to see that:
sudo yum install -y amazon-linux-extrasYou can run the following command to see python.
amazon-linux-extras | grep python
You can install the specific package by name:
As you can see it says it’s already installed.
Let’s alias that directory and see what happens.
Type the following alias command:
alias python=”/usr/bin/python3.8"Now try the version command again:
I’m now actually getting a more up to date version than the AWS CLI is using. However, I’m not going to mess with the AWS CLI because it may require a specific version.
Creating that alias via the command line is not going to hang around if I exit. In order to make that alias stick you’ll need to add it in to the bashrc file as shown above.
#edit .bashrc
vim ~/.bashrc
#add the aliases to the bashrc file
alias python="/usr/bin/python3.8"
alias pip="/usr/bin/pip3.8"
#to exit and save your changes:
:wq!
#source the file to get the change to show up on the command line
source ~/.bashrc
#check the versions
python --version
pip --versionNow you can check the versions. I’m actually getting an older version of pip than the one I was running before these changes.
You can update pip with the following command:
curl -O https://bootstrap.pypa.io/get-pip.py
python get-pip.py --user
Now, after all that, I’m not even using the latest version of python yet. At the time of this writing, the latest version for Linux is: 3.11.4.
Why am I not getting the latest version? Once again, it is not in the AWS repository to which yum is pointing. AWS may not be including it because they have not tested it yet to make sure it doesn’t break anything for the countless AWS customers running on Amazon Linux.
However, you can upgrade your system to the latest version by downloading and install the latest version of python directly, installing it, and aliasing the related folder as we just did above.
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2023
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight LabNeed Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for PresentationFollow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab