TheDong
11 hours ago
You can do this now: change the file permissions such that the user you run codex as can't read them, or run codex in a container without those files mounted.
If you don't do that, the agent will be able to incidentally upload them. What if the model runs "rg foo", and one of those files contains the string "foo"? It uploads the tool output, which includes the file contents.
And so, the only solution is to make it so the codex process is unable to access those files, hence using a container, or unix permissions, or deleting the files. Which you can already do.
I imagine this isn't resolved primarily because people expect it to apply to bash tool use, not just the "read" and "edit" tools, and people also expect those files to still be accessible i.e. if the agent invokes "make", which makes it impossible to solve perfectly.
cowsandmilk
11 hours ago
100% this. The idea that Codex should enforce this is putting the security boundary at the wrong layer. If you don’t want codes to access something, make it so it doesn’t have access.
embedding-shape
10 hours ago
The Codex bug tracker is a great insight into how wide the knowledge gap seem to be between users. The issue where people ask them to add back /undo or whatever it is instead of just learning to use git, probably reached 100 comments at least by now. People seemingly don't really understand the computers they use on a daily basis, and refuse to learn too.
tern
9 hours ago
I suspect most people don't even know there's a there there.
For instance, while I now know that file systems have permissions, before I became a programmer, I spent maybe ten years thinking of permissions as a special, obscure system thing that you should never touch.
For that matter, I suspect many people don't know basic things like that a file system isn't inherently the operating system.
And, where would you go to learn this information? Your Mac doesn't ship with a manual—how would you know one exists? Furthermore, I would wager that perhaps most people have never learned how anything works requiring a manual and are simply unaware that that's a thing.
All to say, I'm not sure "refusal" is the right term.
tingletech
8 hours ago
When I was an undergraduate biology student in 1991 a suitemate told me I should go to some desk in some building over by Muir and get an account on the VAX. There were strange rooms all over campus that were open 24/7 and were loaded with green and amber screen terminals with integrated keyboards. Lots of sessions for CS lectures were held in these rooms and there was always interesting notes on the white boards (most rooms still had black boards or green boards, but think the chalk was too dusty so these rooms usually had the white boards.
Once I saw an instruction that was circled with an arrow pointing to is that said:
man man
man -k -or- apropos
I just typed `man man` in a terminal on my Mac, and luckily its still there.
atomicnumber3
8 hours ago
We managed to generate probably-correct code, which can then be probably-corrected recursively to get to something that runs (usually).
This made everyone scream and lose their minds saying that code is finished, people think they don't need a technical cofounder anymore, think they don't need engineers anymore, etc. Then they're, at varying speeds, finding out they're wrong.
It seems oddly circular to me that the _exact hubris_ non-engineers have long accused engineers of - and we have indeed been too often guilty of - they themselves turn out to be JUST as guilty of! Just like engineers thought all sales did was bother people, and all marketing did was send emails, and all support did was tell people to turn it off and on again, and all product did was copy google... they all apparently thought all engineers did was tik-tak-click-clack type code all day and when it compiled it was done. Not knowing how much higher-order... well, engineering, there is to it.
Where are all the CTOs during all of this? I thought someone was supposed to be sticking up for their org? Sales, marketing, etc all seem to have entrenched C-suite people keeping their fiefdoms resistant to erosion by outsourcing, downsizing, etc. But all our CTOs seems to have collectively thrown us to the wolves.
aleph_minus_one
8 hours ago
> It seems oddly circular to me that the _exact hubris_ non-engineers have long accused engineers of - and we have indeed been too often guilty of - they themselves turn out to be JUST as guilty of!
I have hardly ever seen this kind of hubris among software developers. The only thing that was common was many software developers were - let's say - somewhat direct in their feedback towards people who are not willing to learn.
I thus rather have the feeling that this kind of accusation of hubris towards software developers rather originates in business people projecting their own overconfidence (hubris) onto software developers.
akoboldfrying
an hour ago
> I have hardly ever seen this kind of hubris among software developers.
