Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
valleyer 3 hours ago

> If you look at the security measures in other coding agents, they're mostly security theater. As soon as your agent can write code and run code, it's pretty much game over.

At least for Codex, the agent runs commands inside an OS-provided sandbox (Seatbelt on macOS, and other stuff on other platforms). It does not end up "making the agent mostly useless".

lvl155 25 minutes ago | parent | next [-]

You really shouldn’t be running agents outside of a container. That’s 101.

embedding-shape 12 minutes ago | parent [-]

Bit more general; don't run agents without some sort of restriction to what they can do provided by the OS in some way. Containers is one way, VMs another, most cases it's enough with just a chroot and using the unix permission system the rest of your system already uses.

beacon294 3 hours ago | parent | prev | next [-]

My codex just uses python to write files around the sandbox when I ask it to patch a sdk outside its path.

Sharlin 2 hours ago | parent | next [-]

It's definitely not a sandbox if you can just "use python to write files" outside of it o_O

chongli 39 minutes ago | parent [-]

Hence the article’s security theatre remark.

I’m not sure why everyone seems to have forgotten about Unix permissions, proper sandboxing, jails, VMs etc when building agents.

Even just running the agent as a different user with minimal permissions and jailed into its home directory would be simple and easy enough.

embedding-shape 15 minutes ago | parent [-]

I'm just guessing, but seems the people who write these agent CLIs haven't found a good heuristic for allowing/disallowing/asking the user about permissions for commands, so instead of trying to sit down and actually figure it out, someone had the bright idea to let the LLM also manage that allowing/disallowing themselves. How that ever made sense, will probably forever be lost on me.

`chroot` is literally the first thing I used when I first installed a local agent, by intuition (later moved on to a container-wrapper), and now I'm reading about people who are giving these agents direct access to reply to their emails and more.

valleyer 7 minutes ago | parent [-]

Here's OpenAI's docs page on how they sandbox Codex: https://developers.openai.com/codex/security/

Here's the macOS kernel-enforced sandbox profile that gets applied to processes spawned by the LLM: https://github.com/openai/codex/blob/main/codex-rs/core/src/...

I think skepticism is healthy here, but there's no need to just guess.

valleyer 32 minutes ago | parent | prev [-]

Is it asking you permission to run that python command? If so, then that's expected: commands that you approve get to run without the sandbox.

The point is that Codex can (by default) run commands on its own, without approval (e.g., running `make` on the project it's working on), but they're subject to the imposed OS sandbox.

This is controlled by the `--sandbox` and `--ask-for-approval` arguments to `codex`.

maleldil 3 hours ago | parent | prev [-]

Does Codex randomly decide to disable the sandbox like Claude Code does?