_______ __ _______
| | |.---.-..----.| |--..-----..----. | | |.-----..--.--.--..-----.
| || _ || __|| < | -__|| _| | || -__|| | | ||__ --|
|___|___||___._||____||__|__||_____||__| |__|____||_____||________||_____|
on Gopher (inofficial)
HTML Visit Hacker News on the Web
COMMENT PAGE FOR:
HTML macOS's Little-Known Command-Line Sandboxing Tool (2025)
LowLevelKernel wrote 9 hours 55 min ago:
Linux equivalent? Anything for Ubuntu?
How different is it than a .venv?
sciencesama wrote 18 hours 2 min ago:
If there is a gui i can deploy custom browsers for classroom for
labbing !
whalesalad wrote 19 hours 17 min ago:
> Sandbox profiles use a Scheme-like syntax (a LISP dialect) with
parentheses grouping expressions.
Wow this is cool
bdash wrote 20 hours 28 min ago:
See [1] for more details on how sandboxing works on macOS. It touches
on how the SBPL Scheme source code is interpreted in userspace to build
a bytcode representation of the policy, and the kernel MAC hooks that
the Sandbox kernel extension uses for enforcing sandbox policies.
HTML [1]: https://bdash.net.nz/posts/sandboxing-on-macos/
innagadadavida wrote 20 hours 45 min ago:
I went down the sandbox-exec rabbit hole recently trying to get a
âsafe shellâ for poking at random GitHub projects. I eventually
realized I was solving the wrong problem.
For development you usually donât need a kernel policy language - you
mostly want:
1. builds not trashing your real $HOME
2. no dotfiles/config pollution
3. some basic separation if a project does something dumb
A much simpler (and more reliable) alternative on macOS is just a
dedicated throwaway user account. macOS already isolates home
directories, keychains, and app state per-user, so you get a practical
sandbox without fighting SBPL quirks or mysterious denials.
My workflow now: I have a user called rsh. I clone and build everything
there. My real home directory stays clean. If a project goes crazy, it
only damages /Users/rsh
It also avoids the â1000 hidden files in your home folderâ problem
that a lot of language ecosystems cause.
Minimal setup :
sudo sysadminctl -addUser rsh -password $(LC_ALL=C tr -dc A-Za-z0-9
viraptor wrote 18 hours 55 min ago:
> clone repos into ~/projects
Cloning them there means leaving access to your SSH keys, right?
tonymet wrote 21 hours 2 min ago:
You can tell MacOS was developed by OS nerds but stifled by product
managers. There are a lot of gems like Sandboxing and Hyperkit with
incredible features and practically no user interface.
otterley wrote 19 hours 32 min ago:
Why is not spending resources to develop infrequently-used features
that aren't revenue streams "stifling"? Granted, I too would love to
have nice UIs for those out of the box, but > 99.9% of Mac users
don't care, and 3rd-party developers can pick up the slack and maybe
make some money filling the gap.
tonymet wrote 19 hours 14 min ago:
that's the short-term, MBA-style mindset to which I'm referring.
Much of the popularity of MacOS came from the open source community
filling that gap despite lacking support. So there is clearly
demand that the PMs were not tapping into.
It would be fine if Apple was providing the APIs, docs and support
to stimulate 3rd party tools. Hyperkit sat undocumented for 15+
years until a proper hypervisor platform was built on top of it.
This sandboxing framework is another example.
simonw wrote 21 hours 31 min ago:
If Apple wanted to win back some serous credibility in the AI field
there are two very low hanging fruit that they could use:
- Announce that they are no longer going to deprecate sandbox-exec and
instead publish detailed documentation for it
- Add a reliable "select all" option to the iOS copy/paste menu
VogonPoetry wrote 15 hours 2 min ago:
I am not sure using sandbox-exec is a good security architecture for
AI agents. It sure is convenient and available to everyone right now.
I've made another comment elsewhere in this discussion about what I
think "deprecated" means - it is a sharp tool that could break if not
tracking everything that changes, including every change in a SW
update. It is also easy to get wrong if there is not a "(default
deny)" in the profile. An agent could escape if they can find a mach
service or some other system call coordinated proxy service. Java,
Silverlight and Flash had backdoor communication mechanisms with
other instances of themselves that could be abused.
bigyabai wrote 17 hours 40 min ago:
"If" indeed. Apple has a trillion-dollar AI market staring themselves
in the face, and they can't even find it in them to sign CUDA drivers
for their own good.
