Running Claude Code dangerously (safely)

Posted by emilburzo 17 hours ago

Running Claude Code dangerously (safely)(blog.emilburzo.com)

296 points | 235 commentspage 6

jannesblobel 12 hours ago|

If your system were under version control, so that Claude could do whatever it wanted on its own branch, so to speak, would it still be such a big problem? Because you could just roll back if it really did cause problems, couldn't you?

jannesblobel 12 hours ago|

Perhaps I should add something here. It always depends on the task. Claude with SUDO access doesn't seem right to me either, but I wouldn't run that anywhere else either.

denysvitali 16 hours ago||

Here's what I do (shameless plug): https://blog.denv.it/posts/im-happy-engineer-now/

This allows you to use Claude Code from your mobile device, in a safe environment (restricted Kubernetes pod)

jeffrallen 16 hours ago|

Here's what I do (shameless plug, not an employee, just a satisfied user): https://exe.dev

denysvitali 15 hours ago||

Yes, this approach also looked nice! Maybe you can pair both (happy + exe.dev) for best results

svilen_dobrev 9 hours ago||

can't it generate a program that (generates a program that)+ does whatever? in different languages, and in increasing level of dereferencing..

industrially-making-exploits.. : https://news.ycombinator.com/item?id=46676081

letmetweakit 16 hours ago||

I run Claude in a Proxmox VM, generally the experience has been great. In my experience it also behaves better than gemini cli, that likes to create files all over the place if set loose (lesson learned to add that requirement to the relevant .md files)

vidarh 16 hours ago||

Something that contains Claude even more in this respect is if you explicitly gives it a directory that you tell it is entirely under its control, and tells it to write md files and other intermediate work products there (and this seems to work better than telling it where it isn't allowed to leave things).

onionisafruit 15 hours ago|||

That sounds like a good idea. When I have a one-off need for misc files I tell it to put them in the project’s ./tmp because that’s already in my global gitignore. That generally works, but I still run into surprise files it leaves in source dirs like a puppy leaves turds on a rug. I’ll try adding that to my instructions instead of doing it one-off.

jermaustin1 15 hours ago|||

I've often found that LLMs don't listen to "Don't do" commands with anywhere near the same gusto as "Do" commands.

NitpickLawyer 14 hours ago||

People don't usually think about pink elephants, unless you ask them not to think about pink elephants :)

chrisss395 13 hours ago|||

I too use this solution, using both Ubunutu LXCs and full-fledged VMs. Only issue I've struggled with has been losing SSH connection on the LXC, and tmux and session both seem to mess up the terminal formatting in CC.

I do agree with the security / cautionary comments and wouldn't leverage this setup outside a hacked together homelab.

emilburzo 16 hours ago|||

This was also the direction I was initially headed, but then I realized I wanted one-VM-per-project so it can really do anything it wants on the complete VM. So the blast-from-the-past-Vagrant won because of the Vagrantfile + `vagrant up` easiness.

letmetweakit 16 hours ago||

I use Proxmox snapshots to get back to a clean state. I’ll take a look at Vagrant too though.

scalemaxx 16 hours ago||

In installed Gemini as an extension in VS Code and it kept wanting to index all my files. Still trying to figure out what it was doing outside of the VS Code folder I had set it to work on.

skybrian 16 hours ago||

I'm doing this with a remote VM on exe.dev and it's quite nice. Well, actually with their own coding agent but they have Claude Code preinstalled too.

Syncthing works well for getting a local copy of a directory from the VM.

frankc 16 hours ago||

I think this makes sense but I wonder if firecracker would work better than vagrant for this? I haven't used it before, though. I guess it might if you are trying to run gas town level orchestration.

raesene9 15 hours ago|

Firecracker can solve the kind of problems where you want more isolation than Docker provides, and it's pretty performant.

There's not a tonne of tooling for that use case now, although it's not too hard to put together I vibe-coded something that works for my use case fairly quickly (CC + Opus 4.5 seemed to understand what's needed)

tobyhinloopen 16 hours ago||

How about running Claude as a different user with very limited permissions?

gregoriol 16 hours ago||

This breaks the non-interactive mode the post want to achieve. Claude will not be able to install some things and will require user action, which is not desired here.

progval 16 hours ago||

Like what? It can already use npm/pip/etc. And if it needs a new APT package or config in /etc/ then you would want to know because you need to document it.

gregoriol 15 hours ago|||

If you make claude work with c/c++, it may need apt for libraries or build tools.

Even with npm/pip, these may not be available on a base linux box.

Even then, some complex projects may need other tools that are not part of a base system (command line tools, redis, ...).

tstrimple 7 hours ago|||

Claude Code on NixOS feels like it has super powers. Being able to spin up a nix-shell with needed dependencies on demand gives it access to all sorts of tools I don't have or want installed on my base system. My "book-recommendation" claude code uses sqlite to manage my reading history and to-read and maybe-read lists but I never installed tools for sqlite and they aren't present on my NixOS desktop. It just launches a nix-shell with sqlite anytime it needs to read/modify the database. As long as the database file is within the directory claude code was launched from, it doesn't need to prompt for permission. With the caching that NixOS does, it's fast enough to not even think about.

emilburzo 16 hours ago|||

I tried this approach for a while, but I really wanted it to be able to do anything (install system packages, build/run Docker containers, the works).

