Skip to content

fix(codex-code): don't pre-disable sudo on codex-review job#80

Merged
nsportsman merged 2 commits into
mainfrom
fix/codex-review-harden-runner-sudo
May 30, 2026
Merged

fix(codex-code): don't pre-disable sudo on codex-review job#80
nsportsman merged 2 commits into
mainfrom
fix/codex-review-harden-runner-sudo

Conversation

@nsportsman

Copy link
Copy Markdown
Contributor

Problem

Every Codex PR Review check that actually runs (i.e. on a real code PR, not a docs-only one preflight skips) has been failing org-wide:

responses-api-proxy did not write server info
sudo: a terminal is required to read the password ...
sudo: a password is required
##[error]Process completed with exit code 1

Examples: praetorian-inc/augustus#135, praetorian-inc/pius#72.

Root cause

The codex-review job ran Harden-Runner with disable-sudo-and-containers: true — added in #56 (v2.1.0) and applied uniformly to all 22 Harden-Runner instances as a CVE-2025-32955 baseline. But openai/codex-action manages sudo itself. Its action.yml:

  1. sudo chmod 444 $SERVER_INFO_FILE / sudo chown root $SERVER_INFO_FILE — locks the responses-api-proxy server-info file as root
  2. sudo sysctl … (userns) — "runs before drop-sudo"
  3. Drop sudo privilege — irreversibly removes sudo via safety-strategy: drop-sudo
  4. then runs the untrusted Codex CLI

The action requires passwordless sudo at job start so it can lock resources and then drop it. Harden-Runner's disable-sudo-and-containers: true kills sudo first, so step 1's sudo chmod fails → exit 1 before any review happens.

This is the one job (of the 22) whose action self-manages sudo, so the blanket #56 change broke it. main's green codex checks are false-green — they're preflight skips (^\.github/ is in SKIP_RE); the codex job hasn't actually executed since.

Fix

Set disable-sudo-and-containers: false on the codex-review job only, with an inline comment documenting the trap. Security posture is preserved:

  • safety-strategy: drop-sudo already gives the equivalent guarantee (irreversibly removes sudo before untrusted Codex runs — blocks reading OPENAI_API_KEY via /proc/*/environ).
  • Only trusted first-party steps run during the window where sudo exists (Harden-Runner, checkout persist-credentials:false, the memory-only auth pre-fetch, proxy setup). Codex runs only after drop-sudo.
  • The post-feedback job (which never runs codex-action) keeps disable-sudo-and-containers: true.

Verification

  • python3 -c yaml.safe_load + actionlint clean on the changed file.
  • End-to-end: verified the codex-review job runs past the sudo lockdown with this change (see linked verification run in a comment below).

Rollout note

Fixing this reusable does not unblock callers by itself — they pin @7c1302b (v2.1.0). After this merges and auto-tags, caller pins must be bumped to the new SHA (ENG-3079 sweep). Do not merge #44 (remove .github/ from SKIP_RE) before this lands, or every workflow-touching PR would start hitting the bug.

🤖 Generated with Claude Code

The codex-review job ran Harden-Runner with `disable-sudo-and-containers: true`
(added in #56 / v2.1.0, applied uniformly to all 22 instances). But
openai/codex-action manages sudo itself: it runs `sudo chmod 444` / `sudo chown
root` to lock its responses-api-proxy server-info file, then irreversibly drops
sudo via `safety-strategy: drop-sudo` before the untrusted Codex CLI runs.

With sudo pre-disabled by Harden-Runner, that chmod fails with "sudo: a password
is required" and the action exits 1 before any review runs. This broke every
caller pinned to v2.1.0+ whenever a real (non-docs) PR actually invoked Codex —
e.g. praetorian-inc/augustus#135, praetorian-inc/pius#72.

Fix: set `disable-sudo-and-containers: false` on the codex-review job only and
document why. `safety-strategy: drop-sudo` already provides the equivalent
secret-protection guarantee (removes sudo before untrusted code runs). The
post-feedback job (no codex-action) keeps `disable-sudo-and-containers: true`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented May 30, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@nsportsman, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 33 minutes and 40 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 43086250-bd41-4974-a27d-8bf4dc477730

📥 Commits

Reviewing files that changed from the base of the PR and between de466a5 and 438ecea.

📒 Files selected for processing (1)
  • .github/workflows/codex-code.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/codex-review-harden-runner-sudo

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions

Copy link
Copy Markdown

Gemini review skipped — non-code PR (only changed files matching docs/**, .github/**, .claude-plugin/**, *.md, *.txt, images, or license-like files). Post @gemini on a review comment to force a review.

@github-actions

Copy link
Copy Markdown

Claude review skipped — non-code PR (only changed files matching docs/**, .github/**, .claude-plugin/**, *.md, *.txt, images, or license-like files). Post @claude on a review comment to force a review.

