
Comments (116)

  • sanskritical
    How long until agents begin routinely abusing local privilege escalation bugs to break out of containers? I bet if you tell them explicitly not to do so it increases the likelihood that they do.
  • AnotherGoodName
    Add this to .claude/settings.json: { "sandbox": { "enabled": true, "filesystem": { "allowRead": ["."], "denyRead": ["~/"], "allowWrite": ["."], "denyWrite": ["/"] } } } You can change the read part if you're ok with it reading outside. This feature was only added 10 days ago fwiw but it's great and pretty much this.
  • puttycat
    I am still amazed that people so easily accepted installing these agents on private machines. We've been securing our systems in all ways possible for decades and then one day just said: oh hello unpredictable, unreliable, Turing-complete software that can exfiltrate and corrupt data in infinite unknown ways -- here's the keys, go wild.
  • andai
    This looks great and seems very well thought out. It looks both more convenient and slightly more secure than my solution, which is that I just give them a separate user. Agents can nuke the "agent" homedir but cannot read or write mine. I did put my own user in the agent group, so that I can read and write the agent homedir. It's a little fiddly though (sometimes the wrong permissions get set, so I have a script that fixes it), and keeping track of which user a terminal is running as is a bit annoying and error prone.

    But the best solution I found is "just give it a laptop." Completely forget OS and software solutions, and just get a separate machine! That's more convenient than switching users, and also "physically on another machine" is hard to beat in terms of security :) It's analogous to the mac mini thing, except that old ThinkPads are pretty cheap. (I got this one for $50!)
  • ray_v
    I'm wondering if the obvious (and stated) fact that the site was vibe-coded detracts from the fact that this tool was hand-written.

    > jai itself was hand implemented by a Stanford computer science professor with decades of C++ and Unix/linux experience. (https://jai.scs.stanford.edu/faq.html#was-jai-written-by-an-...)
  • gpm
    This is a cool solution... I have a simpler one, though likely inferior for many purposes. Run <ai tool of your choice> under its own user account via ssh. Bind mount project directories into its home directory when you want it to be able to read them. Mount command looks like:

        sudo mkdir /home/<ai-user>/<dir-name>
        sudo mount --bind <dir to mount> --map-groups $(id -g <user>):$(id -g <ai-user>):1 --map-users $(id -u <user>):$(id -u <ai-user>):1 /home/<ai-user>/<dir-name>

    I particularly use this with vscode's ssh remotes.
  • BoppreH
    Excellent project, unfortunate title. I almost didn't click on it. I like the tradeoff offered: full access to the current directory, read-only access to the rest, copy-on-write for the home directory. With stricter modes to (presumably) protect against data exfiltration too. It really feels like it should be the default for agent systems.
  • gurachek
    The examples in the article are all big scary wipes, but I think the more common damage is way smaller and harder to notice. I've been using claude code daily for months and the worst thing that happened wasn't a wipe (yet). It needed to save an svg file so it created a /public/blog/ folder. Which meant Apache started serving that real directory instead of routing /blog. My blog just 404'd and I spent like an hour debugging before I figured it out. Nothing got deleted and it's not a permission problem, the agent just put a file in a place that made sense to it. jai would help with the rm -rf cases for sure but this kind of thing is harder to catch because it's not a permissions problem, the agent just doesn't know what a web server is.
  • rsyring
    I've been reviewing Agent sandboxing solutions recently and it occurred to me there is a gaping vector for persistent exploits for tools that let the agent write to the project directory. Like this one does. I had originally thought this would be ok as we could review everything in the git diff. But, it later occurred to me that there are all kinds of files that the agent could write to that I'd end up executing, as the developer, outside the sandbox. Every .pyc file for instance, files in .venv, .git hook files. ChatGPT[1] confirms the underlying exploit vectors and also that there isn't much discussion of them in the context of agent sandboxing tools. My conclusion from that is the only truly safe sandboxing technique would be one that transfers files from the sandbox to the dev's machine through some kind of git patch or similar. I.e. the file can only transfer if it's in version control and, therefore presumably, has been reviewed by the dev before transfer outside the sandbox. I'd really like to see people talking more about this. The solution isn't that hard, keep CWD as an overlay and transfer in-container modified files through a proxy of some kind that filters out any file not in git and maybe some that are but are known to be potentially dangerous (bin files). Obviously, there would need to be some kind of configuration option here.

    1: https://chatgpt.com/share/69c3ec10-0e40-832a-b905-31736d8a34...
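The filtering proxy this comment sketches, as an added example (not code from jai or from the commenter): the overlay's upper layer holds exactly the files the agent created or changed, so the exporter walks it and copies a file to the developer's checkout only if it is git-tracked, is not a symlink, and does not live in a location the developer's tools load or execute implicitly (.git hooks, .venv, bytecode, native binaries). The function names, the deny lists and the sample upper layer are this example's own constructions; `git_tracked` is the one piece that shells out to git, and `demo()` substitutes a hard-coded tracked set so it runs without a repository.

```python
"""Export only git-tracked, non-dangerous files from an agent sandbox overlay.

Added example; names and deny lists are assumptions, not jai's own API.
"""
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

# Directories whose contents the developer's tooling runs or loads implicitly.
DENY_DIRS = {".git", ".venv", "venv", "__pycache__", "node_modules"}
# Suffixes that are executed or loaded rather than read as source.
DENY_SUFFIXES = (".pyc", ".pyo", ".so", ".dll", ".dylib", ".exe")


def is_denied(rel_path: str) -> bool:
    """True for files that would run outside the sandbox without a diff review."""
    parts = Path(rel_path).parts
    if any(part in DENY_DIRS for part in parts[:-1]):
        return True
    return rel_path.endswith(DENY_SUFFIXES)


def git_tracked(repo: Path) -> set:
    """Paths under version control, from `git ls-files -z` (NUL-separated)."""
    out = subprocess.run(["git", "-C", str(repo), "ls-files", "-z"],
                         check=True, capture_output=True).stdout
    return {p.decode() for p in out.split(b"\0") if p}


def modified_in_sandbox(upper: Path):
    """Yield (repo-relative path, absolute path) for every file in the upper layer."""
    for root, _dirs, files in os.walk(upper):
        for name in files:
            abs_path = Path(root) / name
            yield abs_path.relative_to(upper).as_posix(), abs_path


def export_sandbox(upper: Path, dest: Path, tracked: set):
    """Copy allowed files from the overlay upper layer into dest.

    Returns (copied, rejected); rejected is a list of (path, reason).
    """
    copied, rejected = [], []
    for rel, abs_path in sorted(modified_in_sandbox(upper)):
        if abs_path.is_symlink():          # could point anywhere; never follow
            rejected.append((rel, "symlink"))
        elif rel not in tracked:           # not in git => never reviewed
            rejected.append((rel, "untracked"))
        elif is_denied(rel):               # tracked but executed implicitly
            rejected.append((rel, "denied path"))
        else:
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            # copyfile copies bytes only: no mode bits, so no new executables.
            shutil.copyfile(abs_path, target)
            copied.append(rel)
    return copied, rejected


def demo():
    """Constructed sample upper layer with four agent-written files."""
    base = Path(tempfile.mkdtemp(prefix="sandbox-export-"))
    upper, dest = base / "upper", base / "dest"
    sample = {
        "src/app.py": "print('hello')\n",        # tracked source: allowed
        "notes.txt": "scratch\n",                 # never added to git
        ".git/hooks/pre-commit": "#!/bin/sh\n",   # would run on the dev's next commit
        "lib/helper.pyc": "bytecode",             # tracked here only to show the deny rule
    }
    for rel, text in sample.items():
        path = upper / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    tracked = {"src/app.py", "lib/helper.pyc"}   # stand-in for git_tracked(repo)
    return export_sandbox(upper, dest, tracked)


if __name__ == "__main__":
    copied, rejected = demo()
    print("copied:", copied)
    for rel, reason in rejected:
        print(f"rejected {rel}: {reason}")
```

Only `src/app.py` leaves the sandbox in the sample run; the hook, the untracked note and the tracked bytecode are all held back with a reason the developer can inspect. The rejection list is the point of the design: a file the agent planted in a location that executes on its own never reaches the host, and the developer still sees that the attempt was made.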
  • gck1
    It's full VM or nothing. I want AI to have full and unrestricted access to the OS. I don't want to babysit it and approve every command. Everything that is on that VM is fair game and the VM image is backed up regularly from outside. This is the only way.
  • adi_kurian
    Claude's stock unprompted / uninspired UI code creates carbon clone components. That "jai is not a promise of perfect safety" callout box is like the em dash of FE code. The contrast, or lack thereof, makes some of the text particularly invisible. I wonder if shitty looking websites and unambitious grammar will become how we prove we are human soon.
  • stavros
    I'd really like to try this, but building it is impossible. C++ is such a pain to build with the "`make`; hunt for the dependency that failed; `apt-get install whatever-dev`; goto make" loop...Please release binaries if you're making a utility :(
  • e1g
    For jailing local agents on a Mac, I made Agent Safehouse - it works for any agent and has many sane defaults for developers https://agent-safehouse.dev
  • triilman
    What would Jonathan Blow think about this?
  • mazieres
    What would it take for people to stop recklessly running unconstrained AI agents on machines they actually care about? A Stanford researcher thinks the answer is a new lightweight Linux container system that you don't have to configure or think about.
  • jbverschoor
    Interesting take on the same problem. I created https://github.com/jrz/container-shell which basically launches a persistent interactive shell using docker, chrooted to the CWD. CWD is bind mounted so the rest is simply not visible and you can still install anything you want.
  • justinde
    .claude/settings.json: { "sandbox": { "enabled": true, "filesystem": { "allowRead": ["."], "denyRead": ["~/"], "allowWrite": ["."] } } } Use it! :) https://code.claude.com/docs/en/sandboxing
  • mbreese
    This still is running in an isolated container, right? Ignoring the confidentiality arguments posed here, I can't help but think about snapshotting filesystems in this context. Wouldn't something like ZFS be an obvious solution to an agent deleting or wildly changing files? That wouldn't protect against all issues the authors are trying to address, but it seems like an easy safeguard against some of the problems people face with agents.
  • Waterluvian
    Are mass file deletions the result of some plausible "I see why it would have done that" or will it just completely randomly execute commands that really have nothing to do with the immediate goal?
  • schaefer
    Ugh. The name jai is very taken[1]... names matter.

    [1]: https://en.wikipedia.org/wiki/Jai_(programming_language)
  • cozzyd
    Should be named Jia. More seriously, I'm not a heavy agent user, but I just create a user account for the agent with none of my own files or ssh keys or anything like that. Hopefully that's safe enough? I guess the risk is that it figures out a local privilege escalation exploit...
  • yalogin
    What if Claude needs me to install some software and hoses my distro? Jai cannot protect there as I am running the script myself.
  • Jach
    I've done some experimenting with running a local model with ollama and claude code connecting to it and having both in a firejail: https://firejail.wordpress.com/ What they get access to is very limited, and mostly whitelisted.
  • waterfisher
    There's nothing wrong with an AI-designed website, but I wish when describing their own projects that HN contributors wrote their own copy. As HN posters are wont to say, writing is thinking...
  • simonw
    Suggestion for the FAQ page: does this work on a Mac?
  • samchon
    Just allowing YOLO, and sometimes rolling back.
  • cozzyd
    Should definitely block .ssh reading too...
  • rdevsrex
    This won't cause any confusion with the jai language :)
  • faangguyindia
    I just use seatbelt (mac native) in my custom coding agent: supercode
  • albert_e
    Can we have a hardware level implementation of git (the idea of files/data having history preserved. Not necessarily all bells and whistles.) ...in a future where storage is cheap.
  • gonzalohm
    Not sure I understand the problem. Are people just letting AI do anything? I use Claude Code and it asks for permission to run commands, edit files, etc. No need for sandbox
  • messh
    How is this different from, say, bubblewrap and others?
  • KennyBlanken
    This is not some magical new problem. Back your shit up. You have no excuse for "it deleted 15 years of photos, gone, forever."
  • samlinnfer
    Now we just need one for every python package.
  • avazhi
    The irony is they used an LLM to write the entire (horribly written) text of that webpage.When is HN gonna get a rule against AI/generated slop? Can’t come soon enough.
  • charcircuit
    I want agents to modify the file system. I want them to be able to manage my computer if they think it's a good idea. If a build fails due to running out of disk space I want it to be able to find appropriate stuff to delete to free up space.
  • gerdesj
    Oh dear Lord! (pick your $DEITY) Backups.
  • drtournier
    GPL v3…