Skip to content

security: run Fishnet as dedicated system user for process isolation#45

Open
iamyxsh wants to merge 1 commit intomainfrom
security/system-user-isolation
Open

security: run Fishnet as dedicated system user for process isolation#45
iamyxsh wants to merge 1 commit intomainfrom
security/system-user-isolation

Conversation

@iamyxsh
Copy link
Collaborator

@iamyxsh iamyxsh commented Mar 16, 2026

Summary

  • Run Fishnet as a dedicated _fishnet system user (macOS) / fishnet user (Linux) via LaunchDaemon/systemd system service instead of user-level LaunchAgent/systemd user service
  • Drop kSecAccessControlUserPresence from Secure Enclave key — OS user separation now protects the key, enabling fully autonomous signing without Touch ID prompts
  • Two-phase fishnet init with --system-only flag for clean system user setup before vault initialization
  • LaunchDaemon-aware fishnet stop using launchctl instead of PID-based SIGTERM

Why

A rogue AI agent running as the same OS user can read Fishnet's process memory via task_for_pid()/ptrace and extract signing keys. No userspace defense (mlock, zeroize, Secure Enclave UserPresence) prevents this. OS-level user separation is the only reliable isolation boundary.

Threat model

root          — human only, never an agent
_fishnet      — runs Fishnet daemon, owns keys + vault
agent_user    — AI agent, firewalled to localhost only

Setup flow

# 1. Create system user
sudo fishnet init --apply-system --system-only

# 2. Init vault as _fishnet
sudo -u _fishnet fishnet init \
  --master-password <pw> \
  --store-derived-key-in-keychain \
  --first-service openai --first-key sk-...

# 3. Install daemon
sudo fishnet service install --apply

Test plan

  • cargo check — compiles clean
  • cargo test — 245 tests pass, 0 failures
  • Manual: verify fishnet service install dry-run prints correct LaunchDaemon plist with UserName=_fishnet
  • Manual: verify fishnet init --system-only --apply-system creates _fishnet user and data dir
  • Manual: verify fishnet stop detects daemon plist and uses sudo launchctl unload
  • Manual: verify Secure Enclave key creation without UserPresence on macOS

🤖 Generated with Claude Code

@iamyxsh @claude
security: run Fishnet as dedicated _fishnet system user for process i…
68dfa6f 
…solation

AI agents running as the same OS user can read Fishnet's process memory
via task_for_pid/ptrace and extract signing keys. No userspace defense
(mlock, zeroize, Secure Enclave UserPresence) prevents this. This change
uses OS-level user separation as the isolation boundary instead.

Key changes:
- LaunchAgent → LaunchDaemon running as _fishnet user (macOS)
- systemd user service → system service with User=fishnet (Linux)
- Drop kSecAccessControlUserPresence from Secure Enclave key — user
  isolation now protects the key, removing the Touch ID prompt that
  blocked autonomous signing
- Two-phase init: --system-only creates the system user, then full init
  runs as _fishnet to set up vault/credentials
- cmd_stop detects daemon plist and uses launchctl instead of PID
- Service install/uninstall use sudo for system-level paths
- Linux env file for vault unlock in systemd EnvironmentFile

Threat model: root=human, _fishnet=daemon, agent_user=AI agent.
Root-as-agent is explicitly unsupported (industry standard).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@iamyxsh