@github-actions

Copy link
Copy Markdown

Codex review skipped — non-code PR (only changed files matching docs/**, .github/**, .claude-plugin/**, *.md, *.txt, images, or license-like files). Post @codex on a review comment to force a review.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9220579048

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

# guarantee (blocks reading OPENAI_API_KEY via /proc/*/environ). Only trusted
# first-party steps run while sudo exists; Codex runs only after it's dropped.
# The post-feedback job (no codex-action) keeps disable-sudo-and-containers.
disable-sudo-and-containers: false

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Keep container access disabled for Codex

In the default codex-review path, this turns off the combined Harden-Runner control for both sudo and containers, but openai/codex-action's drop-sudo only removes the runner user's sudo/admin membership; it does not remove Docker/containerd socket access. StepSecurity documents disable-sudo-and-containers as the mitigation that removes Docker/containerd access because a runner user with Docker access can start a privileged container and mount the host filesystem to regain root. A same-repo PR that prompt-injects Codex into invoking Docker can therefore bypass the intended drop-sudo/read-only protection and read host files or process secrets before the review output is posted, so this job needs a way to preserve the container lockdown rather than disabling the combined control entirely.

Useful? React with 👍 / 👎.

@nsportsman

Copy link
Copy Markdown
Contributor Author

Verification (end-to-end) ✅

This PR only touches .github/, so its own codex check is preflight-skipped (^\.github/SKIP_RE). To actually exercise the fix I opened a throwaway PR (#81) carrying this exact change plus a dummy .json so preflight returns has_code=true and the codex-review job runs against the patched codex-code.yml@refs/pull/81/merge.

Result (run 26695306474):

Check Before (v2.1.0, sudo disabled) After (this fix)
codex-review / codex-review ❌ ~30s — sudo: a password is required at sudo chmod 444 $SERVER_INFO_FILE pass (1m16s)
codex-review / post-feedback n/a (never reached) pass — review posted

Log evidence: the sudo chmod 444 / sudo chown root server-info lockdown step ran and proceeded directly to read-server-info → drop-sudo → Codex, with no password error. #81 has been closed and its branch deleted.

(The claude-code-action failure on #81 / the original PRs is a separate, unrelated issue: Anthropic Credit balance is too low — org billing, not this workflow.)

…review

Addresses review feedback on #80: re-enabling sudo via
`disable-sudo-and-containers: false` (needed because codex-action chmod/chown-
locks its proxy server-info file then drops sudo itself) ALSO re-enabled
container access, because Harden-Runner has no container-only control and
codex-action's drop-sudo strips the runner's sudo/admin group but not its
`docker` group. That reopened CVE-2025-32955: a prompt-injected Codex could
`docker run --privileged -v /:/host` to regain root before review output posts.

Fix: add a dedicated step that stops+masks docker/containerd and removes the
docker socket, running while sudo is still available and BEFORE Codex executes.
After codex-action drops sudo, Codex has neither sudo nor a container runtime —
restoring the container half of the lockdown without breaking the sudo the
action requires (all codex-action versions still need it). The step logs
evidence (socket removed, daemon unreachable) before the review runs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@nsportsman

Copy link
Copy Markdown
Contributor Author

@chatgpt-codex-connector confirmed accurate — thanks, this was a real regression, fixed in 438ecea.

Verified the chain against primary sources:

  • CVE-2025-32955 (NVD / Sysdig / GHSA-mxr3-8whj-j74r): Harden-Runner's sudo-disable removes the runner from sudoers, but since the runner user is in the docker group it can still reach the Docker daemon to launch a privileged container and mount the host FS to regain root. disable-sudo-and-containers is the remediation (removes Docker socket access + uninstalls Docker).
  • codex-action (v1.6/v1.7/v1.8): drop-sudo runs drop-sudo --user runner --group sudo — strips the sudo/admin group only, never docker. So you're right: drop-sudo does not close the container path. (All versions still require sudo for the server-info chmod/chown, so there's no action bump that lets us keep the combined control.)
  • Harden-Runner (v2.19.0): only disable-sudo (deprecated) and disable-sudo-and-containers exist — no container-only option. So re-enabling sudo for codex-action unavoidably re-enabled containers too.

Fix: keep disable-sudo-and-containers: false (codex-action needs sudo), but add a dedicated step that stops+masks docker/containerd and removes the socket before Codex runs, while sudo is still available. After codex-action drops sudo, Codex has neither sudo nor a container runtime.

Evidence (clean passing run 26695884656, with the step in place before Run Codex):

docker.socket: inactive
containerd:    inactive
OK: docker socket removed
OK: docker daemon unreachable

Lock down container runtime = success, Run Codex = success, post-feedback = success.

@chatgpt-codex-connector

Copy link
Copy Markdown

To use Codex here, create an environment for this repo.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant