| ▲ | AnotherGoodName 12 hours ago |
| Add this to .claude/settings.json: {
"sandbox": {
"enabled": true,
"filesystem": {
"allowRead": ["."],
"denyRead": ["~/"],
"allowWrite": ["."],
"denyWrite": ["/"]
}
}
}
You can change the read part if you're ok with it reading outside. This feature was only added 10 days ago fwiw but it's great and pretty much this. |
|
| ▲ | mazieres 10 hours ago | parent | next [-] |
| I've seen claude get confused about what directory it's in. And of course I've seen claude run rm -rf *. Fortunately not both at the same time for me, but not hard to imagine. The claude sandbox is a good idea, but to be effective it would need to be implemented at a very low level and enforced on all programs that claude launches. Also, claude itself is an enormous program that is mostly developed by AI. So to have a small <3000-line human-implemented program as another layer of defense offers meaningful additional protection. |
| |
| ▲ | giancarlostoro 9 hours ago | parent | next [-] | | In my opinion Claude should be shipped by a custom implementation of "rm" that Anthropic can add guardrails to. Same with "find" surprised they don't just embed ripgrep (what VS Code does). It's really surprising they don't just tweak what Claude uses and lock it down to where it cannot be harmful. Ensure it only ever calls tooling Claude Code provides. | | |
| ▲ | nananana9 2 hours ago | parent | next [-] | | Oh, rm failed, since we're running in a weird environment! Let me retry with `bash -c "/usr/bin/rm -rf *"`! | |
| ▲ | throwaway2027 5 hours ago | parent | prev | next [-] | | All of which is useless when it just starts using big blocks of python instead. You need filesystem sandboxing for the python interpreter too. | | |
| ▲ | ethanwillis 5 hours ago | parent [-] | | What we need is a capabilities based security system. It could write all the python, asm, whatever it wants and it wouldn't matter at all if it was never given a reference to use something it shouldn't. | | |
| ▲ | mcv 5 hours ago | parent | next [-] | | Isn't this already possible? Give it its own user account with write access to the project directory and either read access or no access outside it. | | |
| ▲ | 100721 2 hours ago | parent [-] | | I have been putting my agents on their own, restricted OS-level user accounts for a while. It works really well for everything I do. Admittedly, there’s a little more friction and agent confusion sometimes with this setup, but it’s worth the benefit of having zero worries about permissions and security. | | |
| ▲ | jmogly an hour ago | parent [-] | | Haha, you can already see wheel reinventors in this thread starting to spin their reinvention wheels. Nice stuff, I run my agents in containers. |
|
| |
| ▲ | rienbdj 32 minutes ago | parent | prev [-] | | Docker is enough in practice no? |
|
| |
| ▲ | lxgr 3 hours ago | parent | prev | next [-] | | > a custom implementation of "rm" that Anthropic can add guardrails to Wrong layer. You want the deletion to actually be impossible from a privilege perspective, not be made practically harder to the entity that shouldn't delete something. Claude definitely knows how to reimplement `rm`. | |
| ▲ | torginus an hour ago | parent | prev | next [-] | | Why cant you ship with OverlayFS which actually enforces these restrictions? I have seen the AI break out of (my admittedly flimsy) guards, like doing simply safepath/../../stuff or something even more convoluted like symlinks. | |
| ▲ | eru 7 hours ago | parent | prev | next [-] | | > It's really surprising they don't just tweak what Claude uses and lock it down to where it cannot be harmful. Ensure it only ever calls tooling Claude Code provides. That would make it far less useful in general. | | |
| ▲ | KronisLV 5 hours ago | parent [-] | | Maybe Anthropic (or some collection of the large AI orgs, like OpenAI and Anthropic and Google coming together) should apply patches on top of (or fork altogether) the coreutils and whatever you normally get in a userland - a bit like what you get in Git Bash on Windows, just with: 1) more guardrails in place 2) maybe more useful error messages that would help LLMs 3) no friction with needing to get any patches upstreamed External tool calling should still be an option ofc, but having utilities that are usable just like what's in the training data, but with more security guarantees and more useful output that makes what's going on immediately obvious would be great. | | |
| ▲ | eru 5 hours ago | parent [-] | | So for me, it's really, really useful for Claude to be able to send Slack messages and emails or make pull requests. But that's also the most damaging actions it could take. Everything on my computer is backed up, but if Claude insults my boss, that would be worse. | | |
