Posted by emilburzo 15 hours ago

Running Claude Code dangerously (safely)(blog.emilburzo.com)
288 points | 233 comments, page 5
fwystup 12 hours ago
I'm currently building a Docker dev environment for VSCode (github.com/dg1001/xaresaicoder) usable in a browser and hit the same issue. Without docker-in-docker it works well; I was even able to add a transparent proxy in the Docker network to restrict outbound traffic and log all LLM calls (pretty nice for documenting your project). For docker-in-docker development and better security isolation, I'm considering Kata Containers instead of Vagrant, which gives me real VM-level isolation with minimal perf overhead while still being able to use my Docker stuff. Still on my TODO list though. Has anyone actually run Kata with VS Code server? Curious about real-world quirks; I've read that storage snapshot performance can be rough.
bstar77 11 hours ago
I have been running dangerously, but I always make sure to start a new session, have Claude read the docs (I have already generated) related to the project in question, and then scope the work to just those things in the current sandbox. It can technically go outside of the sandbox in this mode, but I've never had it happen.

IMO, if you are not running in the dangerous mode then you are really missing out on one of the best aspects of Claude Code: its ability to iterate. If you have to confirm each iteration then it's just not practical.

sandGorgon 13 hours ago
Or... use WSL2 in Windows. Does the same thing, much much faster.

Windows is the best (sandboxed) Linux

strickjb9 13 hours ago
Real question - are you not worried about access to /mnt/c ?
kachapopopow 12 hours ago
# make /mnt (and so /mnt/c, /mnt/d, ...) traversable by root only
sudo chmod 700 /mnt/

# hand just the project directory to your own user id
# (chown, not chmod: $UID is a user id, not a permission mode)
sudo chown $UID /mnt/<project_path>

...done?

guluarte 10 hours ago
Tools inside WSL have full control of the Windows filesystem.
odie5533 11 hours ago
I use Development containers (dev-containers) as demonstrated by Claude Code's docs https://code.claude.com/docs/en/devcontainer

It all integrates nicely with VS Code. It has a firewall script and you spin up your database within the docker compose file so it has full access to a postgres instance. I can share my full setup if anyone needs it.
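
An added example in the spirit of the firewall script mentioned above; it is not odie5533's setup and not the script from the Claude Code devcontainer docs. It builds a default-deny egress policy for the container as reviewable text first and only applies it on request. The allowlisted hosts, the compose subnet and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the commenter's setup nor the script from Claude Code's
# devcontainer docs: a default-deny egress policy for a dev container,
# written so the rules can be reviewed before they are applied.
# The allowlist, the compose subnet and the function names are assumptions.
set -eu

# Hosts the agent may reach on 443 (constructed list; adjust to your project).
ALLOWED_HOSTS="${ALLOWED_HOSTS:-api.anthropic.com github.com registry.npmjs.org}"
# Compose network where the project's own services (e.g. postgres) live.
ALLOWED_CIDRS="${ALLOWED_CIDRS:-172.16.0.0/12}"

# Resolve a hostname to IPv4 addresses, one per line. Kept as a separate
# function so it can be stubbed when reviewing rules on a box without DNS.
resolve_v4() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Emit the iptables commands for the policy as text; nothing is applied here.
# Order matters: loopback, established flows and DNS are accepted before the
# allowlist, and the chain's default policy is DROP.
build_egress_rules() {
  hosts="$1"; cidrs="$2"
  echo 'iptables -P OUTPUT DROP'
  echo 'iptables -A OUTPUT -o lo -j ACCEPT'
  echo 'iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo 'iptables -A OUTPUT -p udp --dport 53 -j ACCEPT'
  for c in $cidrs; do
    echo "iptables -A OUTPUT -d $c -j ACCEPT"
  done
  for h in $hosts; do
    for ip in $(resolve_v4 "$h"); do
      echo "iptables -A OUTPUT -d $ip -p tcp --dport 443 -j ACCEPT"
    done
  done
}

# Count ACCEPT rules in a generated rule set. A review helper: if an
# allowlisted host resolved to nothing, the count drops and you notice
# before the agent silently loses access to it.
count_accepts() {
  printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

# Print the rules (DRY_RUN=1, the default) or apply them. Applying needs root
# and the NET_ADMIN capability inside the container.
apply_egress_rules() {
  rules=$(build_egress_rules "$ALLOWED_HOSTS" "$ALLOWED_CIDRS")
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf '%s\n' "$rules"
  else
    printf '%s\n' "$rules" | sh -e
  fi
}

# Only act when invoked explicitly, so sourcing the file has no side effects.
if [ "${1:-}" = "apply" ]; then
  apply_egress_rules
fi
```

Run `sh egress.sh apply` to see the rule set, then `DRY_RUN=0 sh egress.sh apply` from the devcontainer's post-create step. Two caveats the allowlist approach carries: hosts are resolved once at startup, so a host fronted by a CDN that rotates addresses can drop out of the allowlist, and UDP 53 stays open so that resolution works at all, which is itself an outbound channel. If that matters, resolve and pin the addresses at image build time and close 53.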

thenaturalist 10 hours ago
This would be lovely and much appreciated!

Devcontainers look perfect but also like a bit of a burden to entry with regards to setup.

FourSigma 13 hours ago
I've been exploring this space. There are some use cases where I'd love to run an isolated Claude agent asynchronously. I think running Docker in rootless mode might solve some of the OP's concerns—I believe Podman does this implicitly. Also, there are tools like Kaniko that do not need Docker to create container images. You can also try changing the underlying container runtime to something like gVisor if you want more security.

Does anybody have experience using microVMs (Firecracker, Kata Containers, etc.) for this use case? Would love to hear your thoughts.

fwystup 10 hours ago
Posted almost at the same time about Kata. I'm trying to use Kata as a replacement for the standard Docker runtime (since I already have a tool based on Docker).

The idea is to simply use the runtime flag (after kata install):

docker run -d --runtime=kata -p 8080:8080 codercom/code-server:latest

Hope this works, with this I could keep my existing docker setup.
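
Both this comment and FourSigma's above rely on a runtime swap (Kata, gVisor, a rootless daemon) actually taking effect, and a `docker run --runtime=...` that falls back to the default runtime looks identical from the outside. The following check script is an added example, not part of either comment and not from Kata, gVisor or Docker; the container name and the list of runtime names it treats as sandboxed are assumptions.

```shell
#!/bin/sh
# Added example (not from either comment, nor from Kata, gVisor or Docker):
# verify that a container really runs under an isolating runtime instead of
# trusting that --runtime=kata took effect. Names and thresholds are assumptions.
set -eu

# Runtimes that put a separate guest kernel (Kata) or a user-space kernel
# (gVisor's runsc) between the workload and the host. runc/crun are not listed.
is_sandboxed_runtime() {
  case "$1" in
    kata|kata-runtime|kata-*|io.containerd.kata.*|runsc) return 0 ;;
    *) return 1 ;;
  esac
}

# Docker reports "name=rootless" in SecurityOptions when the daemon itself is
# rootless. Takes the raw string so it can be checked without a daemon present.
has_rootless_daemon() {
  case "$1" in *name=rootless*) return 0 ;; *) return 1 ;; esac
}

# Under runc the container shares the host kernel, so `uname -r` inside it
# matches the host. Under Kata the guest kernel version differs, and gVisor
# reports its own fixed version string. A differing kernel is a cheap sanity check.
kernels_differ() {
  host="$1"; guest="$2"
  [ -n "$guest" ] && [ "$host" != "$guest" ]
}

# Live check against a running container (needs docker on PATH).
check_container() {
  name="$1"
  runtime=$(docker inspect -f '{{.HostConfig.Runtime}}' "$name")
  secopts=$(docker info -f '{{.SecurityOptions}}')
  host_kernel=$(uname -r)
  guest_kernel=$(docker exec "$name" uname -r)

  status=0
  if is_sandboxed_runtime "$runtime"; then
    echo "ok: $name runs under $runtime"
  else
    echo "WARN: $name runs under $runtime (shares the host kernel)"; status=1
  fi
  if kernels_differ "$host_kernel" "$guest_kernel"; then
    echo "ok: guest kernel $guest_kernel differs from host $host_kernel"
  else
    echo "WARN: guest kernel matches host ($host_kernel)"; status=1
  fi
  if has_rootless_daemon "$secopts"; then
    echo "ok: rootless daemon"
  else
    echo "note: daemon runs as root (SecurityOptions: $secopts)"
  fi
  return $status
}

# Usage: sh check_runtime.sh <container-name>, e.g. after
#   docker run -d --name code --runtime=kata -p 8080:8080 codercom/code-server:latest
if [ -n "${1:-}" ]; then
  check_container "$1"
fi
```

The runtime name alone is not proof: `docker inspect` reports what was requested, while the kernel comparison reports what is actually running, which is why the script checks both and fails if either disagrees.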

CGMthrowaway 5 hours ago
What is the equivalent of this, for Claude Cowork? Can anyone point me to a guide on how to safely use that?
rando77 9 hours ago
I'm interested in capability based software, with tools to identify the lethal trifecta.

This seems like a very hard problem with coding specifically as you want unsafe content (web searches) to be able to impact sensitive things (code).

I'd love to find people to talk to about this stuff.

tradziej 14 hours ago
https://github.com/mensfeld/code-on-incus - check out this project
Strongbad536 12 hours ago
I've low-key been running Claude in dangerously-skip-permissions mode for at least like 4 months now and have yet to be bitten by a truly destructive action. YMMV, but I think as long as you're guiding/prompting correctly, and don't just allow write access to your prod account DBs willy-nilly, it's mostly fine. Just keep an eye on it :shrug:
anp 11 hours ago
This has mostly been my experience as well although I don’t tend to run yolo mode outside of an isolated VM (I’m setting them up manually still, need to try vagrant for it). That said, it seems like some of the people who are more concerned about isolation are working with more untrusted inputs than I’ve been dealing with on my projects. It’s rare for me to ask an agent to e.g. read text from a random webpage that could bring its own prompt injection, but there are a lot of things one might ask an agent to do that risk exposure to “attack text”.
nonethewiser 12 hours ago
Also something to note, this mode simply adds a new mode alongside accept edits, plan, nothing, dangerously skip permissions. You can choose when to use it or not, which is not something I initially realized.
yodon 11 hours ago
Is anyone running Claude in a GitHub Codespace container?

There was this HN post[0] last week on a tool for automatically shutting down the codespace container when idle.

[0]https://github.com/wandb/catnip