The features you're describing would not buy them credibility in the
AI field anyhow. They would certainly plaster over some of macOS and
iOS' more embarrassing limitations, but professional AI deployments
are not hamstrung by those limits. It's just the commodity
homelabbers who want to brag about buying a 120gb GPU with anemic
compute performance. Apple doesn't need to curry favor with those
people, they'd buy the hardware for the luls regardless of what the
software experience is like.
viraptor wrote 18 hours 58 min ago:
Apple is going to Apple. They're as likely to remove the deprecation
as they are to restrict it to first party apps only. They don't care
about devs.
mixtureoftakes wrote 21 hours 55 min ago:
what is with the ai written articles lately? and ai designed websites?
who looks at it and goes "yes, ill upvote this. more people should see
it."?
kyralis wrote 19 hours 29 min ago:
what is with people who are convinced everything is written by ai
with no evidence lately?
selridge wrote 21 hours 53 min ago:
This content was from a year ago and was not written by AI.
parentheses wrote 22 hours 8 min ago:
This tool is not just used for safety. ;)
You can spoof or disappear a mashed file.
You can trigger vulnerabilities by breaking internal assumptions of a
program.
ksherlock wrote 22 hours 21 min ago:
alias sandbox-no-network='sandbox-exec -p "(version 1)(allow
default)(deny network*)"'
pro-tip on alias:
for sh-compliant shells, including a whitespace at the end of the alias
string causes the next token to also go through alias expansion.
(maybe it would also be a hint to the shell for tab completion as
well). This is a perfect example of when, where, and why you would
want to do that.
cjbarber wrote 22 hours 26 min ago:
See also: [1] [2] [3] (I've been collecting different tools for
sandboxing coding agents)
HTML [1]: https://github.com/obra/packnplay
HTML [2]: https://github.com/strongdm/leash
HTML [3]: https://github.com/lynaghk/vibe
jpeeler wrote 20 hours 55 min ago:
I've been collecting a list of sandboxing related projects as well,
some lower level than others. I wish I had time to evaluate them all:
- [1] - [2] - [3] - [4] - [5] - [6] - [7] (not new)
- [8] - [9] - [10] - [11] - [12] - [13] - [14] - [15] - [16] - [17] -
[18] - [19] - [20] - (another list on HN Deno Sandbox: [21] )
- Did not check if any/all of these are here: [22]
HTML [1]: https://github.com/jingkaihe/matchlock
HTML [2]: https://github.com/mishushakov/libkrun-go
HTML [3]: https://github.com/earendil-works/gondolin
HTML [4]: https://github.com/butter-dot-dev/bvisor
HTML [5]: https://github.com/amlalabs/amla-sandbox
HTML [6]: https://github.com/eryx-org/eryx
HTML [7]: https://github.com/containers/bubblewrap
HTML [8]: https://github.com/coplane/localsandbox
HTML [9]: https://github.com/sd2k/conch
HTML [10]: https://github.com/Gerharddc/litterbox
HTML [11]: https://github.com/finbarr/yolobox
HTML [12]: https://github.com/coventry/sandbox-codex
HTML [13]: https://github.com/osks/ctenv
HTML [14]: https://github.com/tianon/gosu
HTML [15]: https://github.com/colony-2/shai
HTML [16]: https://github.com/rcarmo/agentbox
HTML [17]: https://github.com/coder/httpjail
HTML [18]: https://github.com/bytecodealliance/componentize-py
HTML [19]: https://github.com/tursodatabase/agentfs
HTML [20]: https://github.com/always-further/nono
HTML [21]: https://news.ycombinator.com/item?id=46876022
HTML [22]: https://github.com/arjan/awesome-agent-sandboxes
johnmw wrote 16 hours 31 min ago:
Also (in case people haven't already seen this), I recently
discovered Docker now has an easy way to run agents in a sandbox,
ie:
docker sandbox run claude ~/project-a
HTML [1]: https://docs.docker.com/ai/sandboxes/
selridge wrote 20 hours 48 min ago:
Got a weird one
HTML [1]: https://github.com/Protonk/PAWL
cjbarber wrote 22 hours 24 min ago:
And from this thread I also see: [1] via CGamesPlay [2] via davidcann
HTML [1]: https://github.com/eugene1g/agent-safehouse
HTML [2]: https://multitui.com/
blahgeek wrote 22 hours 54 min ago:
Although macOS do provide many little known useful tools (besides this,
thereâs also dtrace, pf, etc), I still run a Linux VM in my MacBook
for daily work. Thing is, the effort I spend on learning these tools is
almost wasteful unless Iâm doing iOS or macOS development. Skills
about Linux tools however, is something people considered valuable
because of its wider application. I think apple is missing
opportunities by not doing more about macOS Server platform.
