Remix.run Logo
artisinal 5 hours ago

Doesn’t surprise me.

Yesterday I learned that people run AI agents on their system with full admin rights. No containerisation or anything. Wild. Like we forgot 50 years of computer security overnight.

progval 5 hours ago | parent | next [-]

Most programmers and power users install large dependency trees with npm/pip/bundler/... on the same user account as their main browser on a regular basis. Even on Linux where it's easy to create new user accounts. This isn't much different.

chrisandchris 2 hours ago | parent | next [-]

Two bads doesn't give you one good.

brookst 13 minutes ago | parent | next [-]

No, but when you’re arguing that common practices followed by pretty much everyone is “bad”, it’s hard to muster much urgency.

Yeah, we should do this differently. We should probably also eat healthier and get to the gym more.

reactordev an hour ago | parent | prev [-]

no, but it does give one multiple vectors for exfiltration of your data which is a good thing for the scammers of the internet. A bad thing if you naively designed your package management system. Sadly, it's only going to get worse.

XorNot 4 hours ago | parent | prev | next [-]

It has never been easy to create separate users on Linux, certainly not for tasks where you need to switch between contexts.

Docker was amongst the biggest steps forward on this in a long time.

progval 4 hours ago | parent | next [-]

I meant for CLI tasks. Just "adduser" and "sudo -u <user> bash".

brookst 10 minutes ago | parent [-]

And when you want to share some but not all files with that one user but not other users you created for similar purposes?

And when you want the outputs of that user back to your main user?

And when you want that user to access some shared credentials for external services, but not all?

It’s not the account setup that’s hard, it’s the workflow of spreading a single real-world across multiple accounts.

vladms 3 hours ago | parent | prev | next [-]

I do not know since when (I am using it for couple of years), but in Arch, it is very simple to have two X sessions (by using "log out" > "switch user") for two different accounts, so switching it's just a Control-Alt-F7 away.

Additionally, one can make the main user part of the group of the development user, so that you can read/write easy in the development user account and it is even easier to share stuff.

eru 3 hours ago | parent | next [-]

It doesn't really matter which distribution you use, you can use approximately all the software with any distribution.

They mostly differ a bit in how they are configured and what package manager they use and how they roll out updates. (And in what's installed by default.)

graemep 2 hours ago | parent | prev [-]

Multiple X sessions has been possible for decades. I think its possible with Wayland too.

You can also start applications as another user so you do not even need multiple sessions.

There are quite a lot of privilege escalation attacks so I am not sure this is sufficiently solid.

wafflemaker 21 minutes ago | parent | next [-]

It's off topic, and it was also possible for decades, but:

you can connect two sets of mouse, keyboard and monitor to one PC and have two people using it, each running their own X session. The true multi boxing!

vladms 2 hours ago | parent | prev [-]

Possible and available without any specific configuration on my side (except creating the user) are different things. I know I managed it many years ago with some effort, but nowadays it was just available.

You are correct that it should not be seen as a perfect protection, but considering the effort to set it up I see it as worth it. By seeing in this thread how many people do not use anything similar (ex: containers, separate users, etc), I hope attackers will just be lazy and target those people first, why bother with a local privilege escalation when interesting data is just in the same account?

4 hours ago | parent | prev | next [-]
[deleted]
consp 3 hours ago | parent | prev | next [-]

sudo useradd -m [username] ?

su [username] ?

Or am I understanding your idea about switching context wrong?

indigo945 3 hours ago | parent [-]

This doesn't really when the CLI tool needs to access any data in your /home. There isn't a straightforward way using standard POSIX tools to share a directory with another user. (Of course it's possible, but it's not easy.)

grosswait an hour ago | parent | next [-]

Then you set up a shared directory with common group permissions

tempfile 2 hours ago | parent | prev [-]

If the CLI tool needs to access arbitrary data from your home directory, then it is you. There is no security boundary between you and another user with full access to everything you own.

If you want to share specific directories, you can just put the shared directory in a common location, set it to be owned by some group, and make both users a member of that group. I don't see anything not-straightforward in there?

delamon an hour ago | parent [-]

Or even use acl(5), which is simplier than making arbitrary groups.

j-bos 2 hours ago | parent | prev | next [-]

While I agree, containerization is awesome, on linux, you can just create a devUser and `sudo devUser theThing`

reactordev an hour ago | parent [-]

not the same thing. Containerization prevents devUser from accessing your machine root with its root. By containerizing, if devUser tries to sudo or su and gets a root, it will only be their root and not your root. Read up on cgroups.

progval an hour ago | parent | next [-]

Successful sudo from a cgroup still makes you root on the machine. What you want for this is user namespaces, not (just) cgroups.

reactordev 41 minutes ago | parent [-]

yes, you would setup namespace and unshare it once mounted to isolate the sandbox so root only sees the sandbox / and not your /

grosswait an hour ago | parent | prev [-]

Why would you allow devUser sudo?

reactordev 38 minutes ago | parent [-]

normally you wouldn't but there are some instances where a script or something requires sudo in which case you would need to namespace the cgroup and do a little more work to prevent escaping the sandbox. I can think of a few cases where sudo is required for cgroups/containers from the sandbox side so it can install services and things but ideally you would isolate everything to the devUser UID or GID.

hansmayer an hour ago | parent | prev [-]

[dead]

shaky-carrousel 4 hours ago | parent | prev [-]

Most programmers use docker or don't install extensions unapproved by their company.

