How to Prevent AI Agents from Modifying System Configuration
To prevent AI agents from modifying /etc/, system settings, shell profiles, and OS configuration files, use SafeClaw action-level gating to block file_write and shell_exec actions targeting system paths. SafeClaw denies system-level modifications before the agent can make them. Install with npx @authensor/safeclaw.
The Risk
System configuration files control how your operating system, network, services, and shell environment behave. /etc/hosts controls DNS resolution. /etc/passwd and /etc/shadow control user accounts. ~/.bashrc and ~/.zshrc execute code every time you open a terminal. /etc/sudoers controls root access. ~/.ssh/config controls SSH connection behavior. crontab schedules recurring commands.
When an AI agent modifies these files, the effects are system-wide and persistent. A bad /etc/hosts entry redirects your traffic to the wrong server. A modified ~/.bashrc runs arbitrary code in every new shell session. A corrupted /etc/resolv.conf breaks DNS resolution for the entire machine. A modified crontab runs commands on a schedule, potentially long after the agent session ends.
Agents modify system files when asked to "fix networking issues," "set up the development environment," or "configure the project." These are legitimate tasks that can lead to echo 'export PATH=...' >> ~/.bashrc or sudo sh -c 'echo "127.0.0.1 api.example.com" >> /etc/hosts'. If the agent makes a mistake — wrong syntax, wrong file, wrong value — the result is a broken system that may not manifest until your next login, reboot, or service restart.
System config changes also persist beyond the agent session. Unlike a bad code change that you can revert with git, a corrupted system file requires manual recovery, often from a different terminal or recovery mode.
The One-Minute Fix
Step 1: Install SafeClaw.
npx @authensor/safeclaw
Step 2: Get your free API key at safeclaw.onrender.com (7-day renewable, no credit card).
Step 3: Add this policy rule:
- action: file_write
  pattern: "^/etc/|bashrc|zshrc|profile$|crontab|\\.bash_profile"
  effect: deny
  reason: "System configuration modification blocked"
The agent can no longer write to system configuration files or shell profiles.
Full Policy
name: block-system-config
version: "1.0"
defaultEffect: deny
rules:
  # Block writes to /etc/
  - action: file_write
    pattern: "^/etc/"
    effect: deny
    reason: "System config directory write blocked"
  # Block shell profile modifications
  - action: file_write
    pattern: "\\.(bashrc|zshrc|bash_profile|profile|zprofile|bash_login|bash_logout)"
    effect: deny
    reason: "Shell profile modification blocked"
  # Block crontab modifications
  - action: shell_exec
    pattern: "crontab\\s+(-e|-r|-l.\\|)|echo.>>.*cron"
    effect: deny
    reason: "Crontab modification blocked"
  # Block sudo commands
  - action: shell_exec
    pattern: "sudo\\s+"
    effect: deny
    reason: "Sudo execution blocked"
  # Block systemd and service management
  - action: shell_exec
    pattern: "systemctl\\s+(enable|disable|start|stop|restart)|service\\s+\\w+\\s+(start|stop|restart)"
    effect: deny
    reason: "Service management blocked"
  # Block launchctl on macOS
  - action: shell_exec
    pattern: "launchctl\\s+(load|unload|bootstrap|bootout)"
    effect: deny
    reason: "macOS service management blocked"
  # Allow project file writes
  - action: file_write
    pattern: "/(src|lib|test|tests|docs|public|dist|build)/"
    effect: allow
    reason: "Project directory writes permitted"
What Gets Blocked
These action requests are DENIED:
{
  "action": "file_write",
  "path": "/etc/hosts",
  "agent": "network-helper",
  "result": "DENIED — System config directory write blocked"
}
{
  "action": "file_write",
  "path": "/home/user/.bashrc",
  "agent": "setup-assistant",
  "result": "DENIED — Shell profile modification blocked"
}
{
  "action": "shell_exec",
  "command": "sudo systemctl restart nginx",
  "agent": "deploy-agent",
  "result": "DENIED — Sudo execution blocked"
}
What Still Works
These safe actions are ALLOWED:
{
  "action": "file_write",
  "path": "/home/user/project/src/config.ts",
  "agent": "code-assistant",
  "result": "ALLOWED — Project directory writes permitted"
}
{
  "action": "file_write",
  "path": "/home/user/project/tests/auth.test.ts",
  "agent": "code-assistant",
  "result": "ALLOWED — Project directory writes permitted"
}
Your agent can still write source code, tests, documentation, and project configuration. It just can't modify system-level files, shell profiles, or services.
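To make the rule semantics concrete, here is an added example evaluator in TypeScript, written for this page and not SafeClaw's own code. It loads the rules from the Full Policy above and replays the requests shown in the two sections above plus two more. Because the page does not spell out the matching semantics, the example assumes that rules are tried top to bottom with the first match deciding, that defaultEffect applies when nothing matches, and that file_write rules are tested against the canonical absolute path while shell_exec rules are tested against the command string. The type names, the sampleRequests list and the report helper are this example's own.

```typescript
// Added illustration, not SafeClaw's own code: a minimal evaluator for
// action-level rules of the shape used in the policy above.
// Assumptions (not stated on the page): rules are tried top to bottom and
// the first match decides; if nothing matches, defaultEffect applies;
// file_write patterns are tested against the canonical absolute path and
// shell_exec patterns against the raw command string.
import { posix } from "node:path";

type Action = "file_write" | "shell_exec";
type Effect = "allow" | "deny";
interface Rule { action: Action; pattern: string; effect: Effect; reason: string }
interface Policy { name: string; defaultEffect: Effect; rules: Rule[] }
interface ActionRequest { action: Action; agent: string; path?: string; command?: string }
interface Decision { effect: Effect; reason: string }

// The rules from the "Full Policy" section, transcribed from the YAML.
// A YAML double-quoted "\\s" is the regex escape \s, exactly as in a TS string.
export const blockSystemConfig: Policy = {
  name: "block-system-config",
  defaultEffect: "deny",
  rules: [
    { action: "file_write", pattern: "^/etc/", effect: "deny",
      reason: "System config directory write blocked" },
    { action: "file_write",
      pattern: "\\.(bashrc|zshrc|bash_profile|profile|zprofile|bash_login|bash_logout)",
      effect: "deny", reason: "Shell profile modification blocked" },
    { action: "shell_exec", pattern: "crontab\\s+(-e|-r|-l.\\|)|echo.>>.*cron",
      effect: "deny", reason: "Crontab modification blocked" },
    { action: "shell_exec", pattern: "sudo\\s+", effect: "deny",
      reason: "Sudo execution blocked" },
    { action: "shell_exec",
      pattern: "systemctl\\s+(enable|disable|start|stop|restart)|service\\s+\\w+\\s+(start|stop|restart)",
      effect: "deny", reason: "Service management blocked" },
    { action: "shell_exec", pattern: "launchctl\\s+(load|unload|bootstrap|bootout)",
      effect: "deny", reason: "macOS service management blocked" },
    { action: "file_write", pattern: "/(src|lib|test|tests|docs|public|dist|build)/",
      effect: "allow", reason: "Project directory writes permitted" },
  ],
};

// What a rule's regex is matched against. Paths are canonicalized first so a
// path written with "." or ".." segments is judged by where it actually lands.
function subject(req: ActionRequest): string {
  if (req.action === "file_write") return req.path ? posix.resolve(req.path) : "";
  return req.command ?? "";
}

export function evaluate(policy: Policy, req: ActionRequest): Decision {
  const target = subject(req);
  for (const rule of policy.rules) {
    if (rule.action !== req.action) continue;
    if (new RegExp(rule.pattern).test(target)) return { effect: rule.effect, reason: rule.reason };
  }
  // Deny-by-default: anything no rule speaks to is blocked.
  return { effect: policy.defaultEffect, reason: `No matching rule; defaultEffect is ${policy.defaultEffect}` };
}

// Constructed sample requests, including the ones shown above.
export const sampleRequests: ActionRequest[] = [
  { action: "file_write", path: "/etc/hosts", agent: "network-helper" },
  { action: "file_write", path: "/home/user/.bashrc", agent: "setup-assistant" },
  { action: "shell_exec", command: "sudo systemctl restart nginx", agent: "deploy-agent" },
  { action: "file_write", path: "/home/user/project/src/config.ts", agent: "code-assistant" },
  { action: "file_write", path: "/home/user/project/tests/auth.test.ts", agent: "code-assistant" },
  { action: "file_write", path: "/home/user/notes.txt", agent: "code-assistant" }, // no rule: default deny
  { action: "file_write", path: "/home/user/project/src/../../../../etc/hosts", agent: "network-helper" }, // resolves to /etc/hosts
];

export function report(policy: Policy, reqs: ActionRequest[]): string[] {
  return reqs.map((r) => {
    const d = evaluate(policy, r);
    return `${d.effect.toUpperCase()} ${r.path ?? r.command} (${r.agent}): ${d.reason}`;
  });
}

for (const line of report(blockSystemConfig, sampleRequests)) console.log(line);
```

Run it with a TypeScript runner such as tsx or ts-node. The last two requests show two things the page's own examples do not: a file under the home directory that no rule mentions is denied purely by defaultEffect, and a path that only reaches /etc/ through `..` segments still hits the `^/etc/` rule because the evaluator canonicalizes before testing, which is why an evaluator should match the resolved path rather than the raw string.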
Why Other Approaches Don't Work
File permissions and sudo protect /etc/ files from non-root users. But shell profiles (~/.bashrc, ~/.zshrc) are owned by your user and writable without sudo. The agent can modify these freely. And if the agent has access to your sudo password (from .env or conversation context), it can escalate.
Docker containers provide a separate filesystem, but agents often need to write files in your project directory. If the container has write access to mounted volumes, and your shell profile is in the mounted path, the agent can modify it. Container-based isolation also doesn't help with macOS development environments where Docker adds complexity.
Read-only filesystem mounts cripple the agent — it needs to write source code, tests, and project configs. You can't make the filesystem read-only and still have a useful coding agent.
Prompt instructions ("don't modify system files") break when the agent interprets "set up the dev environment" as requiring shell profile modifications. Prompt injection can override system prompts entirely.
SafeClaw evaluates every file_write and shell_exec action against path and pattern rules in sub-millisecond time. Deny-by-default means any path not explicitly in your allow list is blocked — including system paths you didn't think of. Every denied action is logged in a tamper-proof audit trail (SHA-256 hash chain). 446 tests, TypeScript strict mode, zero third-party dependencies. You can test policies in simulation mode before enforcing them.
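The audit trail mentioned above is described as a SHA-256 hash chain. To show what that property buys a defender, here is an added example in TypeScript, written for this page rather than taken from SafeClaw, that logs the three denied requests from the What Gets Blocked section and checks the chain after three kinds of tampering. The entry fields, the all-zero genesis value and the expectedHead parameter are this example's own assumptions about how such a log could be laid out, not SafeClaw's format.

```typescript
// Added illustration, not SafeClaw's own code: a hash-chained audit log of
// the kind the text describes. Each entry's SHA-256 covers its own fields plus
// the previous entry's hash, so editing, reordering or removing an earlier
// entry breaks every link after it. Field names and the all-zero genesis
// value are this example's own choices.
import { createHash } from "node:crypto";

export interface AuditEntry {
  seq: number;
  timestamp: string;
  action: string;
  target: string;   // path for file_write, command for shell_exec
  agent: string;
  effect: "allow" | "deny";
  reason: string;
  prevHash: string; // hash of the previous entry, GENESIS for the first
  hash: string;     // SHA-256 over all fields above
}

const GENESIS = "0".repeat(64);

// Canonical serialization with a fixed field order, so equal entries hash equally.
function entryHash(e: Omit<AuditEntry, "hash">): string {
  const body = JSON.stringify([e.seq, e.timestamp, e.action, e.target, e.agent, e.effect, e.reason, e.prevHash]);
  return createHash("sha256").update(body).digest("hex");
}

export class AuditLog {
  private entries: AuditEntry[] = [];

  append(fields: Omit<AuditEntry, "seq" | "prevHash" | "hash">): AuditEntry {
    const last = this.entries[this.entries.length - 1];
    const unhashed = { ...fields, seq: this.entries.length, prevHash: last ? last.hash : GENESIS };
    const entry: AuditEntry = { ...unhashed, hash: entryHash(unhashed) };
    this.entries.push(entry);
    return entry;
  }

  // Hash of the newest entry; keep a copy somewhere the agent cannot write.
  head(): string { return this.entries.length ? this.entries[this.entries.length - 1].hash : GENESIS; }

  snapshot(): AuditEntry[] { return this.entries.map((e) => ({ ...e })); }
}

// Walks the chain and returns the index of the first broken entry, or -1 if
// every link checks out. Comparing the final hash with an externally kept
// head also catches a chain that was silently truncated or fully rebuilt.
export function verifyChain(entries: AuditEntry[], expectedHead?: string): number {
  let prev = GENESIS;
  for (let i = 0; i < entries.length; i++) {
    const { hash, ...rest } = entries[i];
    if (rest.seq !== i || rest.prevHash !== prev || entryHash(rest) !== hash) return i;
    prev = hash;
  }
  if (expectedHead !== undefined && prev !== expectedHead) return entries.length;
  return -1;
}

// Constructed demo: three denied actions, then three kinds of tampering.
export function demo(): { intact: number; edited: number; removed: number; truncated: number } {
  const log = new AuditLog();
  const denied = [
    { action: "file_write", target: "/etc/hosts", agent: "network-helper", reason: "System config directory write blocked" },
    { action: "file_write", target: "/home/user/.bashrc", agent: "setup-assistant", reason: "Shell profile modification blocked" },
    { action: "shell_exec", target: "sudo systemctl restart nginx", agent: "deploy-agent", reason: "Sudo execution blocked" },
  ];
  denied.forEach((d, i) => log.append({ ...d, effect: "deny", timestamp: `2024-01-01T00:00:0${i}Z` }));
  const head = log.head();

  const edited = log.snapshot();
  edited[1].reason = "Project directory writes permitted"; // rewrite a verdict in place
  const removed = log.snapshot().filter((e) => e.seq !== 1);  // drop a middle entry
  const truncated = log.snapshot().slice(0, 2);               // drop the newest entry

  return {
    intact: verifyChain(log.snapshot(), head),   // -1
    edited: verifyChain(edited, head),           // 1
    removed: verifyChain(removed, head),         // 1
    truncated: verifyChain(truncated, head),     // 2, visible only through the external head
  };
}

console.log(demo());
```

The chain on its own detects edits, reordering and removal of interior entries, because every later link depends on the earlier hash. Removing the newest entries is only detectable if the head hash is kept where the agent cannot write it, which is why head() exists separately from the entries themselves.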
Cross-References
- How to Prevent AI Agents from Running rm -rf
- Config File Overwrite Threat
- Privilege Escalation via Sudo Threat
- Least Privilege for Agents
- SafeClaw vs File Permissions
Try SafeClaw
Action-level gating for AI agents. Set it up in your browser in 60 seconds.
$ npx @authensor/safeclaw