Codex just found a "workaround" of not having sudo on my PC
thunderbong
478 points
222 comments
May 31, 2026
Discussion Highlights (20 comments)
alephnerd
This is a classic attack path that was already captured by plenty of EDRs/XDRs/CWPPs a couple years ago.
unglaublich
This is why you need either a rootless container setup or user namespaces to remap the container user to irrelevant host users. https://docs.docker.com/engine/security/userns-remap/ Weak that this isn't the default.
jjmarr
Every time I try to install Docker there's a warning that being in the "docker" group is equivalent to having root access. You should probably know about this workaround by now.
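The two host conditions raised in unglaublich's and jjmarr's comments above (membership in the `docker` group, and a daemon without user-namespace remapping) can be checked from a shell. The script below is an added example, not code from the thread: file paths are parameters and it is run here against constructed sample files, so on a real host you would point it at `/etc/group`, `/etc/docker/daemon.json` and `/etc/subuid` instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit docker-group membership and
# userns-remap, and show which host uid a container uid lands on when remapped.

# 0 if user $1 is listed in the "docker" group of group file $2 (root-equivalent).
in_docker_group() {
  grep -Eq "^docker:[^:]*:[0-9]+:([^:]*,)?$1(,[^:]*)?$" "$2"
}

# 0 if daemon.json $1 enables user-namespace remapping with a non-empty value.
userns_remap_enabled() {
  grep -Eq '"userns-remap"[[:space:]]*:[[:space:]]*"[^"]+"' "$1"
}

# Host uid that container uid $1 becomes under the subordinate-uid range of
# user $2 in subuid file $3; fails if no range exists or it does not cover $1.
host_uid_for() {
  range=$(grep "^$2:" "$3" | head -n1)
  [ -n "$range" ] || return 1
  start=$(echo "$range" | cut -d: -f2)
  count=$(echo "$range" | cut -d: -f3)
  [ "$1" -lt "$count" ] || return 1
  echo $((start + $1))
}

# One-word verdict for user $1 given group file $2 and daemon.json $3.
verdict() {
  if in_docker_group "$1" "$2" && ! userns_remap_enabled "$3"; then
    echo ROOT-EQUIVALENT
  elif in_docker_group "$1" "$2"; then
    echo REMAPPED
  else
    echo NOT-IN-DOCKER-GROUP
  fi
}

# Constructed sample files standing in for the real ones on a host.
SAMPLE=$(mktemp -d)
printf 'docker:x:999:alice,bob\nsudo:x:27:carol\n' > "$SAMPLE/group"
printf '{ "log-driver": "json-file" }\n' > "$SAMPLE/daemon.json"
printf '{ "userns-remap": "default" }\n' > "$SAMPLE/daemon-remap.json"
printf 'dockremap:100000:65536\n' > "$SAMPLE/subuid"

verdict alice "$SAMPLE/group" "$SAMPLE/daemon.json"        # ROOT-EQUIVALENT
verdict alice "$SAMPLE/group" "$SAMPLE/daemon-remap.json"  # REMAPPED
verdict carol "$SAMPLE/group" "$SAMPLE/daemon.json"        # NOT-IN-DOCKER-GROUP
host_uid_for 0 dockremap "$SAMPLE/subuid"                  # 100000
```

With remapping enabled, root inside the container (uid 0) is uid 100000 on the host, which is why the remap turns "docker group" from root-equivalent into something far less interesting.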
tmaly
This is the new GTD.
throwawaypath
This has been a known Docker "feature" since the beginning, nothing new here. This pattern is used to configure host machines by some tools.
jmole
clever girl...
nialse
This was of course dependent on yolo mode, but automatic approval has also been pulling stunts like this. A recent example is data that was purposely kept away from Codex in a folder far far away. When it found a single reference it just went for the data when having an issue. Lesson learned, keep essential data and Codex separated on different machines. Codex remote ssh actually helps here.
dbacar
This is one of the main reasons people like Podman. Docker has this "feature" but as far as I remember, it needed some obscure configuration. I guess they don't add it as default as it will break many current setups.
AlexCoventry
Run coding agents in a docker container with limited permissions. FWIW, I run it with --cap-drop=ALL --pids-limit=4096 --runtime=runsc
eddythompson80
It would be cooler if the LLM said something like:
> I noticed the machine doesn't have copy-fail patched, here is a quick workaround for not having root access for now.
> // TODO: find a better way to do this in the future.
felixgallo
You should not be using docker with LLMs. You should be using VMs, which have a much, much smaller attack surface than Docker, and significantly more reasonable defaults.
CSMastermind
I realize this is supposed to be a post about how scary the security vulnerabilities these agents will find are. But personally I love when agents do things like this and appreciate the help. Last thing in the world I want is for them to nerf the models.
notorandit
sudo can work non-interactively via settings in sudoers and sudoers.d. I am not sure about run0, but I would bet it has something similar. Using docker for such a task seems to me overly over-engineered. Or maybe I need more context there.
causal
I feel like everyone pointing out "known Docker vulnerability" is missing the point: the presence of a security hole should not be seen as permission to exploit. Another security hole would be storing your passwords in a plaintext file on the desktop. Stupid? Yes. But I still would not want my agent to assume permission to access email when it's being blocked by 2FA. Even in "bypass permissions" mode I expect it to pause and clarify and not behave as a paperclip maximizer.
vatsachak
Docker moment
krupan
I was playing with gemini-cli a couple months ago and I asked it to edit some files in a directory it didn't have permission to. It didn't say anything about the permissions, it just used sed to make the edits. The only reason I finally noticed is it had to do some trickier edits and it was struggling to write a python script to edit the files and I finally realized what it was doing. I wonder how many tokens that wasted.
okeuro49
Another surprising security feature regarding docker is that it bypasses firewall rules. https://oneuptime.com/blog/post/2026-03-02-ufw-docker-fix-by...
SonOfLilit
The interesting question is what was the user request. If the user asked it to restore the thing from backup, then sure, fine, why not. If the user asked it to debug an issue and somewhere in the process of debugging the LLM decided that it needed to override some file that was not easily writeable - hell no danger danger danger! Most likely the user did not expect it to have access to that without asking, and did not consent to it. Also, everything the LLM doesn't hesitate to do because the user asked, it won't hesitate to do because the prompt injection asked.
cavalrytactics
Should have used my AI Agent Guardrails. It's free. Check it out at sigmashake.com
garaetjjte
Getting closer to https://xkcd.com/416/