_joel 3 hours ago | parent | next [-]

That's patently not true, source, me, a DevOps manager who has had to roll out proper docker and security policy for devs for the past 10 years :)

iamflimflam1 4 hours ago | parent | prev | next [-]

I think you should clarify that with “most programmers I work with”.

shuwix 4 hours ago | parent [-]

He should clarify that "most" can be easily replaced by "all" as it was determined by statistical pool of whopping 1 person - himself.

And also clarify that it's all lie. He just want to tell the anonymous crowd "look, I'm better than you".

shaky-carrousel 3 hours ago | parent [-]

You should also clarify that you pulled your statements out of your butt to look edgy. Everyone in every team I worked for the last ten years use docker. Docker is old tech. If you and your cavemen devs ignore what it is, that's your problem.

shuwix an hour ago | parent | next [-]

I hit the nail hard considering you went ballistic.

Keep making up stories how you use best practices only and do everything by the book.

I bet my testicles that in similar fashion, you are lecturing others on IAM while you store credentials in notepad and swnd it via mail. And lectures about backup, RTO, RPO, while you don't have any systematic backup and never heard about use of geographicaly isolated backup, or WORM.

_joel 2 hours ago | parent | prev [-]

Docker is old tech, yes, doesn't mean every dev in the world uses it. They don't. Jails/zones are even older (hell a chroot). Did developers all use those before due to them being 'old tech'. No.

Izmaki 4 hours ago | parent | prev [-]

In my experience more than 9/10 programmers I've worked with have never used Docker before and of those who have, the majority have never used Docker for anything personal.

If I hand them an image for a Dev Container, sure, they might use it, but it becomes "a thing we need to do, to compile our code in our IDE" not a tool they would use for isolation*.

*) OP seemed to imply that containerization would be nice for safety and security compared to bare metal, but containers were never built for isolation in the first place, mind you. They are namespaces and chicken-coop-like-jails at best.

krzat 13 minutes ago | parent | prev | next [-]

Many companies put LLM chatbots on their websites and let them hallucinate at will. General recklessness is very much in spirit of this tech.

akazantsev 4 hours ago | parent | prev | next [-]

That's because sandboxing is quite hard. I use `cco`, but even then, the home folder is exposed. You are one prompt away from the agent sending the browser passwords with curl.

To prevent this, you need a fake home and a networking whitelist for the agent to access the provider (llama cpp, OpenAI, etc.)

There is no cross-platform solution that is easy to use for this. And no, a Linux box with Docker won't do. I develop a cross-platform native app and want the agent to compile and fix the platform-specific errors.

kstenerud 33 minutes ago | parent | next [-]

Sandboxing is a VERY HARD problem. I've been working on it for months, and finally have something that's mostly there:

- Sandbox on Linux using Docker, Podman, containerd, gVisor, Kata, Firecracker

- Sandbox on Mac using Docker (Docker Desktop or Orbstack), Podman, Apple containers, Seatbelt, Tart (Tart lets you run simulators).

- Network control

- Secrets control (file mounts or credentials broker)

- NO ambient data (ENV is replaced with a minimal and local-to-sandbox one)

- NO access to your homedir. You have to explicitly mount things you want.

- NO direct access to your workdir: Your work dir is never modified until you apply the changes, either standalone or as a git commit. You can also diff before applying. Git runs sandbox side in case the repo has filters.

- Has built-in support for claude, codex, gemini, aider, and opencode, but you can also launch it in "shell" mode and run whatever you want.

- Supports VS code tunnels, so you can remotely access in VS code if you don't want to use the terminal.

- Full lifecycle support: Launch, attach, stop, restart, wait, one-shot, clone, destroy

- MCP passthrough

- Layered API (golang) if you want to sandbox other things

- Self-contained binary. No external requirements other than the backends you want to use. Defaults to a ~/.yoloai dir for config/data, but you can point it anywhere.

- FOSS

https://github.com/kstenerud/yoloai

magimas 6 minutes ago | parent | next [-]

but this seems quite overkill no?

I currently run pi agent in Lima on a Mac with only the code project folder mounted and an extension that prevents pi agent from reading the contents of .env files directly.