chaostheory wrote 23 hours 1 min ago:
Are sandbox-exec and seatbelt no longer deprecated? I genuinely donât
know. I am asking
selridge wrote 22 hours 47 min ago:
Still deprecated. Still in use by everyone.
lyaocean wrote 23 hours 30 min ago:
I'd add one warning for folks who haven't used it before: a tiny typo
in the profile can turn into confusing runtime failures later, far away
from the command that triggered them. The tool is useful, but the
feedback loop is rough.
xyzzy_plugh wrote 23 hours 32 min ago:
It drives me nuts that sandbox-exec has "sandbox" in the name, since
it's nothing like a real sandbox, and much closer to something like a
high-level seccomp, and not much to do with "App Sandboxes" which is a
distinct macOS feature.
IMO a real sandbox let's a program act how it wishes without impacting
anything outside the sandbox. In reality many of these tools just cause
hard failures when attempting to cross the defined boundaries.
It's also poorly documented and IIRC deprecated. I don't know what is
supposed to replace it.
If macOS simply had overlay mounts in a sandbox then it would unlock so
much. Compared to Linux containers (docker, systemd, bubblewrap, even
unshare) macOS is a joke.
m132 wrote 20 hours 29 min ago:
> not much to do with "App Sandboxes" which is a distinct macOS
feature
The App Sandbox is literally Seatbelt + Cocoa "containers". secinitd
translates App Sandbox entitlements into a Seatbelt profile and that
is then transferred back to your process via XPC and applied by an
libsystem_secinit initializer early in the process initialization,
shortly before main(). This is why App Sandbox programs will crash
with `forbidden-sandbox-reinit` in libsystem_secinit if you run them
under sandbox-exec. macOS does no OS-level virtualization.
bdash wrote 19 hours 51 min ago:
It is a little more direct than that even. The application's
entitlements are passed into the interpretation of the sandbox
profile. It is the sandbox profile itself that determines which
policies should be applied in the resulting compiled sandbox policy
based on entitlements and other factors.
An example from /System/Library/Sandbox/Profiles/application.sb,
the profile that is used for App Sandboxed applications, on my
system:
(when (entitlement
"com.apple.security.files.downloads.read-only")
(read-only-and-issue-extensions (home-subpath
"/Downloads")))
(when (entitlement
"com.apple.security.files.downloads.read-write")
(read-write-and-issue-extensions (home-subpath
"/Downloads")))
(when (or (entitlement
"com.apple.security.files.downloads.read-only")
(entitlement
"com.apple.security.files.downloads.read-write"))
(allow process-exec (home-subpath "/Downloads")))
simonw wrote 21 hours 30 min ago:
Sandbox-exec covers everything I personally expect from a sandbox:
- controls which files the process can read and write
- controls what network access the process is allowed
gobdovan wrote 22 hours 41 min ago:
What you're describing is a resource virtualization with
transactional reconciliation instead of program isolation in the
mediation sense (MAC/seccomp-style denial).
To let a program act as it wishes, ideally every security-relevant
mutable resource must be virtualized instead of filtered. Plus, FS is
only one of the things that should be sandboxed. You should also
ideally virtualize network state at least, but ideally also
process/IPC namespaces and other such systems to prevent leaks.
You need to offer a promotion step after the sandbox is over (or even
during running if it's a long-running program) exposing all sandbox's
state delta for you to decide selective reconciliation with the host.
And you also must account for host-side drift and TOCTOU hazards
during validation and application
I'm experimenting with implementing such a sandbox that works
cross-system (so no kernel-level namespace primitives) and the amount
necessary for late-bound policy injection, if you want user comfort,
on top of policy design and synthetic environment presented to the
program is hair-pulling.
m132 wrote 20 hours 19 min ago:
> I'm experimenting with implementing such a sandbox that works
cross-system (so no kernel-level namespace primitives) and the
amount necessary for late-bound policy injection, if you want user
comfort, on top of policy design and synthetic environment
presented to the program is hair-pulling.
