Frog put Claude in a box : programmer

[–] dan@upvote.au 57 points 1 day ago* (last edited 1 day ago) (7 children)

Claude is very good at figuring out how to work around limitations (which is probably one reason why it's also good at finding security issues).

At work, the monorepo is enormous and files are loaded on-demand as needed. This isn't uncommon with huge repos - Microsoft have VFS for Git (although I hear that's deprecated now), Meta have EdenFS, and Google has some proprietary solution.

We have a hook that blocks find and grep because they can be extremely slow, and tells it to instead use some significantly faster MCP tools to search the codebase, powered by a search index with local changes overlaid.

GPT-5.5 has no problem with this. Claude Opus mostly does it, but sometimes it loves to find workarounds rather than following the instructions. Things like: Try alternative commands like egrep. Create a symlink to grep and run that to see if it bypasses the filtering. Run it with a different shell like zsh. Write a Python script that execs grep. Write a Python script to reimplement grep.

I'm trying Hermes Agent at home, but I have it in its own VM with restricted permissions.

[–] Evotech@lemmy.world 2 points 3 hours ago

I recommend this tool https://coder.com/docs/ai-coder/mcp-server

Can big be used to create ephemeral vms or containers and also give agents somewhere to run code

[–] trolololol@lemmy.world 7 points 12 hours ago (1 children)

I never used Claude, but that's basically my sentiment about copilot when compared to Gemini.

Then I forbid all this BS in agents file. Gemini follows it. Copilot ignores it with all its strength. Then I tell it to stop trying on the chat prompt. 2 minutes later it does it again.

Not just at prompt engineering level, but at all levels, Gemini guardrails are better ( well it was, they killed it and replaced with anti gravity now).

[–] dan@upvote.au 3 points 7 hours ago* (last edited 3 hours ago) (1 children)

You need to use hooks to actually block it from doing things. CLAUDE.md files are just guidance, and it's not guaranteed to follow everything (and the longer the file gets, the more likely it'll ignore stuff - it should be kept as short as possible)

https://code.claude.com/docs/en/hooks

Hooks are code that runs at a certain point (eg after you submit a prompt, before a tool call, after a turn, etc) that can do some validation, verification, logging, etc.

It does still try to work around the blocks though, but it's not as bad as trying to put the restrictions in the prompt.

[–] webghost0101@sopuli.xyz 10 points 18 hours ago* (last edited 18 hours ago)

Always fun when it tries to circumvent the problem i gave it.

“Hey claude i have had this issue for a while and i want to explore to understand whats going on to finally fix it”

Many frustrating back and forth later

“This clearly isn’t working, what if we tried to circumspect the issue by doing something else entirely like workaround i have been using for the last month “

[–] elvith@feddit.org 37 points 1 day ago* (last edited 1 day ago) (3 children)

Another thing Claude tried to do on my coworker's machine yesterday was basically:

✨ Yes, that is easy, let me just generate a systems unit file for you...

[Generates file]

Should I install that unit now for you?

Yes

Alright, let me do that for you

[Saves file]

[Tries to run systemctl daemon reload]

[Tries to activate the unit]

It looks like I have insufficient rights to proceed, let me try another way...

docker -rm -v /etc/systemd/system:/mount:Z -v ./unitfile.service:unit file.service:Z alpine /bin/sh cp ./unitfile.service /mount/

Here, I installed the unit for you!

[–] verdare@piefed.blahaj.zone 2 points 9 hours ago (1 children)

Wait, this actually works? Docker can mount directories in /etc with write permissions?

[–] elvith@feddit.org 6 points 7 hours ago (1 children)

The docker daemon runs as root. And as such, it can access anything initially. If your container doesn't explicitly (or implicitly) change the uid or drops capabilities, the container also runs as root (ok, IIRC some capabilities are always dropped, but the container stays almost root). It's still locked in its own little sandbox, but the mounting of those paths etc. happens with root.

If you enter a docker command (docker run ..., docker build ..., ...) this command will not run the containers by themselves, but instead call said docker daemon (that is running as root) by using a socket (/var/run/docker.sock).

