| ▲ | __MatrixMan__ 8 hours ago |
| I don't understand why the AI world does this. We don't need new security. We have security at home. It starts with sudo -u restricteduser myagent
Your OS knows how to restrict access to things, you don't have to trust a pinkey promise from a vendor. |
|
| ▲ | Dacit 7 hours ago | parent | next [-] |
| You will want at least a separate session for the `restricteduser`: E.g. with X11, a process in the same session can do almost anything with your input/output. And most Linux distributions make it really hard to disable external device access for individual users... |
| |
| ▲ | bombcar 7 hours ago | parent | next [-] | | Qubes OS - AI Agent edition would actually be a great idea. | |
| ▲ | WhyNotHugo 6 hours ago | parent | prev [-] | | > And most Linux distributions make it really hard to disable external device access for individual users... For any distro that relies on the traditional plugdev group, just don't add those users to the plugdev group. Which would be the default when creating a user anyway. |
|
|
| ▲ | big_toast 7 hours ago | parent | prev | next [-] |
| Does this have the affordances to work well with a pretty standard agentic coding setup (e.g. claude code/codex) on macos? I don't really have a good mental model of how ports/files/etc get exposed/permissioned across users. Containers and sandboxing seem much more common than agent-user accounts. Networking seems a little more complicated in the general case. I roughly went the route of running apple's container-cli (separate vm/kernel per instance I believe) and mount the relevant home directory/projects and bind ports. Seatbelt/linux sandboxing seems simpler sometimes, but has its complications too. |
| |
| ▲ | __MatrixMan__ 7 hours ago | parent [-] | | It's limited. For instance, you're going to have to explore different kinds of sandboxing if you want to prevent network access (except for certain cases, like to allow it to talk to the AI provider). But generally, a filesystem will have metadata for files like which groups are allowed to read/write, and the operating system will enforce those rules for processes that run as that user, and for any processes which that user starts. I feel like that gets you 90% of where you're likely to want to go with it. I think it would be much better if we leaned into improving that kind of control rather than thinking about security for specifically agents. Otherwise what's to stop an agent from writing a program to do whatever it's not allowed to do, and then running that program? You want the restrictions to be enclosing around parts the process tree, not the agent itself, and OS-level restrictions have been doing that kind of things for decades. |
|
|
| ▲ | bpavuk 8 hours ago | parent | prev | next [-] |
| and Landlock! Pi even has a sandbox plugin for Landlock |
| |
|
| ▲ | gowld 6 hours ago | parent | prev | next [-] |
| Users do not want the agent to be restricted. They want the agent to read the user's mind and resolving the user's cognitive dissonance and contradictory preferences. |
| |
| ▲ | sigbottle 6 hours ago | parent [-] | | Is the implication that human thinking is inherently inferior to the perfect, all knowing AI? Again, I find this line of thinking time and time again in the modern AI booster space. There are two ways to deal with a problem. Either deal with it, or make it not a problem. Yes, if everyone was simply AI, maybe there would be no problems, because there's no "problematic thought distributions", but that's not how the world is, is it? And I suspect that even in your hypothetical, perfect rational world, agents would have "cognitive dissonance and contradictory preferences." And even in this case, even aside from the inherent complexities in a coherent account of thinking and rationality, what the fuck? Not uploading your entire user home directory is clearly within the rules of a hypothetical non-malicious, intelligent AI. Just because an account of all thought is hard, doesn't mean that some thoughts aren't cut and clear. |
|
|
| ▲ | khalic 8 hours ago | parent | prev [-] |
| Why would you give a non-deterministic text generator a user account? It’s not a person, it’s barely a tool at the software level. Restrict at the right level, in this case, a complete sandbox around it given its propensity to hallucinate and be steered by anybody. |
| |
| ▲ | anvuong 7 hours ago | parent | next [-] | | What kind of logic is this? It's standard in the Linux world to give important services a separate user domain. | | |
| ▲ | khalic 6 hours ago | parent [-] | | The standard here is not enough when the agent can escalate by finding 0 days, for example. It’s like giving a black hat a limited account. Sure it might restrict him, but not giving him an account at all is way better | | |