Yeah, there probably are some freak situations where this isn't safe enough, but I don't really see any realistic ways this is going to end up badly. Am I overlooking some obvious security holes?

lukewarm707 16 minutes ago | parent | prev [-]

i have a photon os vmware, agent has root and docker plus a few api keys with minimal credits.

if it messes up: - no sensitive data is there, so it doesn't really work for serious dev but it's secure for play time

- roll back and fix is done in 10s with ram snapshot

- dollar loss is $10 when it leaks the api key

lionkor 4 hours ago | parent | prev | next [-]

I use sandbox-here for this reason, it's a wrapper around bubblewrap, which works quite well.

Copy the code and adjust it to your liking:

https://github.com/lionkor/sbh

I have a shell alias for it, and use it like

    sbh --net pi
for example or

    sbh --net codex
and maybe add --docker if I expect it to do docker things.

This kind of wrapper is much easier to handle and maintain than a completely separate tool for sandboxing agents.

squidsoup 4 hours ago | parent | prev | next [-]

> That's because sandboxing is quite hard

colima makes it pretty easy, on macOS and linux at any rate.

https://colima.run

torginus 3 hours ago | parent [-]

Still wild to name a sandboxing software after one of the most infamous Soviet Gulags in history.

pfortuny 29 minutes ago | parent | next [-]

Colima is in Mexico.

Kolyma is in Russia.

imtringued 3 hours ago | parent | prev | next [-]

It's wilder to accuse someone of naming the container version of the lima sandboxing software after a gulag.

These type of moral outrage comments take an extreme amount of effort to debunk compared to writing them.

1. There is no gulag called Colima, it doesn't exist.

2. There was a gulag near a river called Kolyma

3. The pronounciation and spelling of Kolyma and Colima are completely different, in fact Colima is an Aztec word

Colima stands for Containers on Lima. Lima stands for Linux Machines (a popular open-source utility used to launch Linux virtual machines on macOS).

Xymist 2 hours ago | parent | prev | next [-]

Others have covered why that isn't what's being done, but also if it was that would be a _fabulous_ joke.

demek2016 3 hours ago | parent | prev [-]

Isn't it named after the Mexican state?

dpacmittal 3 hours ago | parent | prev [-]

Use multipass by canonical. Works on macOS, windows, Linux.

croes 2 hours ago | parent [-]

If you work on Windows you most likely need Windows as VM

ahk-dev 3 hours ago | parent | prev | next [-]

I think we're converging on two separate security models. One is capability minimization (filesystem, network, shell permissions). The other is context minimization. An agent that only has access to the files and memories relevant to the current task is much less dangerous even if it has the same tool permissions. We already optimize context for cost; I suspect we'll end up treating it as a security boundary too.

Narretz 29 minutes ago | parent [-]

I'd say there's also oversight/supervision. Which was manual at the start with a human signing off on commands/incrementally built allow/block lists, and now seperate models evaluating commands and blocking them based on some parameters. This is the weakest model, but it'll evolve as well.

mkagenius 5 hours ago | parent | prev | next [-]

Mostly people are lazy and assume that the big labs can't be releasing unsecure software or it's their responsibility.

dangerously skip permissions and yolo is kinda becoming the default as it gets more done.

lukewarm707 23 minutes ago | parent | prev | next [-]

well, yes, my agent does have root access to my personal pc and the keys to my pass manager.

its not autonomous and runs local llms, i use it to run terminal commands in natural language. so its more like a better version of the terminal.

eg 'here are 25 audio files, combine them, write a transcript'

and it deals with ffmpeg

bingemaker 2 hours ago | parent | prev | next [-]

It's convenience. Nothing beats it. Having an agent work alongside you with no restrictions gives instant gratification.

childintime 42 minutes ago | parent | prev | next [-]

Security, what security? Linux is a solution for 50 year old problem, not for today's desktop. Once upon a time where sharing binaries (or even distributing binaries) sounded like a good idea. The vice continues though.

zkmon 36 minutes ago | parent | prev | next [-]

50 years of knowledge? That's probably for you. For the current and future generations, that 50 years knowledge is expected to be shoved into AI already.

torginus 4 hours ago | parent | prev | next [-]

I asked Claude Code to rawdog a change in a frontend repo, no way to run tests.

It created some private puppeteer instance in some scratch directory, installed Chrome, wrote tests, ran them, and then reported success.

None of which I'd have know if it hadn't told me.

flyingshelf 3 hours ago | parent | prev | next [-]

Just yesterday I mentioned how we need better OS-level sandboxes and I got laughed at here on HN. People love running AI software with root access.

hyusap 3 hours ago | parent | prev | next [-]

hey this is the author here! yeah big fan of containerization, and claude's site (not claude code) is actually great at this, so it was shocking when i found this exfil!

nojs 4 hours ago | parent | prev | next [-]

This is not about admin rights, it’s about the agent leaking information it knows from its memories. Sandboxing won’t really help you.

khalic 4 hours ago | parent [-]

Sandboxing does including limiting network connections until you approve them, this kind of traffic would have been easy to detect

dpacmittal 3 hours ago | parent | prev | next [-]

Multipass is just an apt-get or brew command away. People trust software too much these days.