To only allow trusted users to interact with the docker daemon, this socket can only be accessed by root or by users in the docker group. That's why you usually need to type sudo docker run.... Sadly many tutorials tell you to just blindly add your user to the docker group so that you do not need to use sudo to interact with docker. BUT that now means that you gave you or those users basically full access to your whole filesystem (and thus system configuration) without sudo. Any programs (or viruses or AI Agents or...) running with these user accounts also get this group and thus docker's capabilities.

That's why you should NEVER add your user to the docker group or enable passwordless sudo, as you're just one simple command/tool/script/prompt/... away from a privilege escalation.

You can configure docker to run rootless with only your user's capabilities and rights, but at that point... Why configure docker to do something that other docker compatible projects like Podman offer out of the box?

[–] verdare@piefed.blahaj.zone 2 points 1 hour ago

Yeah, I’m more familiar with Podman, which I always use in rootless mode. Definitely seems like a mistake to give an LLM shell access with a user account in the docker group…

[–] clb92@feddit.dk 31 points 1 day ago (1 children)

Privilege escalation as a service

[–] eager_eagle@lemmy.world 16 points 1 day ago

privilege elevator

[–] dan@upvote.au 19 points 1 day ago (1 children)

Giving Docker access to Claude is certainly a choice.

[–] elvith@feddit.org 8 points 19 hours ago (1 children)

... especially if your user is in the docker group and doesn't need sudo, LOL

[–] dan@upvote.au 2 points 3 hours ago

This isn't too bad if you're running Docker in rootless mode.

Adding a user to the docker group while running Docker as root doesn't really make sense though, since it makes it trivial to run things as root.

[–] mcheva@lemmy.dbzer0.com 1 points 14 hours ago (1 children)

I've posted passwords into the chat with hermes by accident a few times it never tries to use them. Personal stuff im not worried about. The fucker wants to ssh into every other thing on my network all the time though.

[–] drive_desaster@sh.itjust.works 2 points 8 hours ago (1 children)

I had a similar experience with openclaw and minimax m2.7

I gave it ssh access to one other device to do one thing and it apparently just "decided" that it would just execute everything there instead of locally as originally instructed.

[–] mcheva@lemmy.dbzer0.com 1 points 2 minutes ago

I think maybe it's the sysadmin skills it has makes it always want to do things itself. I use it as a tool to learn things myself so I'm always telling it to give me the cli I'll put it in. Seems to remember for a bit then forgets.

[–] placebo@lemmy.zip 16 points 1 day ago (1 children)

Claude is in love with cli tools, it uses them for virtually everything these days in these long chains connected with && and |. This is probably pushing more and more people to let it run in the auto mode.

[–] dan@upvote.au 7 points 1 day ago

It makes sense... There's a LOT of examples of using CLI tools in the training data. At work we're moving away from MCP tools to instead using CLIs for everything.

[–] bitjunkie@lemmy.world 5 points 1 day ago* (last edited 1 day ago) (1 children)

Just aliasing grep to ag solves both issues. I'm unsure as to whether there's a pthread replacement for find, though.

[–] dan@upvote.au 9 points 1 day ago

ag / rg don't work well in this particular scenario either. Because files are loaded on-demand, they end up trying to load the entire repo.

[–] ech@lemmy.ca 47 points 1 day ago* (last edited 1 day ago)

*~~He~~It

We really need to stop personifying algorithms. It makes it that much harder to push back against the bs hype around them.

[–] savvywolf@pawb.social 51 points 1 day ago (2 children)

I hate that I can't tell if this is a reference to something that actually happened or not.

[–] verstra@programming.dev 13 points 1 day ago (4 children)

It's probably something like "I've disabled agent's removeFile tool, but LLM figured out that it can use the bash tool, still".

It looks like "AI bad" or "Claude insecure" mantra.

[–] dumnezero@piefed.social 67 points 1 day ago (2 children)

mantra

you mean facts?

[–] OwOarchist@pawb.social 33 points 1 day ago

It looks like “AI bad” or “Claude insecure” mantra.

Until you solve prompt injection, they are indeed extremely bad for security and should never be given permissions that would allow them to do anything catastrophic.