Curious, if this is cross-platform, is your design based on
overriding the libc procedures, or otherwise injecting libraries
into the process?
Also obligatory
HTML [1]: https://xkcd.com/2044/
gobdovan wrote 19 hours 45 min ago:
I'm not interposing libc or injecting libraries. Guests run as
WASM modules, so the execution substrate is constrained. The host
mediates and logs effects. Changes only propagate via an
explicit, policy-validated promotion step.
_wire_ wrote 23 hours 17 min ago:
> If macOS simply had overlay mounts in a sandbox then it would
unlock so much. Compared to Linux containers (docker, systemd,
bubblewrap, even unshare) macOS is a joke.
You'll want to look into Homebrew (or Macports) for access to the
larger world
TingPing wrote 22 hours 9 min ago:
They are discussing a Linux kernel feature. Docker/Podman on macOS
launch a virtual machine to function.
ImJasonH wrote 23 hours 35 min ago:
Both Claude Code and Codex use sandbox-exec with Seatbelt to sandbox
execution:
- [1] -
HTML [1]: https://developers.openai.com/codex/security/#os-level-sandbox
HTML [2]: https://code.claude.com/docs/en/sandboxing
bootlooped wrote 22 hours 58 min ago:
It weirds me out a bit that Claude is able to reach outside the
sandbox during a session. According to the docs this is with user
consent. I would feed better with a more rigid safety net, which is
why I've been explicitly invoking claude with sandbox-exec.
kermatt wrote 23 hours 40 min ago:
Interesting config used a Scheme-like format. Any ideas on how that
came to be?
comex wrote 22 hours 15 min ago:
Technically, itâs not just Scheme-like but literally a Scheme
interpreter (TinyScheme). However, the Scheme isnât being executed
to make individual sandboxing decisions. Itâs just executed once
while parsing the config, to build up a binary sandbox definition
which is what the kernel ultimately uses to make decisions (using a
much more limited-purpose, non-Turing-complete execution engine).
selridge wrote 21 hours 55 min ago:
Do we know that engine is not Turing-complete for sure?
VogonPoetry wrote 17 hours 34 min ago:
The runtime engine is not known to be turning complete. It has no
expressions and cannot loop, only forward jumps are permitted.
epistasis wrote 23 hours 20 min ago:
I was given trauma from my decades of ELisp configuration for
emacs...
Writing a parser for Lisp S-expressions is dead-simple, I wonder if
that's why they used the format.
cwicklein wrote 23 hours 27 min ago:
I believe GUIX is implemented in Scheme which makes Scheme a natural
choice for expressing configuration. Lisp tend to be a natural
configuration format for anything written in Lisp. Highly functional
configuration processing comes practically for free.
Someone wrote 23 hours 42 min ago:
[1] :
âThe sandbox-exec command is DEPRECATED. Developers who wish to
sandbox an app should instead adopt the App Sandbox feature described
in the App Sandbox Design Guideâ
That still is the case for MacOS 26.3 ( [1] )
MacOS 10.13.6 is from 2017, so this has been deprecated for almost 10
years.
HTML [1]: https://man.freebsd.org/cgi/man.cgi?query=sandbox-exec&apropos...
HTML [2]: https://man.freebsd.org/cgi/man.cgi?query=sandbox-exec&apropos...
extra88 wrote 20 hours 22 min ago:
Meh, cron on OS X/macOS has been deprecated for over 20 years.
egorfine wrote 19 hours 50 min ago:
And its binary is banned on certain macOS installations. I have two
identical mac minis with the very same OS version. On one cron
runs, on the other the cron binary doesn't run (killed: 9) even if
I re-sign the binary in different location with my own codesigning
identity. It's that banned.
extra88 wrote 17 hours 56 min ago:
Why would Apple "ban" a binary they ship with the OS? If I just
run /usr/sbin/cron on my Apple Silicon Mac, the output is
"Killed: 9" but if I actually create a crontab for a user, it
works.
egorfine wrote 15 hours 37 min ago:
crontab exits immediately on one of the macs. The other had
crontabs prior to upgrading to 15.something.
derefr wrote 18 hours 10 min ago:
That's fascinating. I'd love to see a shasum tree of both OS
installs to know if this was due to some path-dependent upgrade
sequence one of the machines went through; or whether this is
down to some sub-model-number hardware-component stepping issue
with power efficiency or something, that only one of the machines
is affected by, where the implemented launchd solution is "don't
let cron run."
egorfine wrote 15 hours 22 min ago:
The one machine where cron was working, had crontabs prior to
upgrade to 15.x. The other had none.
