Hacker News
new|best

Allowlisting some Bash commands is often the same as allowlisting all

(joinformal.com)
18 points by drewgregory 20 hours ago|14 comments
zufallsheld 19 hours ago
Same thing for allowing specific sudo-commands. Many tools (like vim or the tools mentioned in the article) would have the same problem when allowing them to be run with root privileges.
denysvitali 18 hours ago
=> https://gtfobins.org/
illusive4080 13 hours ago
Some at work want to let me run sudo vim only to edit my hosts file. This is silly for a variety of reasons, one of them being that vim can allow the user to exec arbitrary commands. If you give me root for vim, just save me the trouble and let me have unrestricted root so I can do my job.
CableNinja 8 hours ago
I deal with some regulated things and some users who usually wouldnt be allowed to see/work on a thing are granted special access to do so, with extreme limitations. Recently i was approached asking if we could strip down the users desktops to no gui, no sudo, for use as a jumpbox. I explained why users need sudo to do what they need, and was asked about limiting sudo.

Its really tough to tell someone who is all about security (not linux security but regulatory security and such) that basically granting any bit of sudo access can lead to full access.

There is a way that this can be handled, but its honestly sort of an afterthought functionality. facls. You can delegate multiple owners/groups and permissions for things, and it can work well, but you have to deal with facls on multiple fronts, setting them for basically the entire system. facls are great, in theory, but they feel like such an afterthought that they are often ignored.

bauruine 10 hours ago
I had the same few years ago. When I pointed out that I can get full root with most of the whitelisted commands they answered "We know. It's not about security but to prevent lusers from accidentally rm -rf /* the server. Feel free to spawn a root shell. You obviously know what you do"
eqvinox 18 hours ago
everything is a container these days, and yet somehow collective-we don't manage to have AI agents run in a container layer on top of our current work, so we can later commit or rollback?
Neywiny 16 hours ago
I feel like if I ever used an agentic AI that's how I'd need it to be done. Too many cases of AIs getting access to files that it shouldn't. But then then, how do I allow it to look things up online without sending all my code to some scammer that prompt injected on a tutorial? I don't think I'll ever trust it with anything proprietary or otherwise less than publicly available.
iberator 13 hours ago
What do you mean?! Where? I would claim otherwise: 99% of software is not in the containers. Like 100% windows or debian software
pimlottc 18 hours ago
I know they’re just being through but the “go test” part is a bit “Pray, Mr Babbage”… Test code is just code. I know of no language where tests are sandboxed in any meaningful way.
sadnboxx 19 hours ago
Allowing a "command" (executable, I believe) that isn't a read-only absolute path is a fool's errand. I will modify PATH and run my own implementation of it.
hbogert 17 hours ago
> I really thought `eval` would not be abused on non validated input

    - your colleague, or you 1 year before.
teddyh 19 hours ago
“…with Claude Code”
extraduder_ire 18 hours ago
The same caveats would apply to most kinds of restricted shell environments.
adastra22 19 hours ago
Are there any agent permission systems that do this correctly?