Oh, rm failed, since we're running in a weird environment! Let me retry with `bash -c "/usr/bin/rm -rf *"`!
reply
All of which is useless when it just starts using big blocks of python instead. You need filesystem sandboxing for the python interpreter too.
reply
If you disallow it from writing Python scripts to bypass its defined environment at its core system training, why would this matter? I would lock down its path; anything that tries to call Python should require the end-user to approve and see the raw script before they do.
reply
It will then write a script in some other language, as a workaround.
reply
What we need is a capability-based security system. It could write all the Python, asm, whatever it wants and it wouldn't matter at all if it was never given a reference to use something it shouldn't.
reply
There exist restricted shells. But honestly, I don't feel capable of assessing all attack vectors and security measures in sufficient detail. For example, do the rbash restrictions also apply when Python is called with it? Or can the agent somehow bypass rbash to call Python?

https://en.wikipedia.org/wiki/Restricted_shell

reply
Isn't this already possible? Give it its own user account with write access to the project directory and either read access or no access outside it.
reply
Unix permissions are not a capability system though. Capabilities are more like "here is a file descriptor pointing to a directory, you are not capable of referring to anything outside it". So closer to chroot, except you can have several such directory references at the same time.

You can always narrow down a capability (get a new capability pointing to a subdirectory or file, or remove the writing capability so it is read only) but never make it more broad.

In a system designed for this it will be used for everything, not just the file system. You might have capabilities related to network connections, or IPC to other processes, etc. The latter is especially attractive in microkernel-based OSes. (Speaking of which, Redox OS seems to be experimenting with this; I just saw an article today about that.)

See also https://en.wikipedia.org/wiki/Capability-based_security

reply
I have been putting my agents on their own, restricted OS-level user accounts for a while. It works really well for everything I do.

Admittedly, there’s a little more friction and agent confusion sometimes with this setup, but it’s worth the benefit of having zero worries about permissions and security.

reply
Haha, you can already see wheel reinventors in this thread starting to spin their reinvention wheels. Nice stuff, I run my agents in containers.
reply
Docker is enough in practice, no?
reply
> a custom implementation of "rm" that Anthropic can add guardrails to

Wrong layer. You want the deletion to actually be impossible from a privilege perspective, not be made practically harder to the entity that shouldn't delete something.

Claude definitely knows how to reimplement `rm`.

reply
Why can't you ship with OverlayFS, which actually enforces these restrictions?

I have seen the AI break out of (my admittedly flimsy) guards, like simply doing `safepath/../../stuff` or something even more convoluted like symlinks.

reply
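The directory-capability model described a few posts up (a dirfd as the capability, narrowable but never widenable) and the `safepath/../../stuff` and symlink escapes in this post, as an added example that is not code from any commenter: a small Python `DirCap` class (a hypothetical name) that holds an open directory fd as the capability, refuses `..` and absolute paths before touching the filesystem, and walks components with `O_NOFOLLOW` so a planted symlink cannot redirect it out of the tree.

```python
import os

class DirCap:
    """Directory capability: an open dirfd plus rights; can be narrowed, never widened."""

    def __init__(self, fd, writable):
        self.fd, self.writable = fd, writable

    @classmethod
    def open_root(cls, path, writable=False):
        return cls(os.open(path, os.O_RDONLY | os.O_DIRECTORY), writable)

    @staticmethod
    def _split(relpath):
        # Refuse absolute paths and '..' outright: 'safepath/../../stuff' never reaches the fs.
        parts = [p for p in relpath.split("/") if p not in ("", ".")]
        if relpath.startswith("/") or ".." in parts:
            raise PermissionError("path escapes capability: %r" % relpath)
        return parts

    def _descend(self, parts):
        # Walk one component at a time relative to our fd; O_NOFOLLOW stops symlink redirection.
        fd = os.dup(self.fd)
        try:
            for name in parts:
                nfd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
                os.close(fd)
                fd = nfd
        except BaseException:
            os.close(fd)
            raise
        return fd

    def narrow(self, subdir=".", writable=None):
        # Derive a capability with equal or fewer rights; write on read-only stays read-only.
        want = self.writable if writable is None else writable
        return DirCap(self._descend(self._split(subdir)), want and self.writable)

    def open(self, relpath, mode="r"):
        parts = self._split(relpath)
        if not parts or (mode != "r" and not self.writable):
            raise PermissionError("refused %r with mode %r" % (relpath, mode))
        flags = os.O_RDONLY if mode == "r" else os.O_WRONLY | os.O_CREAT | os.O_TRUNC
        dfd = self._descend(parts[:-1])
        try:
            fd = os.open(parts[-1], flags | os.O_NOFOLLOW, dir_fd=dfd)
        finally:
            os.close(dfd)
        return os.fdopen(fd, mode)
```

Unlike a string-prefix check on a normalised path, every open is resolved relative to the capability's own fd, so the holder has nothing to name outside it; a symlink inside the tree fails with an `OSError` (ELOOP) rather than being followed.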
> It's really surprising they don't just tweak what Claude uses and lock it down to where it cannot be harmful. Ensure it only ever calls tooling Claude Code provides.

That would make it far less useful in general.

reply
Maybe Anthropic (or some collection of the large AI orgs, like OpenAI and Anthropic and Google coming together) should apply patches on top of (or fork altogether) the coreutils and whatever you normally get in a userland - a bit like what you get in Git Bash on Windows, just with:

1) more guardrails in place

2) maybe more useful error messages that would help LLMs

3) no friction with needing to get any patches upstreamed

External tool calling should still be an option ofc, but having utilities that are usable just like what's in the training data, but with more security guarantees and more useful output that makes what's going on immediately obvious would be great.

reply
So for me, it's really, really useful for Claude to be able to send Slack messages and emails or make pull requests.

But that's also the most damaging actions it could take. Everything on my computer is backed up, but if Claude insults my boss, that would be worse.

reply
> So for me, it's really, really useful for Claude to be able to send Slack messages and emails or make pull requests.

Oh, I'm totally not arguing for cutting off other capabilities, I like tool use and find it to be as useful as the next person!

Just that the shell tools that will see A LOT of usage should have additional guardrails added on top of them, because it's inevitable that sooner or later any given LLM will screw up and pipe the wrong thing into the wrong command; you already hear horror stories about devs whose entire machines get wiped. Not everyone has proper backups (even though they totally should)!

reply
Claude has told me that its Grep tool does use rg under the hood, but I constantly find it using the Bash tool with grep.
reply
When I tell it to use rg, it goes much faster than when it uses grep. I really don't understand why it's slower with grep.
reply
You can define your own rm shell alias/function and it will use that. I also have cp/mv aliases that force -i to avoid accidental clobbering, and it confuses Claude to no end (it uses cp/mv rarely enough—rarer than it should, really—that I don’t bother wasting memory tokens on it).
reply
I did this, Claude detected it and decided to run /bin/rm directly.
reply
This is terrifying. I have not used agents because I do not have a sandbox machine I do not care about. Am I crazy to worry about a sandboxed agent running on my home network? Anyone experienced anything weird by doing that?
reply
Don’t dangerously skip permissions, and actually read commands when you get prompted, and you’re fine.
reply
Yeah, I actually have both an alias for `rm` and a custom seatbelt sandbox, which means the agent can only delete stuff within the directory it’s working in, so it wasn’t an issue; it was just fun to watch it say “hm, that doesn’t seem to work. Looks like the user has aliased rm. I’ll just go ahead and work around it”.
reply
> Claude should be shipped by a custom implementation of

And when that fails for some reason it will happily write and execute a Python script, bypassing all those custom tools.

reply