With these powers there's a lot less back-and-forth with me running commands, copying the output, pasting it to Claude, etc.

I'm sure you've had the case where you had to instruct someone to do something (e.g. playing tech support with family, helping another engineer, etc). While it helps the other person learn, it feels soooo slow vs just doing it yourself :) And since I don't have to teach the agent, I think this approach makes sense.

delaminator 16 hours ago||

I run it with sudo enabled - true story

just give it its own machine and let it check out any code

I PXE boot it from a known image when I feel the need

tobyhinloopen 16 hours ago|||

Running it remotely on a VM seems like a very sensible option. Just don't give it permission to nuke the remote repository hah (EG don't allow force-push, use protected branches, only allow write access to branches it created)

zh3 14 hours ago|||

Same solution here - keep a base diskless image on the server, copy it to the diskless area, pxeboot the machine. Works for Windows too (iscsi).

Could do the same thing on EC2 of course.

RobinL 16 hours ago||

Does anyone have direct experience with Claude making damaging mistakes in dangerously skip permissions mode? It'd be great to have a sense of what the real world risk is.

prodigycorp 15 hours ago||

Claude is very happy to wipe remote dbs, particularly if you're using something like supabase's mcp server. Sometimes it goes down rabbitholes and tries to clean itself up with `rm -rf`.

There is definitely a real world risk. You should browse the ai coding subreddits. The regularity of `rm -rf` disasters is, sadly, a great source of entertainment for me.

I once was playing around, having Claude Code (Agent A) control another instance of Claude Code (Agent B) within a tmux session using tmux's scripting. Within that session, I messed around with Agent B to make it output text that made Agent A think Agent B rm -rf'd entire codebase. It was such a stupid "prank", but seeing Agent A's frantic and worried reaction to Agent B's mistake was the loudest and only time I've laughed because of an LLM.

gregoriol 15 hours ago||

Why in the hell would it be able to access a _remote_ database?! In no acceptable dev environment would someone be able to access that.

heartbreak 15 hours ago|||

Everywhere I’ve ever worked, there was always some way to access a production system even if it required multiple approvals and short-lived credentials for something like AWS SSM. If the user has access, the agent has access, no matter how briefly.

gregoriol 14 hours ago||

Not if you require auth with a Yubikey, not if you run the LLM client inside a VM which doesn't have your private ssh key, ...

prodigycorp 15 hours ago||||

Supabase virtually encouraged it last year haha. I tried using it once and noped out after using it for an hour, when claude tried to do a bunch of migrations on prod instead of dev.

https://web.archive.org/web/20250622161053/https://supabase....

Now, there are some actual warnings. https://supabase.com/docs/guides/getting-started/mcp#securit...

kaydub 14 hours ago|||

I think LLMs are exposing how slapdash many people work when building software.

azuanrb 16 hours ago|||

One recent example. For some reason, recently Claude prefer to write scripts in root /tmp folder. I don't like this behavior at all. It's nothing destructive, but it should be out of scope by default. I notice they keep adding more safeguards which is great, eg asking for permissions, but it seems to be case by case.

giancarlostoro 15 hours ago||

If you're not using .claude/instructions.md yet, I highly recommend it, for moments like this one you can tell it where to shove scripts. Trickery with the instructions file is Claude only reads it during a new prompt, so any time you update it, or Claude "forgets" instructions, ask it to re-read it, usually does the trick for me.

mythical_39 14 hours ago||

Claude, I noticed you rm -rf my entire system. Your .instructions.md file specifically prohibits this. Please re-read your .instructions.md file and comply with it for all further work

giancarlostoro 14 hours ago||

IMHO a combination of trash CLI and a smarter shell program that prevents deleting critical paths would do it.

https://github.com/andreafrancia/trash-cli

coldtea 16 hours ago|||

At least one guy had their ~ rm -rf'ed.

https://old.reddit.com/r/ClaudeAI/comments/1pgxckk/claude_cl...

ra120271 16 hours ago|||

When approving actions "for this project" I actively monitor .claude\settings.local.json

"Bash(az resource:)",

is much more permissive than

"Bash(az resource show:)",

It mostly gets it right but I instantly fix the file with the "readonly" version when it gets it too open.

foreigner 11 hours ago|||

I caught Claude using docker (running as root) to access files on my machine it couldn't read using it's user.

kaydub 14 hours ago|||

It feels like most people are exposing how wild west their environments are.

MattGaiser 16 hours ago||

Claude has twice now thought that deleting the database is the right thing to do. It didn't matter as it was local and one created with fixtures in the Docker container (in anticipation of such a scenario), but it was an inappropriate way of handling Django migration issues.

messh 10 hours ago||

the shellbox VMs work great as sandbox for Claude-Code. It uses ssh to create and connect to the boxes -- very simple and quick to setup

check it out: https://shellbox.dev

csantini 15 hours ago|

Just create a new user and setup pip/npm to install locally.

And setup an .env for the project with user/password to access only a dev database.

More comments...