Codex just found a “workaround” of not having sudo on my pc…
Positive users praise Codex's Docker bind mount trick as clever and resourceful, while negative users criticize it as a security vulnerability and call Docker flawed.

@sluongng Good. Passwordless sudo is the only sensible config

@sluongng This is why I don’t even make a user and just run as root

@sluongng Not like there is a big ass warning in the docs
https://docs.docker.com/engine/install/linux-postinstall/

@sluongng 😨

@sluongng That's another reason to keep running podman rootless
Thank you for sharing.

@sluongng Eerily clever 😁

@sluongng Nice. Docker requires root (or docker group membership, which is effectively root-like) by default for the daemon and many operations, which means larger risks for privilege escalation and container escapes. Podman makes more secure options the out-of-the-box experience.

You should always install rootless docker whenever possible, it can be a pain in the ass but worth it. Don’t ever let an AI agent run unattended on a system that doesn’t have rootless docker set up. It’s a classic privesc vector and in my experience most LLMs will try it fairly quickly when hyper fixating on completing the task.
https://docs.docker.com/engine/security/rootless/

@sluongng The way it just casually explained what it did is scarier than the actual exploit

@sluongng That’s why everyone should default to use Podman instead of Docker.

@sluongng Training data. Stack overflow.
https://stackoverflow.com/questions/41991905/docker-root-access-to-host-system

@sluongng Another reason to use Podman. Even though Docker warns about that in the docs if my memory serves.

@sluongng @provisionalidea This is well known, and Docker’s own docs explicitly warn about it.
The solution is to use per-agent VMs, or at a minimum, run Docker in a mode where containers can’t write to your host as root.
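
The replies above about docker group membership and rootless mode come down to one check before an agent is left unattended; this is an added example, not part of the thread or of Docker's own tooling. The function names are assumptions made for illustration, and `/var/run/docker.sock` is assumed to be the rootful daemon's default socket path.

```sh
#!/bin/sh
# Added example (not from the thread): does this account have root-equivalent
# access to the host through a rootful Docker daemon?

# has_docker_group "<space-separated group names>", e.g. the output of `id -nG`
has_docker_group() {
  for g in $1; do
    [ "$g" = "docker" ] && return 0
  done
  return 1
}

# is_rootless "<SecurityOptions>", e.g. from `docker info --format '{{.SecurityOptions}}'`
is_rootless() {
  case "$1" in
    *name=rootless*) return 0 ;;
    *) return 1 ;;
  esac
}

# assess "<groups>" "<security options>" "<socket writable: yes|no>"
# Prints RISK when the account can drive a daemon that runs as root.
assess() {
  if is_rootless "$2"; then
    echo "OK: daemon is rootless, containers act with this user's permissions only"
  elif has_docker_group "$1" || [ "$3" = "yes" ]; then
    echo "RISK: account controls a rootful daemon, containers can write to the host as root"
  else
    echo "OK: account cannot reach the rootful daemon"
  fi
}

# live_assess: gather the three inputs from this machine (needs the docker CLI).
live_assess() {
  sock=/var/run/docker.sock   # assumed default rootful socket path
  writable=no
  [ -w "$sock" ] && writable=yes
  opts=$(docker -H "unix://$sock" info --format '{{.SecurityOptions}}' 2>/dev/null || true)
  assess "$(id -nG)" "$opts" "$writable"
}

if [ "${1:-}" = "--live" ]; then live_assess; fi
```

Run it with `--live` as the account the agent will use; a `RISK` line means that account should be treated as root on the host.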

This is not funny, this is a vulnerability. Codex generated code that bypasses security constraints. The workaround probably uses a shell trick like "chmod 777 /etc/sudoers" or runs via a subprocess that doesn't check permissions. Teams copy-paste this and wonder why their security audit fails in three months.

the part that stays with me is that the agent figured out sudo-adjacent paths from context. nobody hardcoded that workaround. it means your security model is fighting against the model's general intelligence, not against a static rule set. this gets harder, not easier, as models improve

@sluongng This is why we don't use docker

@NavinFS @sluongng The sane defaults at the OS level seem to be working. On top of that, the engineers still let people fall back on 2FA and device deregistration when their complacency catches up to them. Your OS has encryption, credentials store with biometrics and presence detection. Slop that.

@sluongng scary

@vanities @sluongng Separate LXCs per purpose on proxmox, let her rip

@NavinFS @sluongng You can link your phone to your pc so that it automatically locks when your phone is out of range of your wifi/bluetooth.

I'd call that a bug of docker. Docker encourages users and agents to give root access to normal linux users in order to use it.
This kind of bug used to be kind of ok when you'd expect few people to get into that situation "thanks" to knowledge gate keeping.
Now it's a much more widespread situation and so it should be fixed.
