logoalt Hacker News

vqtskayesterday at 2:49 PM13 repliesview on HN

I still don't understand the point of all these VMs and containers for agents. Just create a separate user on your machine without sudo privileges, switch to it in your terminal and run all the agents you want without it being able to reach your files. What am I missing?


Replies

killerstormyesterday at 3:04 PM

Privilege escalation (e.g. setuid), world-readable files might contain sensitive data, world-writeable files, unrestricted network access (including access to all locally running services)... If you have fully patched system without zero-days and it's configured in a perfect way, then, sure...

Container is quite like a "separate user" except you can explicitly define what it can access.

(Even if all your daemons have good auth, it's now quite common for _apps_ to open listening sockets without much auth...)

show 2 replies
matheusmoreirayesterday at 2:57 PM

You're missing the fact you'd be sharing a kernel with the sandboxed agent. Virtualization presents an infinitely smaller attack surface.

show 2 replies
bheadmasteryesterday at 2:51 PM

VMs and containers are fairly isolated and reproducible. A separate user on your machine still depends on the programs installed locally.

show 1 reply
3formyesterday at 2:56 PM

Well, for one, Debian and Debian-based distros make your home directory readable by everyone by default.

Security is riddled by traps. If you can afford best possible level of isolation, why not do it?

show 1 reply
bpavukyesterday at 2:52 PM

you can also simply use Landlock and bwrap on Linux. Pi even has a plugin for that https://pi.dev/packages/pi-landstrip

show 2 replies
celrenheityesterday at 3:47 PM

There are two sides to this. The first is security, which plenty of comments already covered. The second, and the real one for me: my tests spin up Docker containers, and I was building a Kubernetes tool (argocd/flux style) that needs a real cluster in the sandbox. In a container that means Docker-in-Docker, which always felt hacky. A VM is just a normal Linux box where Docker and k8s run like they do everywhere else. A separate user can't give you that, it shares your one kernel and whatever's already installed on the host.

schainksyesterday at 3:32 PM

There is a reason why VMs even are a thing at all: they can offer better security guarantees than alternatives.

A separate user is a good start but LLM tests themselves show they can cleverly bypass guardrails if they figure out they are in a sandboxed environment of some kind, right?

So, I read those test results as: an LLM is less likely to do something crazy if it thinks it has the whole environment to itself.

de6u99eryesterday at 3:10 PM

On my Mac, every sudo requires either my fingerprint or password, and times out immediately.

show 1 reply
throw1234567891yesterday at 3:15 PM

And why would I do that when I can create a vm from a snapshot and be done in 30 seconds?

augusto-mourayesterday at 3:10 PM

Mainly networking and namespaces, same reasons why we run services on docker instead of old multi-user setups

altcognitoyesterday at 2:51 PM

In a corporate environment they may not have that option

show 1 reply
TheRealPomaxyesterday at 3:21 PM

If you think those two contexts are equally secure, your machine is incredibly insecure and I hope you run daily incremental full system backups.

You have far too much data in unsecured locations, and you have far too little understanding of what an agent would do, to go "I trust whatever this user account will be doing on my machine".

petesergeantyesterday at 2:56 PM

am I doing that once per project, or?