Dilbert's entire schtick is the profound ineptitude of "business people".
cataphract
7 hours ago
That is not a fault that's specific to engineers. Lots of smart lawyers think they can learn basically anything over a weekend of hard study. It's probably a blind spot of intelligent people.
kgwgk
5 hours ago
blamemods4accnt
4 hours ago
In my limited experience CTOs rarely get a seat at the big boys table, they mostly just take matching orders from the CEO, CFO, and sometimes sales.
dijksterhuis
an hour ago
> Just like engineers thought all sales did was bother people, and all marketing did was send emails
i mean, sure, the marketing one may be a bit simplified as the emails also need to have pretty pictures in them. and yeah, sure, sales people do need to find the people they’ll eventually start bothering later.
/s
> But all our CTOs seems to have collectively thrown us to the wolves.
the kind of person who usually finds their way into the executive class doesn’t get there by looking after those under them. they get there by avoiding blame and taking credit.
which, funnily enough, is exactly what a hype cycle is all about.
laweijfmvo
4 hours ago
huh, but what if the AI trashes my git repo? maybe it just deletes the .git folder entirely. a deterministic undo wouldn’t be the silliest feature, for the current definition of “AI”.
pamcake
2 hours ago
The answer is the same: You give it either read-only or its own copy separate from the one you care about.
The requested feature wouldn't be a robust solution here either for the same reasons.
Besides, have you noticed the amount of other amateur-hour bugs anf jank in Codex going for weeks or months without proper resolution? Given that, why would you want and trust their solution here over alternatives, specifically?
mirashii
4 hours ago
The default sandboxing for Codex does not allow the agent to access .git
valleyer
3 hours ago
I think this is what you meant, but just to clarify: it doesn't allow it to write to .git. Read access is allowed.
fragmede
8 hours ago
The knowledge gap is very real. Because unsavvy users are just going to paste the API key into codex and say "make it work". For the truly lazy/uninformed, codex has computer use, and are going to tell it go into Vercel/Netlify/Stripe/Cloudflare for them, and get the API key, and save it to .env for them. So users knowing they need such a feature in the first place should be celebrated when the alternative is even dumber.
wonnage
7 hours ago
I mean based on all the "coding is solved" hype that's what these companies are aiming for
LtWorf
8 hours ago
That's the product that is being sold here… why shame the users for expecting what was marketed to them?
MattDamonSpace
10 hours ago
Not sure I agree?
It’s not like gitignore should be independent from git
TheDong
10 hours ago
The difference is that git is a traditional programming tool which executes deterministically.
agents are not deterministic tools, they're not sandboxes or container runtimes or languages with capabilities models.
They're a way to run arbitrary commands.
It would be like saying that "xterm" should have a ".xtermnoexec" list of commands you can't run, or that VLC should have an option for actors it won't show.
terminals run shells which run commands, it's not really deeply aware of what commands your shell ultimately run, and it's not in xterm's job to setup a sandbox and strip out executables.
VLC displays pixels, it's not up to it to figure out if those pixels are a certain actor.
codex pipes text and tool calls back and forth between OpenAI's servers, and it barely understands what that text and those tool calls are, and especially if a given tool touched a file. If you want VLC to not display an actor, you need to add a layer on top of VLC to stop it displaying a list of movies. If you want codex to not display a file's contents, you need a layer on top of codex to prevent it going near that file.
dns_snek
8 hours ago
> they're not sandboxes
Yes they can be, and Codex offers one. It uses Bubblewrap and seccomp on Linux which are perfectly capable of restricting filesystem access.
In a default setup every command is executed inside a restrictive sandbox and you're only asked for permission to run that command if the execution fails.
I don't necessarily think that it's a good idea to rely on these sandboxes as your only line of defense but that's absolutely a feature that they can, should, and do offer.
SoftTalker
9 hours ago
bash actually has a "restricted" mode which is sort of like that. In restricted mode, the following are disallowed:
- Changing directories with cd.
- Setting or unsetting the values of SHELL, PATH, HISTFILE, ENV, or BASH_ENV.
- Specifying command names containing /.
- Importing function definitions from the shell environment at startup.
- Parsing the values of BASHOPTS and SHELLOPTS from the shell environment at startup.