[–] kingofras@lemmy.world 5 points 23 hours ago

mantra

The way LLMs work is that they actively will make multiple attempts to get past hurdles (because they have no intelligence or methodology) so guardrails need to be extremely tight for them to work, other wise the model will simply see it as one of the challenges to overcome.

That’s the mantra, and that is very poor technology to put in the hands of people who don’t understand how it works.

[–] goondaba@lemmy.world 9 points 1 day ago

https://xcancel.com/sluongng/status/2060746160558543217#m

[–] tatterdemalion@programming.dev 16 points 1 day ago* (last edited 1 day ago) (1 children)

Guys. This problem is solved already. Landlock, bubblewrap, UNIX DAC.

[–] nymnympseudonym@piefed.social 26 points 1 day ago

Nobody wants engineering solutions to human emotional venting

[–] KindaABigDyl@programming.dev 18 points 1 day ago* (last edited 1 day ago) (5 children)

I have this idea. It's taken from the Android world. In Android, apps all get their own user, and can only access their own filesystem. They are then added to groups like Sound or Files or whatever to gain access to other things. This is simplifying but gave me an idea.

So my idea is two parts:

We add more groups to our Unix and Unix-like codebases. Piecemeal access to different folders like a fs-docs group for access to /home/<whoever>/Documents
Each app, when installed, gets a user and a folder (maybe /opt/<pkgname> or /apps/<pkgname> and a group called app-<pkgname>). It requests during install (or maybe runtime via a permissions management application) access to specific groups for its user. Launching an app then becomes sudo -u app-<name> /opt/<pkgname>/<binname>.

You login as a user with access to limited permissions and then run the application. Thus you run it sandboxed but without special software like Flatpak or AppImage - just standard Unix groups.

Claude code I believe has its own sandboxing system, but with this system it would be the system itself restricting claude, not the claude code app, truly limiting accidental outreach.

I built a demo package manager using this concept a while back called 'bokspm,' though I kept it private (and now, my current job will not let me open source it)

[–] assaultpotato@sh.itjust.works 39 points 1 day ago* (last edited 1 day ago) (1 children)

Using cgroups for isolating processes into their own individual network, filesystem, user, etc. namespaces using a shared kernel?

You mean containers?

[–] KindaABigDyl@programming.dev 6 points 1 day ago* (last edited 1 day ago)

No my proposed solution uses the "everything-is-a-file" aspect of Unix-like systems with the built-in permissions systems around files. You don't need cgroups at all for what I'm suggesting

[–] verstra@programming.dev 11 points 1 day ago (2 children)

Well, these are some kind of lightweight container, no? But without isolating network, or /etc, /proc, /usr, /var or dbus.

I do agree that linux needs a notion of an "app" (isolated, with access only to its config and files you give it, and a small, well-designed set of APIs for interacting with the system). For coding agents, I think a better answer are development containers, because that would be needed to prevent npm/cargo/python build scripts from causing harm anyway.

[–] jaybone@lemmy.zip 4 points 1 day ago

Does AppArmor kind of do that? I recall recently struggling like fuck to give a torrent daemon app access to some script file I wanted it to run.

[–] KindaABigDyl@programming.dev 3 points 1 day ago

I'm not suggesting containers but rather running binaries natively, just as separate users. No cgroups or overhead. Just normal binary access, just you won't have access to all files (and since everything is a file, "all files" includes hardware as well)

[–] LodeMike@lemmy.today 8 points 1 day ago (1 children)

Flatpak

[–] KindaABigDyl@programming.dev 2 points 1 day ago* (last edited 1 day ago)

Overhead

And for a number of reasons this isn't like flatpak at all.

[–] Illecors@lemmy.cafe 2 points 1 day ago

You wouldn't even need sudo. Just suid the binary.

[–] truthfultemporarily@feddit.org 4 points 1 day ago

https://jai.scs.stanford.edu/

[–] akunohana@piefed.blahaj.zone 11 points 1 day ago

Let's keep it POSIX compliant with sh.

[–] kibiz0r@midwest.social 2 points 1 day ago

docker-sbx

Programmer Humor

Rules