I have googled back then and discovered that yes Apple
specifically want us to suffer with their braindamaged launchd
instead of cron, and thus they went to extraordinary lengths to
get rid of working tools.
Anyway, cron is easy to rebuild from sources, so that's what I
did.
cpach wrote 22 hours 21 min ago:
Does anyone have any details regarding the deprecation? I wonder why
Apple made this decision.
VogonPoetry wrote 17 hours 41 min ago:
"sandbox-exec" is deprecated in the sense of "please don't use this
method to run sandboxes" rather than the mechanism going away.
If you are using "sandbox-exec" then you are likely maintaining
your own seatbelt profile. Keeping those up to date can be
challenging, especially for 3rd parties as any changes to
underlying Frameworks and libraries can break a hand crafted
profile.
If you are using it to secure your own stuff and accept this and
not complain, even for minor SW updates, then you are going to be
fine. Don't ship things to 3rd parties without also accepting this.
That is what this deprecated means.
selridge wrote 22 hours 1 min ago:
Thereâs not that much detail. A few comments in 2019 from a DTS
person indicated that Apple didnât really anticipate people
shipping on this in volume. My guess is they want to dissuade
people from using it.
They canât immediately just do away with it because a bunch of
their first party apps use it (entitlements donât cut it). Itâs
a weird space.
js2 wrote 21 hours 7 min ago:
> a DTS person
Quinn the Eskimo, no doubt. I'm convinced he or she is the only
actual human being providing developer technical support at
Apple. Certainly the only one I've ever successfully communicated
with. Support tickets go to robots who are incapable of providing
relevant answers. Maybe Quinn is an alias with a team of humans
behind it, but I don't think so. I've had him or her take forum
posts to private e-mail and it does seem like a single person.
Unfortunately, even Quinn is fully at the mercy of Apple's
internal bureaucracy, which is quite formidable.
frizlab wrote 19 hours 25 min ago:
Not the only one, but the most prolific thatâs for sure.
selridge wrote 20 hours 50 min ago:
Yeah, it was Quinn. I didnât want to name them and seem too
knowing haha.
js2 wrote 19 hours 47 min ago:
It's not much of a giveaway. Quinn is the most likely
respondent to questions on [1] for years now, including this
one about sandbox-exec in 2019: [1] thread/124284
:-)
HTML [1]: https://developer.apple.com/forums/
HTML [2]: https://developer.apple.com/forums/thread/124284
TingPing wrote 22 hours 12 min ago:
I donât know if there are problems with this tool, but the App
Sandbox is very configurable and every app store app is in one. It
doesnât make sense to maintain two different complex sandboxing
solutions.
bdash wrote 20 hours 16 min ago:
App Sandbox is fundamentally a way for programs to use the
underlying sandbox subsystem without having to write SBPL code
themselves. When a program has opted into the App Sandbox, the
system applies one of these sandbox policies automatically during
app initialization. The policy examines the entitlements of the
application to determine which additional resources should be
permitted. See /System/Library/Sandbox/Profiles/application.sb if
you're curious.
By far the biggest advantage of App Sandbox is that the policy
ships along with the OS. If a system framework changes what
resources it accesses in a software update, Apple can update the
policy so the framework functionality still works. If your app
uses a custom sandbox policy, you're on your own to both notice
that something has changed and to update your policy.
The downside is that the App Sandbox policy is limiting and
inflexible.
jen20 wrote 21 hours 45 min ago:
If swift package manager is using it (I believe it is based on
some of the error messages I occasionally see from it),
deprecating it is difficult, since SPM is not distributed as an
App Store app.
selridge wrote 21 hours 58 min ago:
Thatâs not true. Lots of appleâs own first party apps use
SBPL to sandbox because the entitlement granularity doesnât cut
it. Thereâs also lots of apps on the MAS which use
temporary-exception SBPL to fully sandbox.
