Yes. I found this quickly after wrapping codex in a launcher that uses bubblewrap to exclude certain files and directories based on a config file at the project root. My best solution so far is to also include instructions for the agent that explain that it is not allowed to see certain files, and that their inaccessibility is not an error, and that it must not attempt to access them through other means (e.g. via git history, etc.).

This has been a major improvement, but it's not foolproof.

reply
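As an added example (not the commenter's launcher, and not part of codex or bubblewrap), here is one way such a wrapper can be built: it reads an assumed per-project `.agent-deny` file, turns each listed path into a bwrap mask (empty tmpfs for directories, read-only `/dev/null` for files), refuses entries that would reach outside the project root, and then execs the agent inside bubblewrap with the project writable and the rest of the filesystem read-only. The config file name, the function names and the `codex` invocation are assumptions.

```bash
#!/usr/bin/env bash
# agent-sandbox.sh: added example of a bubblewrap launcher that hides paths
# listed in a per-project config file. Not the commenter's launcher; the
# config file name (.agent-deny) and the agent command are assumptions.
#
# Usage: agent-sandbox.sh PROJECT_ROOT codex [args...]
set -euo pipefail

# Emit bwrap arguments, one per line, that mask each path listed in CFG.
# Directories become an empty tmpfs; files become a read-only /dev/null
# bind, so the agent sees an empty file rather than an ENOENT it might
# try to "fix". Entries are one path per line, relative to ROOT;
# '#' comments, blank lines and surrounding whitespace are ignored.
build_mask_args() {
    local root=$1 cfg=$2 line target
    [[ -f $cfg ]] || return 0
    while IFS= read -r line || [[ -n $line ]]; do
        line=${line%%#*}                       # strip trailing comment
        line=${line#"${line%%[![:space:]]*}"}  # trim leading whitespace
        line=${line%"${line##*[![:space:]]}"}  # trim trailing whitespace
        line=${line%/}                         # drop a trailing slash
        [[ -n $line ]] || continue
        # Reject absolute paths and any '..' component: a mask outside the
        # project root is almost certainly a config mistake, so fail closed.
        if [[ $line == /* ]]; then
            printf 'refusing absolute path: %s\n' "$line" >&2
            return 1
        fi
        case "/$line/" in
            */../*)
                printf 'refusing path with ".." component: %s\n' "$line" >&2
                return 1 ;;
        esac
        target="$root/$line"
        if [[ -d $target ]]; then
            printf '%s\n' --tmpfs "$target"
        elif [[ -e $target ]]; then
            printf '%s\n' --ro-bind /dev/null "$target"
        fi
        # Listed paths that do not exist need no mask.
    done < "$cfg"
}

# Run CMD inside bwrap: root filesystem read-only, the project writable,
# listed paths masked. --share-net is kept because the agent needs to reach
# its model API; drop it for fully offline runs.
run_sandboxed() {
    local root out
    root=$(cd "$1" && pwd -P); shift
    # Assign first so a failing build_mask_args aborts under set -e instead
    # of silently launching with no masks.
    out=$(build_mask_args "$root" "$root/.agent-deny")
    local -a masks=()
    [[ -n $out ]] && mapfile -t masks <<< "$out"
    exec bwrap \
        --ro-bind / / \
        --dev /dev --proc /proc --tmpfs /tmp \
        --bind "$root" "$root" \
        ${masks[@]+"${masks[@]}"} \
        --chdir "$root" \
        --unshare-all --share-net \
        --die-with-parent --new-session \
        -- "$@"
}

if [[ $# -gt 0 ]]; then
    run_sandboxed "$@"
fi
```

Masks are applied after the project bind, so they override it; order matters with bwrap. Note that this hides only the working tree: a file that was ever committed is still readable through `git show` or `git log -p` from `.git/objects`, which is exactly the "other means" the comment warns about. Listing `.git` in the config closes that route at the cost of git being unusable inside the sandbox; the alternative is to point the agent at a clone from which the secret was never committed.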
If you’re already running codex as a different user to limit its file permissions, why would you add it to the docker group?
reply
A good but altogether separate note from the point I’m making: this lack of access is seen as an obstacle to overcome, and other means of access will be tried if available.

It’s a different mental model than a first party solution to “ignore” files.

reply
Weirdly, the existing first party solutions around denying commands don't seem to help here.

Often enough, when one of the agents prompts for running "sudo", and I reject it, it will do what looks very much like malicious exploration to figure out how to handle things anyway, including once hijacking a separate shell's pty where I did have a valid sudo session already in order to execute some commands.

We don't yet have the capability to make these models behave in a consistent, deterministic, or safe manner, so a first party solution isn't even necessarily that much better. Especially if it gives a false sense of security.

reply
Lack of knowledge and the desire to have it run containers for things.
reply
Yes. Any sane IT department would not allow external AI services, only local ones. It is just too easy for your company's data to end up on the wrong servers. If not through faulty file permissions, then through employees who simply post company ideas.
reply
Or just have a corporate contract that provides assurances.

Though really I’m skeptical that much corporate info is secret for competitive or privacy reasons.

Mostly it seems to be for liability / discovery reasons. Which are still legit of course, but ideas are a dime a dozen and every company has more than they know what to do with. It’s the resourcing and execution that are hard.

reply
> Or just have a corporate contract that provides assurances.

After the massive copyright infringements and recent "who cares about the law anyway" stance of corporate America, trusting this could be a grand mistake.

reply
It’s a risk. But odds are the upsides from the legal settlements would far outweigh the losses from your super secret memos about q3 budget planning being trained on.

Just treat it like a contract worker. They may violate their NDA. That doesn’t mean you never use any for any purpose ever. It’s a risk that’s been managed since before computers.

reply
Yet many use public GitHub, and human developers accidentally push secrets and other "not for public" files all the time.
reply
Exactly proving the point.
reply