| ▲ | LudwigNagasena 14 hours ago | |
That's a distinction without a difference, in the end you still have an arbitrary bash command that you have to validate. And it is simply easier to whitelist directories than individual commands. Unix utilities weren't created with fine-grained capabilities and permissions in mind. Wherever you add a new script or utility to a whitelist, you have to actively think whether any new combination may lead to privileges escalation or unintended effects. | ||
| ▲ | zahlman 3 hours ago | parent [-] | |
> That's a distinction without a difference, in the end you still have an arbitrary bash command that you have to validate. No, you don't. You have a command generated by auditable, conventional code (in the agent wrapper) rather than by a neural network. | ||