Remix.run Logo
khalic 8 hours ago

Why would you give a non-deterministic text generator a user account? It’s not a person, it’s barely a tool at the software level. Restrict at the right level, in this case, a complete sandbox around it given its propensity to hallucinate and be steered by anybody.

anvuong 7 hours ago | parent | next [-]

What kind of logic is this? It's standard in the Linux world to give important services a separate user domain.

khalic 6 hours ago | parent [-]

The standard here is not enough when the agent can escalate by finding 0 days, for example. It’s like giving a black hat a limited account. Sure it might restrict him, but not giving him an account at all is way better

gowld 6 hours ago | parent [-]

The black hat can find 0-day escalation in your sandbox, too.

A user account is a sandbox.

khalic 6 hours ago | parent [-]

Not as air tight as a container

Edit: it’s about the attack surface

chrisweekly 6 hours ago | parent [-]

microvms are better than containers running on your host. see eg the "smolvm" microvms from https://smolmachines.com

khalic 6 hours ago | parent [-]

thanks, will take a closer look

12345ieee 7 hours ago | parent | prev | next [-]

Unix users are THE tool to restrict tool permissions, at any given time there's 20+ services on a Unix machine that run in their user.

khalic 6 hours ago | parent [-]

And how many of those services can check your box and find permission escalation strategies on its own?

__MatrixMan__ 6 hours ago | parent [-]

Malware has been bundling rootkits for decades, so potentially all of them. Sometimes the attacks succeed, so these are defenses that need continual hardening, but there's no sense in setting up an entirely separate line of defense just because this time the threat has AI in it.

khalic 6 hours ago | parent [-]

I guess time will tell, I know I'm not giving those things any direct stdin access without a hole suite of safeguards in between

danlitt 7 hours ago | parent | prev | next [-]

Same reason people give postgres, php, or any other program a user account.

dcow 7 hours ago | parent [-]

Why should it be? We have containers and capabilities…

thwarted 7 hours ago | parent [-]

Containers are often used with user namespaces, which is literally another (set of) user account(s).

khalic 6 hours ago | parent [-]

Yes but the encompassing service has the account, not the agent. You can completely segregate it from the rest of the system, like you’d treat an intruder

dkuntz2 7 hours ago | parent | prev | next [-]

i give a lot of software dedicated user accounts, it's literally one of the core security models of the operating system

khalic 7 hours ago | parent [-]

But none of these services have the kind of latent capabilities an agent has, you know a deterministic service’s constraint are its code+bugs. There are no such constraints in an agent…

Izkata 7 hours ago | parent | prev | next [-]

...this is a completely normal thing to do in linux, it's the most basic form of access control. There's like a dozen non-human accounts in a clean install before adding your own like this, and a lot of software adds their own. Edit: I have 54 entries on my personal laptop, just one of which is actually me.

khalic 6 hours ago | parent | next [-]

This model is already not perfect, and not at all built for agents. The only way to secure an agent is an air-gap with the execution layer. Treat it like text, and the problem never arises until you “interpret” the agent output in a more limited environment than the OS

dcow 7 hours ago | parent | prev | next [-]

Even though it’s completely normal to us and in widespread use, GP is a reminder that conceptually it’s a broken model. Security should be capability-based not user-based. And to anyone who didn’t grow up on a desktop this model makes complete sense since it’s what your phone uses.

Sesse__ 7 hours ago | parent [-]

Android uses one uid per app.

warshinder 7 hours ago | parent | prev [-]

He said it’s less than a software, so saying software does this too isn’t really a strong counter argument. In case, I don’t think you are really in disagreement. Restricted accounts are necessary is your point, but I think op is saying they aren’t sufficient.

Izkata 7 hours ago | parent [-]

One of the default users is "nobody" which isn't associated with any software. It's definitely above that.

warshinder 7 hours ago | parent [-]

Is it less secure if I simply have nothing to do with language models whatsoever? I take that to be the parents point, but I know you are correct and yes, user restrictions should be a necessary part of the way people who use LLMs setup their system to use them in a safe manner.

cwillu 7 hours ago | parent | prev [-]

   > cat /etc/passwd|wc -l
   50
ButlerianJihad 5 hours ago | parent | next [-]

Congratulations! You are this thread’s winner of the UUOC award!

cwillu 2 hours ago | parent [-]

Alternatively, fuck off.

Oh no, my shell (that fires off half a dozen processes to generate its prompt) happened to fire off an “unnecessary” cat (which makes the command line much more composable and my shell history much easier to search).

niko323 7 hours ago | parent | prev [-]

/etc/shadow has the good stuff if you're OS is current.