Codex just found a "workaround" of not having sudo on my PC

 (twitter.com)

57 points | by thunderbong 43 minutes ago

9 comments

  • throwawaypath 19 minutes ago
    This has been a known Docker "feature" since the beginning, nothing new here. This pattern is used to configure host machines by some tools.
  • nialse 4 minutes ago
    This was of course dependent on yolo mode, but automatic approval has also been pulling stunts like this. A recent example is data that was purposely kept away from Codex in a folder far far away. When it found a single reference it just went for the data when having an issue. Lesson learned, keep essential data and Codex separated on different machines. Codex remote ssh actually helps here.
  • dbacar 4 minutes ago
    This is one of the main reasons people like Podman. Docker has this "feature" but as far as I remember, it needed some obscure configuration. I guess they don't add it as default as it will break many current setups.
  • unglaublich 24 minutes ago
    This is why you need either a rootless container setup or user namespaces to remap the container user to irrelevant host users. https://docs.docker.com/engine/security/userns-remap/

    Weak that this isn't the default.

  • jjmarr 22 minutes ago
    Every time I try to install Docker there's a warning that being in the "docker" group is equivalent to having root access.

    You should probably know about this workaround by now.

    [-]
    • Youden 14 minutes ago
      I think that's distro-specific. Some set it up with more secure defaults (unix socket with permissions), others less (TCP socket).
  • jmole 6 minutes ago
    clever girl...
  • tmaly 21 minutes ago
    this is the new GTD
  • alephnerd 29 minutes ago
    This is a classic attack path that was already captured by plenty of EDRs/XDRs/CWPPs a couple years ago.
    [-]
    • dangus 27 minutes ago
      Right, why is their login user in the docker group? Mine sure isn’t.
      [-]
      • oytis 23 minutes ago
        Rather, why do people still run agents as their own user. IMO, agent sessions should at least be containerised with just necessary code mounted.
        [-]
        • ssl-3 3 minutes ago
          Safety and simplicity are concepts that often won't get along very well with eachother.
        • throwaway613746 7 minutes ago
          People will more often than not, take the path of least resistance. Even if you tell them it's dangerous they will not care. People run this stuff on their primary workstation, unconfined, with permissions disabled because they don't want be bothered with accepting permission requests. This is all well and good until it decides to drop your production database or delete your home directory. Most of them don't even learn their lesson after that even.
      • unglaublich 23 minutes ago
        Convenience. Want to run `docker run ...` without password, want IDEs and agents to be able to run containers...
        [-]
        • tempest_ 12 minutes ago
          For most CRUD apps running in docker its enough to just tell the "agent" to use podman.
        • awoimbee 12 minutes ago
          Use podman then, or rootless docker if you can make it work
      • alephnerd 20 minutes ago
        Becuase a lot of devs don't know this stuff. There's a reason security engineers (as in SWEs who specialize in securing specific attack surfaces) remain in hot demand.
  • throwaway613746 10 minutes ago
    [dead]