| ▲ | gowld 6 hours ago | parent [-] | | The black hat can find 0-day escalation in your sandbox, too. A user account is a sandbox. | | |
| ▲ | khalic 6 hours ago | parent [-] | | Not as air tight as a container Edit: it’s about the attack surface | | |
|
|
| |
| ▲ | 12345ieee 7 hours ago | parent | prev | next [-] | | Unix users are THE tool to restrict tool permissions, at any given time there's 20+ services on a Unix machine that run in their user. | | |
| ▲ | khalic 6 hours ago | parent [-] | | And how many of those services can check your box and find permission escalation strategies on its own? | | |
| ▲ | __MatrixMan__ 6 hours ago | parent [-] | | Malware has been bundling rootkits for decades, so potentially all of them. Sometimes the attacks succeed, so these are defenses that need continual hardening, but there's no sense in setting up an entirely separate line of defense just because this time the threat has AI in it. | | |
| ▲ | khalic 6 hours ago | parent [-] | | I guess time will tell, I know I'm not giving those things any direct stdin access without a hole suite of safeguards in between |
|
|
| |
| ▲ | danlitt 7 hours ago | parent | prev | next [-] | | Same reason people give postgres, php, or any other program a user account. | | |
| ▲ | dcow 7 hours ago | parent [-] | | Why should it be? We have containers and capabilities… | | |
| ▲ | thwarted 7 hours ago | parent [-] | | Containers are often used with user namespaces, which is literally another (set of) user account(s). | | |
| ▲ | khalic 6 hours ago | parent [-] | | Yes but the encompassing service has the account, not the agent. You can completely segregate it from the rest of the system, like you’d treat an intruder |
|
|
| |
| ▲ | dkuntz2 7 hours ago | parent | prev | next [-] | | i give a lot of software dedicated user accounts, it's literally one of the core security models of the operating system | | |
| ▲ | khalic 7 hours ago | parent [-] | | But none of these services have the kind of latent capabilities an agent has, you know a deterministic service’s constraint are its code+bugs. There are no such constraints in an agent… |
| |
| ▲ | Izkata 7 hours ago | parent | prev | next [-] | | ...this is a completely normal thing to do in linux, it's the most basic form of access control. There's like a dozen non-human accounts in a clean install before adding your own like this, and a lot of software adds their own. Edit: I have 54 entries on my personal laptop, just one of which is actually me. | | |
| ▲ | khalic 6 hours ago | parent | next [-] | | This model is already not perfect, and not at all built for agents. The only way to secure an agent is an air-gap with the execution layer. Treat it like text, and the problem never arises until you “interpret” the agent output in a more limited environment than the OS | |
| ▲ | dcow 7 hours ago | parent | prev | next [-] | | Even though it’s completely normal to us and in widespread use, GP is a reminder that conceptually it’s a broken model. Security should be capability-based not user-based. And to anyone who didn’t grow up on a desktop this model makes complete sense since it’s what your phone uses. | | | |
| ▲ | warshinder 7 hours ago | parent | prev [-] | | He said it’s less than a software, so saying software does this too isn’t really a strong counter argument. In case, I don’t think you are really in disagreement. Restricted accounts are necessary is your point, but I think op is saying they aren’t sufficient. | | |
| ▲ | Izkata 7 hours ago | parent [-] | | One of the default users is "nobody" which isn't associated with any software. It's definitely above that. | | |
| ▲ | warshinder 7 hours ago | parent [-] | | Is it less secure if I simply have nothing to do with language models whatsoever? I take that to be the parents point, but I know you are correct and yes, user restrictions should be a necessary part of the way people who use LLMs setup their system to use them in a safe manner. |
|
|
| |
| ▲ | cwillu 7 hours ago | parent | prev [-] | | > cat /etc/passwd|wc -l
50
| | |
| ▲ | ButlerianJihad 5 hours ago | parent | next [-] | | Congratulations! You are this thread’s winner of the UUOC award! | | |
| ▲ | cwillu 2 hours ago | parent [-] | | Alternatively, fuck off. Oh no, my shell (that fires off half a dozen processes to generate its prompt) happened to fire off an “unnecessary” cat (which makes the command line much more composable and my shell history much easier to search). |
| |
| ▲ | niko323 7 hours ago | parent | prev [-] | | /etc/shadow has the good stuff if you're OS is current. |
|
|