CONCEPT Cited by 1 source
Agent with root shell¶
Definition¶
Agent with root shell is a coding-agent deployment posture where the LLM agent's capability surface is a full Linux shell with root privileges, not a narrow allowlist of pre-enumerated tools. The agent can install packages, edit arbitrary files, start background services, probe the filesystem, and run any binary the environment ships — the whole Linux environment is its tool surface.
Containment comes from the environment perimeter (a disposable VM, typically a Firecracker-class micro-VM), not from a narrow per-tool permission system inside a long-lived runtime.
Canonical wiki statement¶
Fly.io, 2025-06-20, on Phoenix.new:
A fully isolated virtual machine means Phoenix.new's fingernails can get arbitrarily dirty. If it wants to add a package to
mix.exs, it can do that and then runmix phx.serverormix testand check the output. Sure. Every agent can do that. But if it wants to add an APT package to the base operating system, it can do that too, and make sure it worked. It owns the whole environment.(Source: sources/2025-06-20-flyio-phoenixnew-remote-ai-runtime-for-phoenix)
The load-bearing phrase is "it owns the whole environment." The agent doesn't have a list of allowed tools; it has a shell.
Why this works (when it works)¶
- The environment is ephemeral. Any damage the agent causes evaporates at session end. See concepts/ephemeral-dev-environment + patterns/disposable-vm-for-agentic-loop.
- Hardware-level isolation bounds the blast radius. Fly Machines are Firecracker micro-VMs — the agent can root the guest and that's fine because the guest is a KVM-isolated VM the tenant doesn't share with anyone.
- The agent's goal is code. For a coding agent, the "full
Linux environment" is the natural tool surface. Every tedious
setup step a narrow-tool agent would have to be granted
explicit permission for (install Postgres client, add apt
package for
imagemagick, adjustLD_LIBRARY_PATH) is just what a developer would do in a shell.
Contrast with adjacent postures¶
vs narrow-tool / capability-scoped agents¶
concepts/capability-based-sandbox (Cloudflare Project Think, EmDash Dynamic Workers) reaches safety by scoping what the agent can do inside the runtime to a declared capability manifest. The runtime is long-lived; the perimeter is fine-grained.
Agent-with-root-shell reaches safety by making the whole environment disposable. The perimeter is coarse-grained (VM boundary), and the agent's freedom inside is maximal.
Both answer "how do you let an agent run arbitrary code safely." They're not in opposition; they occupy different points on the trade-off curve:
| Axis | Capability sandbox | Agent with root shell |
|---|---|---|
| Perimeter granularity | Fine (per-capability) | Coarse (VM boundary) |
| Environment lifetime | Long-lived | Ephemeral |
| Setup overhead | Declare + grant capabilities | apt install |
| Multi-tenancy density | High (many tenants / runtime) | One tenant / VM |
| Blast radius of escape | Runtime compromise → host | VM escape → host |
| Best fit | Serving untrusted code | Serving an agent that needs full tooling |
vs tool-allowlisted agents¶
Many coding agents (Cursor agent, Aider, Codex CLI) are
capability-granted at the host level ("can run npm install
with user confirmation"). Same distinction: they're safe because
the host is the user's laptop and confirmations gate each
mutation; Phoenix.new's agent is safe because the host is a
disposable VM.
Caveats¶
- VM escapes still matter. "The VM is disposable" doesn't help if the agent escapes the VM. Firecracker's small attack surface makes this much less likely than for general-purpose hypervisors, but it's still the threat model.
- Network reach within the session window. The agent has root in the VM, which means it has the VM's network posture. Fly.io Machines have WireGuard reach into the org's private network. If the session is authorised to talk to a production DB, a compromised agent within the session window can too.
- Credential scoping matters more, not less.
ghtokens, cloud-provider keys, DB credentials inside the VM are not walled off by the runtime; they're in the root shell. Scoping these to just this session is load-bearing. - Context-window cost. The agent's tool surface is the whole shell — but it still has to reason about that surface inside its context window. Agent-with-root-shell doesn't eliminate prompt design; it just shifts the design from "tell the agent what tools exist" to "tell the agent how to use a Linux shell."
Seen in¶
- sources/2025-06-20-flyio-phoenixnew-remote-ai-runtime-for-phoenix — Phoenix.new ships this posture as the product default: every per-session Fly Machine gives the agent a root shell shared with the developer.
Related¶
- concepts/agentic-development-loop — the closed loop the shell serves.
- concepts/capability-based-sandbox — contrast posture.
- concepts/ephemeral-dev-environment — the ephemerality precondition that makes the posture safe.
- systems/phoenix-new — canonical instance.
- systems/fly-machines — substrate (Firecracker VM perimeter).
- patterns/ephemeral-vm-as-cloud-ide — productisation.
- patterns/disposable-vm-for-agentic-loop — motivating pattern.