... some other things mainly preventing you from escaping or disabling the restricted mode.
8organicbits
9 hours ago
Does that work? I've never seen it used. It seems easy to escape.
The docs seem to suggest using alternate approaches.
> Modern systems provide more secure ways to implement a restricted environment, such as jails, zones, or containers.
https://www.gnu.org/software/bash/manual/html_node/The-Restr...
SoftTalker
9 hours ago
I don't think I've ever seen it used. I think the idea was back in the day when you wanted to let a user have a shell login (because that's the only way you could use a shared computer) but wanted to confine them to a specific directory and prevent them running anything that wasn't in the pre-defined PATH that you set for them.
4ndrewl
an hour ago
Back in the day we'd use chroot to achieve something similar
tingletech
7 hours ago
You could also produce special purpose applications this way, say to provide access to the online library catalog, or a run a gopher client for use in a public terminal lab. Telnetting to a unix account running some sort of restricted shell was how these often worked.
A sibling comment I can't reply to asks if you can do with with unix permissions.
These were really intended for anonymous guest access, or at least often used for this purpose. You couldn't do the same things with the file permissions systems at the time.
ryoshu
8 hours ago
Can't you do that with regular Unix permissions?
jxf
10 hours ago
.gitignore doesn't have the same security implications.
If you fail to prevent a private key from being added to your repository, you can reverse this and purge it from the blobs and reflog as if it never happened.
If you fail to prevent OpenAI from ingesting a private key, you have created a security incident.
tmp10423288442
7 hours ago
> If you fail to prevent a private key from being added to your repository, you can reverse this and purge it from the blobs and reflog as if it never happened.
Only if you’re absolutely sure that it’s never been pushed to a public repository. I would treat a push of a private key to GitHub as a much higher emergency than it being sent to OpenAI (or even being accidentally used in a Google search), since there are bots that actively scan GitHub for private keys, such that your private key might be found within a few minutes of push.
throwatdem12311
4 hours ago
Will git drop your production database because it feels like it when the stars align?
throwatdem12311
4 hours ago
You expect Joe Blow vibe coder running Codex on his Dell to understand this?
matheusmoreira
4 hours ago
Yes.
throwatdem12311
4 hours ago
lol I don’t you realize how tech illiterate most normies are
londons_explore
10 hours ago
I could imagine perhaps some system which rather than denying access might instead replace the key material from your .env key with "** redacted. This key material can be used via make, but can never be exfoltrated directly **" whenever that key is seen heading out towards the network...
brookst
10 hours ago
But that means the process can’t use the key for network requests, right?
mcintyre1994
10 hours ago
OnePassword can do something like this where you put references to a path there instead of the key material, and then you wrap the invoke command with their CLI and it replaces them. So your local env file never has anything sensitive. A malicious agent could still exfiltrate if you give it access to debug tools on the running code though.
jgalt212
10 hours ago
I'm a fan of belt and suspenders.
albedoa
an hour ago
Where did you run off to little boy.
lelandfe
11 hours ago
Just be aware that AI agents will explore alternate means of accessing said files: https://news.ycombinator.com/item?id=48348578
martylamb
10 hours ago
Yes. I found this quickly after wrapping codex in a launcher that uses bubblewrap to exclude certain files and directories based on a config file at the project root. My best solution so far is to also include instructions for the agent that explain that it is not allowed to see certain files, and that their inaccessibility is not an error, and that it must not attempt to access them through other means (e.g. via git history, etc.).
This has been a major improvement, but it's not foolproof.
ChrisRun
2 minutes ago
Interesting you said it's not foolproof. Did the agent ignore your instruction somehow?
cowsandmilk
11 hours ago
If you’re already running codex as a different user to limit its file permissions, why would you add it to the docker group?
lelandfe
11 hours ago
A good but altogether separate note from the point I’m making: this lack of access is seen as an obstacle to overcome, and other means of access will be tried if available.
It’s a different mental model than a first party solution to “ignore” files.
TheDong
10 hours ago
Weirdly, the existing first party solutions around denying commands don't seem to help here.
Often enough, when one of the agents prompts for running "sudo", and I reject it, it will do what looks very much like malicious exploration to figure out how to handle things anyway, including once hijacking a separate shell's pty where I did have a valid sudo session already in order to execute some commands.
We don't yet have the capability to make these models behave in a consistent, deterministic, or safe manner yet, so a first party solution isn't even necessarily that much better. Especially if it gives a false sense of security.
jen20
10 hours ago
Lack of knowledge and the desire to have it run containers for things.
amelius
11 hours ago
Yes. Any sane IT department would not allow external AI services, only local ones. It is just too easy for your company's data to end up on the wrong servers. If not through faulty file permissions, then through employees who simply post company ideas.
brookst
10 hours ago
Or just have a corporate contract that provides assurances.
Though really I’m skeptical that much corporate info is secret for competitive or privacy reasons.
Mostly it seems to be for liability / discovery reasons. Which are still legit of course, but ideas are a dime a dozen and every company has more than they know what to do with. It’s the resourcing and execution that are hard.
amelius
10 hours ago
> Or just have a corporate contract that provides assurances.
After the massive copyright infringements and recent "who care's about the law anyway" stance of corporate America, trusting this could be a grand mistake.
brookst
9 hours ago
It’s a risk. But odds are the upsides from the legal settlements would far outweigh the losses from your super secret memos about q3 budget planning being trained on.
Just treat it like a contract worker. They may violate their NDA. That doesn’t mean you never use any for any purpose ever. It’s a risk that’s been managed since before computers.
SoftTalker
9 hours ago
Yet many use public github, and human developers accidently push secrets and other "not for public" files all the time.
amelius
7 hours ago
Exactly proving the point.
chriddyp
8 hours ago
While this is true, there is also a layer in the harness between the output of _any_ tool output (eg stdout or hand-rolled tools) and the LLM. A tool could read the file but then the agentic harness could redact the output before returning it back to the llm if any of the contents matched the file contents. We do something similar in Plotly Studio where we check the entropy of strings in the user input and flag & redact any high entropy strings to the user as “potential credentials” thay the user might have inadvertently copied and pasted into the prompt before sending to the llm.
There are ways around this - the llm can always be clever by invoking tools to read the file contents in a different way than the direct file contents - but this is all to say that the agentic harness layer _does_ allow for deterministic logic in between tool output and the LLM requests.
jrvarela56
10 hours ago
Sandboxing is a solved problem, there are dozens of providers of firecracker instances to run your agent in.
The problem to be solved is how do you define task-specific least privilege versions of your coding agent.
niyikiza
2 hours ago
We've been using Tenuo which for task-scoped authorization.
Its integration for Claude Code: https://github.com/tenuo-ai/claude-governance
sheremetyev
8 hours ago
I'm running Codex/Claude in native macOS sandbox with access just to the project folder (plus read-only access to Git repo), and expand to other folders if necessary - https://github.com/sheremetyev/sandfence
valleyer
7 hours ago
Codex (at least) already imposes the macOS sandbox on the shell commands it runs. If it wants to run something without sandbox imposition, the harness makes me approve it manually.
Is the difference with your script mostly that you choose to impose a stricter sandbox profile (and not allow any user-approved exceptions at runtime)?
kstenerud
10 hours ago
If you're not sandboxing your agent, everything on your computer is waiting to be exposed.
Assuming that file permissions will save you is naively dangerous.
nativeit
9 hours ago
It seems insane to me that so many people are OK with this. Why is it necessary for an agent to upload every bit of data it sees to OpenAI at all? Particularly if my agents can’t remember anything beyond a single session, why should the data exist permanently anywhere but in its original location?
jstanley
9 hours ago
> Why is it necessary for an agent to upload every bit of data it sees to OpenAI at all?
The LLM is running at OpenAI. The agent doesn't see anything that doesn't get sent to OpenAI.
It's like running a compiler in the cloud and asking why you need to send your source code to it when you only want the binary to be on your local PC. It's because that's where the processing is going on and it can't process what it can't see.
> why should the data exist permanently anywhere but in its original location?
Sure, they don't necessarily have to retain it permanently.
SubiculumCode
6 hours ago
What is your sandbox approach? Any good guides? Something about asking a LLM for advice on how to sandbox LLMs.....
kstenerud
6 hours ago
I use this: https://github.com/kstenerud/yoloai
yoloai new mysandbox . # Create a sandbox
yoloai attach mysandbox # Attach the sandbox to the current terminal
... (^b^d to disconnect) # It's using tmux to keep the agent alive
yoloai diff mysandbox # See what the agent did
yoloai apply mysandbox # apply its changes to your workdir
yoloai destroy sandbox
yoloai run mysandbox . -p "read issue https://github.com/kstenerud/yoloai/issues/190 and fix it"
yoloai diff mysandbox
yoloai apply mysandbox
yoloai destroy sandboxSubiculumCode
4 hours ago
thanks. I will check that out, I'm also checking out smolvm. Sometimes it is hard to distinguish my modest needs versus what might be needed at a corporate infrastructure level for coding or agent orchestration.
I'm just writing scripts for neuroimaging analysis, etc, and want to ensure codex etc doesn't read my sqlite db or csvs, and send my research data to the inference provider...
Are people using these and interacting with the agent via terminal, or are there fuller cli interfaces, or integrations?
efxhoy
6 hours ago
How could an agent bypass file permissions?
kstenerud
5 hours ago
By exploiting a root escalation.
Or just finding a file/dir you forgot to set a tight enough mode on (happens a lot in systems where the default is insecure).
nicce
11 hours ago
> I imagine this isn't resolved primarily because people expect it to apply to bash tool use, not just the "read" and "edit" tools, and people also expect those files to still be accessible i.e. if the agent invokes "make", which makes it impossible to solve perfectly.
Also, why would they add a feature to prevent data collection, if the data makes the company even more valuable and you might even get good deals from the current government if you provide the access for this data?
FergusArgyll
11 hours ago
Yes, this was solved decades ago. How do you stop a human from reading one of your files?
chmod 600re-thc
10 hours ago
> How do you stop a human from reading one of your files?
Call the police!
aleph_minus_one
7 hours ago
> > How do you stop a human from reading one of your files?
> Call the police!
Rather: Send the Marines.
With intro: https://www.youtube.com/watch?v=eFvxqQTh3m4
Without intro: https://www.youtube.com/watch?v=HHhZF66C1Dc
quotemstr
3 hours ago
> You can do this now: change the file permissions such that the user you run codex as can't read them, or run codex in a container without those files mounted.
That's quite inconvenient. I want to run my coding agent in a restricted version of my regular user context, not something that drives like a separate machine.
> What if the model runs "rg foo", and one of those files contains the string "foo"? It uploads the tool output, which includes the file contents.
You have codex run rg in the sandbox, and the sandbox can't read foo. Why is this model so difficult to understand? Codex already runs a variety of commands under a bwrap/seatbelt/etc. sandbox. I've merely extended Codex to run everything in a sandbox. Escalation isn't a matter of whether to run a command in a sandbox or not: it's a matter of which sandbox policy to apply to whatever it is the model asked to do.
> the only solution is to make it so the codex process is unable to access those files
That's not true. Restrictions need apply only to the tools the model runs, not the Codex process itself. You can always insert a process-and-sandbox boundary between the harness and its tools. Codex inserts this boundary most of the time anyway. I've extended my Codex to do it all the time, even for things like the read-a-file tool.
Works fine.
> I imagine this isn't resolved primarily because people expect it to apply to bash tool use,
Yeah? Applying it to the shell tool [1] is trivial. It's actually harder to apply the sandbox to non-shell tools. It just isn't hard conceptually: you define a sandbox policy, writing down what's allowed and not, and just filter everything the model does through this policy via OS-level lightweight sandboxing tools.
Seriously. It's not that hard. And you don't have to sandbox the Codex process itself. I honestly have no idea why people think it's necessary to do so. The model has no ability to make Codex-the-POSIX-process do arbitrary things.
[1] I refuse to call it the "bash tool" when most users are running zsh in it. Name things appropriately.