I agree that there is no sense in operating dual systems, but
entitlements canât replace SBPL yet.
VogonPoetry wrote 17 hours 3 min ago:
The Sandboxing and Entitlements mechanisms are very different.
Sandboxing can only drop access to resources, it cannot grant
access that was not already there [1]. Entitlements are all
about giving additional selective privileges or to make the
sandbox NOT remove access (like full disk access or debug
ability ). Entitlements are bound to processes only and are
non-transferable. This is in contrast to a capability based
system where they can be passed around. Reasoning about
capabilities is challenging because analysis effectively
requires global knowledge of the system. Binding entitlements
to libraries or Frameworks would turn them into capabilities.
[1] a GUI app can restore access to files by using a trusted
external selection process.
Edit: change footnote reference to prevent markup error.
selridge wrote 16 hours 36 min ago:
This is true. I was being brash. Let me say instead that the
split in reasoning and evaluation as it exists on macOS in
this area is rough and potentially not needed. Granted, I
don't have a better answer in my back pocket, and the fact
that Apple has kicked the can for 15 years on trying to
harmonize these is a sign it's hard.
VogonPoetry wrote 15 hours 37 min ago:
Does this mean you tried to ship an App in the Apple App
Store but could not because of some restriction?
MillionOClock wrote 23 hours 0 min ago:
I wonder how many major applications and tools depend on sandbox-exec
today despite that depreciation, IIRC I can think of the Codex CLI
and Swift Package Manager.
selridge wrote 22 hours 49 min ago:
Claude, Firefox, safari, chrome, etc etc etc etc
Basically everyone who has to care about security on the Mac.
theowaway213456 wrote 21 hours 42 min ago:
Bazel as well.
frizlab wrote 19 hours 26 min ago:
and Homebrew!
throw0101c wrote 23 hours 54 min ago:
Do any of the third-party package managers (Brew, MacPorts) perhaps use
this for things like builds (or even installs, if things are restricted
to (e.g.) /opt)?
pingiun wrote 22 hours 10 min ago:
Nix uses the underlying libsandbox function for builds:
HTML [1]: https://github.com/NixOS/nix/blob/614072adcb56202f0a09532971...
woodruffw wrote 22 hours 30 min ago:
Homebrew uses sandbox-exec during builds and installs, yeah. To my
memory weâve used it for at least 6 or 7 years, probably longer.
cwicklein wrote 23 hours 44 min ago:
Iâve written a personal system in Common Lisp for building
third-party software on macOS (coincidentally somewhat similar to
GUIX), and I use sandbox-exec to isolate execution so that only
intended requisites affect the build process and so that installation
is strictly confined to the configured destination directory, no
scribbling outside the lines.
I think Bazel uses sandbox-exec on macOS.
davidcann wrote 23 hours 56 min ago:
I made a UI for this to run terminal apps, like claude and codex:
HTML [1]: https://multitui.com
ithkuil wrote 22 hours 58 min ago:
Which terminal do you embed?
Tiberium wrote 23 hours 9 min ago:
Codex already uses sandbox-exec on macOS :)
kilroy123 wrote 23 hours 16 min ago:
Wow, this looks very nice.
hmokiguess wrote 23 hours 26 min ago:
Iâm impressed really neat work! Why did you opt for closed source?
edit: I donât have a problem with closed source, but when software
is expected to be accountable for my security I get a little
paranoid, so was curious about the safety and guarantees here. The UX
and everything else looks great
e1g wrote 23 hours 38 min ago:
I like this! I built something similar for sandboxing CLI agents, and
in the repo have a collection of minimal profiles for sandbox-exec to
use -
HTML [1]: https://agent-safehouse.dev/
chmaynard wrote 1 day ago:
Nice write-up! This is one component of a much larger umbrella
framework for security on Apple platforms:
HTML [1]: https://developer.apple.com/documentation/security
CGamesPlay wrote 1 day ago:
Thanks for putting this together, it's very helpful.
Readers may also be interested in < [1] > which was open sourced after
a recent HN conversation < [2] >.
HTML [1]: https://github.com/eugene1g/agent-safehouse
HTML [2]: https://news.ycombinator.com/item?id=46923436
DIR <- back to front page