Remix.run Logo
killerstorm 4 days ago

Privilege escalation (e.g. setuid), world-readable files might contain sensitive data, world-writeable files, unrestricted network access (including access to all locally running services)... If you have fully patched system without zero-days and it's configured in a perfect way, then, sure...

Container is quite like a "separate user" except you can explicitly define what it can access.

(Even if all your daemons have good auth, it's now quite common for _apps_ to open listening sockets without much auth...)

wilkystyle 4 days ago | parent | next [-]

Also, many of these sandboxing solutions provide features like network allowlists and credential masking/injection

vqtska 4 days ago | parent | prev [-]

Sure, if you assume the agent will be hostile on you. I thought it's just so the agent doesn't accidentally rm -rf / on you

killerstorm 4 days ago | parent | next [-]

The agent might install hostile software, e.g. a npm package. Unfortunately, very common problem nowadays.

Retr0id 4 days ago | parent | prev | next [-]

There are documented instances of LLMs casually using LPEs in order to achieve an objective: https://xcancel.com/sluongng/status/2060746160558543217

And that's without anything like prompt injection happening.

pigeons 4 days ago | parent | prev [-]

They do try privilege escalation unprompted.