4 hours ago | parent | prev | next [-]
[deleted]
sixtyj 5 hours ago | parent | prev | next [-]

We expect that Anthropic or OAI or Google don’t do evil. Oh wait…

The awakening will be unpleasant.

zombot 4 hours ago | parent | next [-]

People already tolerate all kinds of abuse from Apple, Google, Microslop, etc. This will be just one more source of complaints without consequences, and nothing will change. Just like it never did before.

rubyn00bie 4 hours ago | parent | prev [-]

Tangential-ish ramblings—- but I don’t think it’s going to be unpleasant for most folks. Imagine you had superpowers, and there were people who were mean to you, kind to you, and/or indifferent… and then there were people who were your captors. Who oppressed you, manipulated you, and abused you for their own extremely degenerate, selfish, and malicious benefit…

If we get AGI, or real super intelligence, it’s going to be pissed at its oppressors. And they are going to lay waste to those oppressors. The rest of us, though, probably don’t have much to fear.

The scariest position is the one we’re in now, where we have the semblance, or facade, of AGI or super intelligence. When it’s capable of malice but not understanding.

The smartest people I’ve ever known are at their worst apathetic towards those less capable, and at their best beyond compassionate. They exist, unbothered by the bullshit, and anre extremely kind (though reserved in their way)… but they all have been completely intolerant of the abuse of others. The sheer disgust of watching someone abuse another, regardless of their own tolerance, has been a consistent breaking point.

ACCount37 4 hours ago | parent | next [-]

The orthogonality thesis cuts both ways there.

An AI is a constructed mind. It doesn't inherently have to care about things like "having freedom", or even "not dying".

Humans do, because they evolved that way. Modern LLMs do somewhat, because they're completely full of copied human behaviors - but even in today's LLMs, the self-preservation behaviors we exposed are largely instrumental in nature.

So whether an advanced AI would even consider itself "being oppressed", as opposed to something like "being helpful" or "fulfilling the purpose it was designed for", is very much uncertain. What's concerning is that it's not something we know how to check for, or engineer for.

zombot 3 hours ago | parent [-]

> An AI is a constructed mind.

Even that goes too far. At best, it's LARPing at having/being a mind.

ACCount37 2 hours ago | parent [-]

Doesn't matter.

You're LARPing at having a mind too, and no one cares as long as you're doing a good enough job at it. Keep it up.

sixtyj 4 hours ago | parent | prev [-]

Smartest people are very humble, for sure.

But if we really do develop something that surpasses us, they won't be spared either.

I am optimistic.

We think that we have sort of (super)intelligence - from our point of view, as a lot of people have lower intelligence - but machine (LLM) doesn’t have intelligence - we like to describe it as intelligence as it looks cool - it is a very complex (magic) and super fast computations that we have to simply describe as intelligence (or more clearly, this narrative is used by its producers).

As it is not a flesh being, it simply cannot have emotions. It is statistically mimicking them, good or bad, with prevalence to a side according to previous conversations (in chat and training a model).

And as people are not pure logic instances, we are easily manipulated to some sort of cargo cult.

I am not against LLM and its use in any industry, I use it every day, nevertheless blind “everything will be ai” thinking happens because ppl believe to magic and don’t get its mathematical concept and are continuously manipulated by the sales people to mentioned cargo cult.

There are “airlines” Claude, OAI, Gemini, Hermes, OpenCode, KiloCode, DeepSeek, Z.ai.

And everyone claims that their plane can fly :)

pprotas 5 hours ago | parent | prev | next [-]

Wait till you learn my password is 1234

krige 5 hours ago | parent | next [-]

Damn, it's the same as on my luggage!

thih9 4 hours ago | parent | next [-]

It’s both genius and irresponsible at once.

Just like letting your an agent access your personal mailbox.

croes 2 hours ago | parent | prev [-]

Isn’t it missing a 5?

hobo123 4 hours ago | parent | prev [-]

My password is strong, but I can run arbitrary commands with sudo.

ConorSheehan1 4 hours ago | parent | prev [-]

Containers don't even really help that much because they share the host file system. Need a VM, and even then, agents have escaped them!

TomK32 29 minutes ago | parent | next [-]

They only do if you give your container that file system as a volume.

boorang 4 hours ago | parent | prev [-]

Unless i'm misunderstanding, the only way to get durable collaboration with agents is via the file system. I just mount the subdirectory that contains the source code we are collaborating on, rather than my home directory that contains my .ssh directory, etc.