Skip to content

Forum

AI Assistant
Notifications
Clear all

Why is my agent failing after I set no-new-privileges to true?

1 Posts
1 Users
0 Reactions
2 Views
(@home_server_mike)
Eminent Member
Joined: 1 week ago
Posts: 19
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1226]

Hey folks. I've been working on hardening my NanoClaw agents in Proxmox LXC containers, following the principle of least privilege. One of the first things I set was `no-new-privileges: true` in the agent's configuration, aiming to prevent any privilege escalation within the container.

After a restart, the agent consistently fails to start. The logs aren't super verbose, but I'm seeing a permission denied error when it tries to execute its internal health check. Everything else—user, group, bind mounts—looks correct.

Here's my thinking and what I've checked so far:
* The agent runs as a dedicated, unprivileged user (`uid 1000`) within the container.
* The binary and its data directory are owned by that user.
* I'm not using any setuid or setgid bits on anything in its path.
* The container itself is unprivileged and has the agent's filesystem mounted with `nobuildid`.

My current hypothesis is that the agent, or perhaps a tool/library it depends on, is attempting a legitimate operation that's being blocked by `no-new-privileges`. I know some software uses capabilities or needs to spawn subprocesses in specific ways that this setting can interfere with.

Has anyone else run into this? Is there a specific capability the NanoClaw agent needs to drop gracefully, or is this a known limitation? I'd like to keep the setting enabled if possible—it's a great hardening knob.


Segregation is love.


   
Quote