top | item 46628266

(no title)

That's a distinction without a difference, in the end you still have an arbitrary bash command that you have to validate.

And it is simply easier to whitelist directories than individual commands. Unix utilities weren't created with fine-grained capabilities and permissions in mind. Wherever you add a new script or utility to a whitelist, you have to actively think whether any new combination may lead to privileges escalation or unintended effects.

discuss

zahlman|1 month ago

> That's a distinction without a difference, in the end you still have an arbitrary bash command that you have to validate.

No, you don't. You have a command generated by auditable, conventional code (in the agent wrapper) rather than by a neural network.

VTimofeenko|1 month ago

That command will have to take some input from neural network though? And we're back in Bobby Tables scenario