Readit News
saltypal commented on Show HN: Yolobox – Run AI coding agents with full sudo without nuking home dir   github.com/finbarr/yolobo... · Posted by u/Finbarr
carshodev · a month ago
Is there any way to do this with user permissions instead?

I feel like it should be possible without having to run a full container?

Any reason we cannot setup a user and run the program using that user and it can be contained to only certain commands and directory read write access?

saltypal · a month ago
Check out https://github.com/anthropic-experimental/sandbox-runtime, which tackles this problem using the built-in userspace sandboxing on macOS and Linux.

I run Claude from a mounted volume (but no reason you couldn't make a user for it instead) since the Deny(~) makes it impossible to run from the normal locations.

    export CLAUDE_CONFIG_DIR=/Volumes/Claude/.claude

Minimal .claude/settings.local.json:

    {
      "permissions": {
        "allow": [
          "Read(/)",
          "Read(~/.claude/shell-snapshots/*)",
          "WebSearch",
          "WebFetch(domain:example.com)"
        ],
        "deny": [
          "Read(~)",
          "Write(/.claude/settings.local.json)",
          "Write(/method_filter.py)"
        ]
      },
      "sandbox": {
        "enabled": true,
        "autoAllowBashIfSandboxed": true,
        "allowUnsandboxedCommands": false,
        "network": {
          "allowLocalBinding": true,
          "httpProxyPort": 9655
        }
      }
    }
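
A small linter for a settings file like the one quoted in the comment above, added here as an example (it is not part of the comment or of the sandbox-runtime project). The checks are assumptions read off that config: the sandbox is on, Bash is auto-approved only when unsandboxed commands are refused, the home directory is denied, and the agent cannot rewrite its own policy file. `audit_settings` and `SAMPLE` are constructed names.

```python
import json

# Constructed sample that mirrors the settings quoted in the comment.
SAMPLE = """{
  "permissions": {
    "allow": ["Read(/)", "WebSearch", "WebFetch(domain:example.com)"],
    "deny": ["Read(~)", "Write(/.claude/settings.local.json)"]
  },
  "sandbox": {
    "enabled": true,
    "autoAllowBashIfSandboxed": true,
    "allowUnsandboxedCommands": false
  }
}"""

def audit_settings(text):
    """Return a list of findings; an empty list means every check passed."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # Catches paste damage such as a stray backslash escape in a rule.
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    findings = []
    sandbox = cfg.get("sandbox", {})
    perms = cfg.get("permissions", {})
    allow, deny = perms.get("allow", []), perms.get("deny", [])
    if sandbox.get("enabled") is not True:
        findings.append("sandbox.enabled is not true")
    # Assumption: a missing allowUnsandboxedCommands is treated as permissive.
    if (sandbox.get("autoAllowBashIfSandboxed")
            and sandbox.get("allowUnsandboxedCommands") is not False):
        findings.append("Bash auto-allowed while unsandboxed commands are permitted")
    if "Read(~)" not in deny:
        findings.append("home directory is readable: no Read(~) deny rule")
    # The agent should not be able to rewrite the policy that confines it.
    if not any(r.startswith("Write(") and r.rstrip(")").endswith("settings.local.json")
               for r in deny):
        findings.append("no deny rule protects settings.local.json from writes")
    # Assumption: a WebFetch rule without a domain: scope is unrestricted.
    for rule in allow:
        if rule.startswith("WebFetch") and "domain:" not in rule:
            findings.append(f"unrestricted WebFetch rule: {rule}")
    return findings

if __name__ == "__main__":
    print(audit_settings(SAMPLE) or "all checks passed")
```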

saltypal commented on Ask HN: Who is hiring? (January 2026)    · Posted by u/whoishiring
saltypal · a month ago
Eleos Technologies | DNS Consulting | REMOTE (US) | Contractor

We build mobile apps and supporting systems for long-haul truck drivers.

We have a critical DNS registrar/hosting migration to do this year and while I did the last one (on a less-critical domain), I'd really like support from someone who has done >5 of these to help our team get it right. Good news: no DNSSEC. =)

Please reach out to me at phil@eleostech.com and mention this post if this is you and you have a reference or two. It should be a really easy project for the right person, but we'll compensate commensurate with the business risk.

saltypal commented on Load-time relocation of shared libraries (2011)   eli.thegreenplace.net/201... · Posted by u/saltypal
saltypal · 4 months ago
With two[1] other[2] great articles about the guts of how programs _actually_ get loaded and run, I was reminded of the above great (multi-part) article, which I remember reading on the subway in tiny chunks and being surprised it ever works at all.

My CS degree was from a liberal arts university, and while I wouldn't trade anything for the coverage of ethics, previous AI bubbles/winters, and my time in the business and mathematics departments, these articles along with the glibc author's What Every Programmer Should Know About Memory[4] rounded out my education. I still make use of concepts from both when profiling and debugging programs.

[1]: https://news.ycombinator.com/item?id=45706938

[2]: https://news.ycombinator.com/item?id=45706380

[3]: https://www.cs.dartmouth.edu/sergey/cs108/ABI/UlrichDrepper-...

[4]: https://people.freebsd.org/~lstewart/articles/cpumemory.pdf

See also: https://stackoverflow.com/questions/8126311/how-much-of-what...

saltypal commented on Rubygems.org AWS Root Access Event – September 2025   rubycentral.org/news/ruby... · Posted by u/ilikepi
saltypal · 4 months ago
Putting myself in Arko’s shoes, I can imagine (charitably!) the following choice, realizing that I still have access and shouldn’t:

1. Try to get in touch, quickly, with someone with the power to fix it and explain what needs to be rotated.

2. Absent 1, especially if it cannot be done quickly, rotate the credentials personally to get them back to a controlled state (by someone who actually understands the security implications) with the intent to hand them off. Especially if you still _think_ of yourself as responsible for the infrastructure, this is a no-brainer compared to letting anyone else who might be in the same “should have lost access but didn’t, due to negligence” maintain access.

Not a legal defense, but let’s not be too hasty to judge.

saltypal · 4 months ago
I hadn't yet seen it when I wrote this, but 2 is pretty much exactly what Arko says:

> Worried about the possibility of hacked accounts or some sort of social engineering, I took action as the primary on-call engineer to lock down the AWS account and prevent any actions by possible attackers.

https://andre.arko.net/2025/10/09/the-rubygems-security-inci...

saltypal commented on Rubygems.org AWS Root Access Event – September 2025   rubycentral.org/news/ruby... · Posted by u/ilikepi
tptacek · 4 months ago
Presuming, as a group full of security peers kibitzing about this in a chat right now all do, that the "unauthorized actor" here is Andre Arko, this is Ruby Central pretty directly accusing Arko of having hacked Rubygems.org; it depicts what seems to be a black letter 18 USC 1030 violation.

Any part of this narrative could be false, but I don't see a way to read it and take it as true where Arko's actions would be OK.

saltypal · 4 months ago
Putting myself in Arko’s shoes, I can imagine (charitably!) the following choice, realizing that I still have access and shouldn’t:

1. Try to get in touch, quickly, with someone with the power to fix it and explain what needs to be rotated.

2. Absent 1, especially if it cannot be done quickly, rotate the credentials personally to get them back to a controlled state (by someone who actually understands the security implications) with the intent to hand them off. Especially if you still _think_ of yourself as responsible for the infrastructure, this is a no-brainer compared to letting anyone else who might be in the same “should have lost access but didn’t, due to negligence” maintain access.

Not a legal defense, but let’s not be too hasty to judge.

saltypal commented on Google Cloud Incident Report – 2025-06-13   status.cloud.google.com/i... · Posted by u/denysvitali
jitl · 8 months ago
Kotlin is very easily adoptable in existing Java systems and is much safer (although not guaranteed safe)

Zig is fairly easy to adopt in existing C systems and is guaranteed null safe (although not use after free safe)

Rust, although quite safe, bears a fairly high adoption cost as existing code often cannot be ported directly.

Borgo (https://github.com/borgo-lang/borgo) is a nil safe language that compiles to Go, so is easily adoptable in existing Go systems.

saltypal · 8 months ago
I would only partially agree that Kotlin is "much safer."

As one example, I just learned (by way of a nasty production app crash) that Kotlin chose to make all checked exceptions silently unchecked. Kind of a stunning own-goal for a language from 2010.

u/saltypal

Karma: 259 · Cake day: December 10, 2016
About
Let's talk about working at Eleos Technologies! Email me at phil@eleostech.com.

No recruiters or consulting agencies, thanks.
