Comment by khalic
3 days ago
Why would you give a non-deterministic text generator a user account? It’s not a person, it’s barely a tool at the software level. Restrict at the right level, in this case, a complete sandbox around it given its propensity to hallucinate and be steered by anybody.
What kind of logic is this? It's standard in the Linux world to give important services a separate user domain.
The standard here is not enough when the agent can escalate by finding 0 days, for example. It’s like giving a black hat a limited account. Sure it might restrict him, but not giving him an account at all is way better
The black hat can find 0-day escalation in your sandbox, too.
A user account is a sandbox.
3 replies →
Unix users are THE tool to restrict tool permissions, at any given time there's 20+ services on a Unix machine that run in their user.
And how many of those services can check your box and find permission escalation strategies on its own?
Malware has been bundling rootkits for decades, so potentially all of them. Sometimes the attacks succeed, so these are defenses that need continual hardening, but there's no sense in setting up an entirely separate line of defense just because this time the threat has AI in it.
1 reply →
Same reason people give postgres, php, or any other program a user account.
Why should it be? We have containers and capabilities…
Containers are often used with user namespaces, which is literally another (set of) user account(s).
1 reply →
...this is a completely normal thing to do in linux, it's the most basic form of access control. There's like a dozen non-human accounts in a clean install before adding your own like this, and a lot of software adds their own. Edit: I have 54 entries on my personal laptop, just one of which is actually me.
He said it’s less than a software, so saying software does this too isn’t really a strong counter argument. In case, I don’t think you are really in disagreement. Restricted accounts are necessary is your point, but I think op is saying they aren’t sufficient.
One of the default users is "nobody" which isn't associated with any software. It's definitely above that.
1 reply →
Even though it’s completely normal to us and in widespread use, GP is a reminder that conceptually it’s a broken model. Security should be capability-based not user-based. And to anyone who didn’t grow up on a desktop this model makes complete sense since it’s what your phone uses.
Android uses one uid per app.
1 reply →
This model is already not perfect, and not at all built for agents. The only way to secure an agent is an air-gap with the execution layer. Treat it like text, and the problem never arises until you “interpret” the agent output in a more limited environment than the OS
i give a lot of software dedicated user accounts, it's literally one of the core security models of the operating system
But none of these services have the kind of latent capabilities an agent has, you know a deterministic service’s constraint are its code+bugs. There are no such constraints in an agent…
Congratulations! You are this thread’s winner of the UUOC award!
[flagged]
/etc/shadow has the good stuff if you're OS is current.