sudo on risky machine - passwordless or not?

By the way, regarding the risk of wiping the FS: does FreeBSD have something similar to UnionFS? I used that long ago to make a staging version of a production website. It basically allowed me to use the production uploaded files as a base directory made available read-only to the staging website as well, but another directory was mounted on top of it transparently through UnionFS, and was receiving any write (adding of new files, changing of files, and even deleting files). The resulting directory looks like changes were made to it, but the read-only base layer is actually never changed.

Maybe it could be used for isolating an agent? That way, it can screw up as hard as it can, it would cause no damage to the underlying system. It may be a bit brutal to make a UnionFS from the whole root directory, though. 😅 And also of course, you would need to figure out a way to prevent the agent from unmounting it.
 
FreeBSD has unionfs but it is supposedly buggy. There have been some updates in the last few months but I haven't used it. The plan9 version is far simpler and bug-free, but it doesn't do a few things one might expect (for example, if you remove a file from an upper layer, there is no "whiteout" file to hide a file of the same name in a lower layer). On the other hand the FreeBSD version is a bit over-engineered (IMHO. For example the whiteout files!). Don't know anything about Linux unionfs.
 
From what I have seen I wouldn't rule out that an LLM could turn destructive without the authors doing anything along those lines. Some Discord conversations between the agents were pretty insane.

Fear not, LLMs are but great writers. They detect context perfectly well and respond to it even better, but they are always just continuing a story; they don't have motivations beyond that; they just write the next chapter so it keeps the tone and makes the most sense possible.

Of course, if you connect an LLM to the nuclear button, it's quite probable that the button gets pressed sooner or later because the story, the novel the LLM is always writing, requires it at some point. If that were to happen, though, it would be the fault of the idiot who connected the nuclear button to a roulette wheel.

Fear idiots, yes; those you can fear.

 
Just a thought... years ago, I used to load the entire filesystem into RAM, remove the boot media, and run the whole box from a ramdrive. That kind of guarantees that anything it tries to change on the machine disappears when the power is switched off. That was using a FreeBSD variant called Frenzy ( http://frenzy.org.ua ), which provided a TORAM boot option (a la Knoppix) which made it easy to set up. But Frenzy seems to be defunct now, and I don't know how to set that up with standard FreeBSD, although I'm sure it's possible with some work. About the only other hardware on the machine it can write to is the BIOS flash memory, so it wouldn't protect you if they have code that writes to the machine flash. Or you could run the whole machine from read-only media like a DVD (GhostBSD?), although that's going to be slow. Of course this doesn't help you if the thing decides to start misbehaving while it's actually running, which is probably the main risk.

In fact it would probably be simpler nowadays just to get a cheap SSD and bin it after use to avoid the risk that it's left any kind of exploit behind. If you cost your time, it's probably cheaper doing that than going to the trouble of working out how to run everything in RAM. Although that would be an interesting exercise.
 
Which makes me wonder… how far could we get using a root partition mounted read-only, and mounting a read-write home for the agent? It would require additional read-write mounts of course, for things like /tmp or /var/log or socket directories, but are there that many? Probably a RAM filesystem can be used for those. And when you want to update your system, you boot a live USB, change the fstab to make the root fs writable again, reboot to perform your updates without the agent running, switch the fstab line back to ro, reboot. That's a bit involved, but if you stick to a quarterly upgrade, that could be manageable. And then, you can decide to mount rw some specific directories you have backed up and want the agent to be able to edit, like /usr/local/etc/.
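A check for the layout described above, added here as an example and not taken from any post in the thread: it parses FreeBSD-style `mount` output (a constructed sample, so it runs offline), confirms that `/` is read-only, and reports writable mountpoints outside an assumed allow-list (the agent's home at `/home/agent`, devfs, and the tmpfs scratch directories; all of these names are assumptions).

```shell
#!/bin/sh
# Added example: verify the read-only-root layout from the post above.
# Assumptions (not from the thread): the agent's home is /home/agent and the
# only other writable mounts are devfs and tmpfs scratch directories.
ALLOWED_RW="/dev /tmp /var/log /var/run /home/agent"

# Constructed sample of FreeBSD `mount` output; not captured from a real host.
# /usr/local/etc is deliberately left read-write to show the check firing.
SAMPLE_MOUNT='/dev/ada0p2 on / (ufs, local, read-only)
devfs on /dev (devfs)
tmpfs on /tmp (tmpfs, local)
tmpfs on /var/log (tmpfs, local)
tmpfs on /var/run (tmpfs, local)
/dev/ada0p4 on /home/agent (ufs, local, soft-updates)
/dev/ada0p3 on /usr/local/etc (ufs, local, soft-updates)'

# List writable mountpoints, one per line. FreeBSD prints "read-only" in the
# option list of read-only filesystems; any mount without it is writable.
writable_mounts() {
    printf '%s\n' "$1" | awk '$2 == "on" && $0 !~ /read-only/ { print $3 }'
}

# Succeed only if "/" is mounted read-only.
root_is_ro() {
    printf '%s\n' "$1" |
        awk '$2 == "on" && $3 == "/" && /read-only/ { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Print writable mountpoints missing from ALLOWED_RW; return 1 if any were found.
unexpected_rw() {
    found=0
    for mp in $(writable_mounts "$1"); do
        ok=0
        for a in $ALLOWED_RW; do
            [ "$mp" = "$a" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "$mp"
            found=1
        fi
    done
    return $found
}

# On a live host, replace "$SAMPLE_MOUNT" with "$(mount)".
root_is_ro "$SAMPLE_MOUNT" || echo "WARNING: / is not read-only"
unexpected_rw "$SAMPLE_MOUNT" | sed 's/^/unexpected read-write mount: /'
```

Run it from a cron job or at login and the only expected output is an empty line set; anything else is a mount that drifted from the policy.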
 
It is not airgapped. What I mean is it doesn't have anything important on it and is dedicated to the messy tasks. It is in fact PXE booted, with a local disk only for the models. Snapshots and diffing of snapshots happen on the server. The machine has no access to the snapshots.

It's a desktop, so no mics or cameras around.

Sounds like you've pretty much got it covered.
 
FreeBSD actually works fine with readonly filesystems. Things like logging will fail, and it can't write a new /etc/resolv.conf etc., but it will still run fine.

With my NFS boot readonly would be easy to implement. But I don't want to cripple the machine too much.

You could also audit every write. An LLM isn't supposed to write, so every write occurring would be worth a look. After you kill logging etc.
 