You have an agent running on your local system. You want it to have access to a restricted set of things, both locally and remote. What is the technical mechanism you use to ensure that it has a subset of the access that you, as an individual logged into the same system, have?

(I am uninterested in "Don't run an agent" because, while yes, I see your point, that doesn't mean it's not happening, and security professionals have to deal with what's happening, not what we want to be happening)

@mjg59 This question gets even more fun when you'd like to give read access to an agent to enterprise services you otherwise have read/write access to. State of the art seems to be "carefully set up narrowly scoped API tokens for the services that support that", because constrained delegations of authority just aren't part of the overall identity management model, they're only present inside specific applications. (I don't have an answer, just the same and related questions)
@ancoghlan And then somehow ensure that the agent has no way to find the actual r/w token that exists somewhere on your system
@mjg59 @ancoghlan That's solved by pretty run-of-the-mill sandboxing, no? (Or are you saying that it's hard to find rules for filesystem read access that are narrow enough to exclude that and wide enough to actually allow access to everything it should be able to access?)
@robryk @ancoghlan I don't want an agent to be able to exfiltrate a token belonging to a tool the agent is executing
@mjg59 @ancoghlan

Ah, right. I assume the tool is executed as a subprocess. If so, there was some sort of sudo-over-UDS thing that could be adapted to still give the agent sameish interface to execute the tool, but to execute the tool outside of the sandbox the agent is in.
@robryk @mjg59 Ah, I missed mentioning one of my functional requirements: the end result needs to be executable by normal people so they don't reach for the "Eh, I'll just let the robot impersonate me with full access to everything I have access to" hammer. I'm trying *not* to see this as an inevitably doomed exercise, but at the moment I don't even know how *I'd* do it (beyond the tediously painful to set up "lots of fine-grained keys in a sandbox" approach), let alone help someone else do it.
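The broker idea raised in this thread (run the tool outside the agent's sandbox so the read/write token never enters it), sketched as an added example that is not code from any of the posters. The tool names, the `SVC_TOKEN` variable and the token value are constructed, and the broker runs as a thread here only to keep the sketch self-contained; a real setup would run it as a separate process outside the sandbox and hand the agent nothing but the socket.

```python
import json, os, socket, subprocess, sys, threading

SECRET = "constructed-rw-token-123"  # constructed sample; would live only in the broker
# Hypothetical allowlist: tool name -> fixed argv prefix the agent cannot alter.
ALLOWED = {
    "whoami-svc": [sys.executable, "-c",
                   "import os, sys; os.environ['SVC_TOKEN']; print('auth ok', sys.argv[1:])"],
    "leaky": [sys.executable, "-c", "import os; print(os.environ['SVC_TOKEN'])"],
}

def handle(request: dict) -> dict:
    """Broker side: validate the request, run the tool with the token, scrub output."""
    argv = ALLOWED.get(request.get("tool"))
    args = request.get("args", [])
    if argv is None or not all(isinstance(a, str) for a in args):
        return {"ok": False, "error": "tool not allowed"}
    # The token is injected here, into the tool's environment only.
    env = {"PATH": os.environ.get("PATH", ""), "SVC_TOKEN": SECRET}
    proc = subprocess.run(argv + args, env=env, capture_output=True,
                          text=True, timeout=10)
    # Best-effort redaction: a tool that encodes the token would still leak it.
    return {"ok": proc.returncode == 0,
            "stdout": proc.stdout.replace(SECRET, "[redacted]")}

def serve_one(conn: socket.socket) -> None:
    """Read one JSON line from the agent, answer with one JSON line."""
    with conn:
        request = json.loads(conn.makefile("r").readline())
        conn.sendall((json.dumps(handle(request)) + "\n").encode())

def agent_call(tool: str, *args: str) -> dict:
    """Agent side: talks to the broker over a Unix socket pair and gets only the reply."""
    broker_end, agent_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    worker = threading.Thread(target=serve_one, args=(broker_end,))
    worker.start()
    with agent_end:
        message = json.dumps({"tool": tool, "args": list(args)}) + "\n"
        agent_end.sendall(message.encode())
        reply = json.loads(agent_end.makefile("r").readline())
    worker.join()
    return reply

if __name__ == "__main__":
    print(agent_call("whoami-svc", "list"))  # allowed tool, runs with the token
    print(agent_call("leaky"))               # token scrubbed from the reply
    print(agent_call("rm", "-rf", "/"))      # not on the allowlist, refused
```

The allowlist and the redaction are only as strong as the tools behind them: any allowlisted tool that can be steered into printing or transmitting its credentials in another form defeats the scrub.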