| ▲ | KronisLV 2 hours ago | parent [-] | | > So for me, it's really, really useful for Claude to be able to send Slack messages and emails or make pull requests. Oh, I'm totally not arguing for cutting off other capabilities, I like tool use and find it to be as useful as the next person! Just that the shell tools that will see A LOT of usage have additional guardrails added on top of them, because it's inevitable that sooner or later any given LLM will screw up and pipe the wrong thing in the wrong command - since you already hear horror stories about devs whose entire machines get wiped. Not everyone has proper backups (even though they totally should)! |
|
|
| |
| ▲ | walthamstow 6 hours ago | parent | prev | next [-] | | Claude has told me that its Grep tool does use rg under the hood, but I constantly find it using the Bash tool with grep | |
| ▲ | oefrha 8 hours ago | parent | prev | next [-] | | You can define your own rm shell alias/function and it will use that. I also have cp/mv aliases that forces -i to avoid accidental clobbering and it confuses Claude to no end (it uses cp/mv rare enough—rarer than it should, really—that I don’t bother wasting memory tokens on it). | | |
| ▲ | d1sxeyes 7 hours ago | parent [-] | | I did this, Claude detected it and decided to run /bin/rm directly. | | |
| ▲ | cogogo 3 hours ago | parent | next [-] | | This is terrifying. I have not used agents because I do not have a sandbox machine I do not care about. Am I crazy to worry about a sandboxed agent running on my home network? Anyone experienced anything weird by doing that? | | |
| ▲ | oefrha 3 hours ago | parent [-] | | Don’t dangerously skip permissions and actually read commands when you get prompted and you’re fine. | | |
| ▲ | d1sxeyes 3 hours ago | parent [-] | | Yeah, I actually have both an alias for `rm` and a custom seatbelt sandbox which means the agent can only delete stuff within the directory it’s working in, so wasn’t an issue, was just fun to watch it say “hm, that doesn’t seem to work. Looks like the user has aliased rm. I’ll just go ahead and work around it” |
|
| |
| ▲ | cestivan 7 hours ago | parent | prev [-] | | [dead] |
|
| |
| ▲ | troupo 5 hours ago | parent | prev [-] | | > Claude should be shipped by a custom implementation of And when that fails for some reason it will happily write and execute a Python script bypassing all those custom tools |
| |
| ▲ | mroche 4 hours ago | parent | prev | next [-] | | > The claude sandbox is a good idea, but to be effective it would need to be implemented at a very low level and enforced on all programs that claude launches. I feel like an integration with bubblewrap, the sandboxing tech behind Flatpak, could be useful here. Have all executed commands wrapped with a BW context to prevent and constrain access. https://github.com/containers/bubblewrap | | |
| ▲ | r4indeer 4 hours ago | parent [-] | | Bubblewrap is exactly what the Claude sandbox uses. > These restrictions are enforced at the OS level (Seatbelt on macOS, bubblewrap on Linux), so they apply to all subprocess commands, including tools like kubectl, terraform, and npm, not just Claude’s file tools. https://code.claude.com/docs/en/sandboxing | | |
| |
| ▲ | PaulDavisThe1st 10 hours ago | parent | prev | next [-] | | On Linux, chroot(2) is hard to escape and would apply to all child processes without modification. | | |
| ▲ | safety1st 6 hours ago | parent | next [-] | | We anthropomorphize these agents in every other way. Why aren't we using plain ol' unix user accounts to sandbox them? They look a lot like daemons to me, they're a program that you want hanging around ready to respond, and maybe act autonomously through cron jobs are similar. You want to assign any number of permissions to them, you don't want them to have access to root or necessarily any of your personal files. It seems like the permissions model broadly aligns with how we already handle a lot of server software (and potentially malicious people) on unix-based OSes. It is a battle-tested approach that the agent is unlikely to be able to "hack" its way out of. I mean we're not really seeing them go out onto the Internet and research new Linux CVEs. Have them clone their own repos in their own home directory too, and let them party. Openclaw almost gets there! It exposes a "gateway" which sure looks like a daemon to me. But then for some reason they want it to live under your user account with all your privileges and in a subfolder of your $HOME. | | |
| ▲ | lxgr 3 hours ago | parent | next [-] | | > for some reason they want it to live under your user account The entire idea of Openclaw (i.e., the core point of what distinguishes it from agents like Claude Code) is to give it access to your personal data, so it can act as your assistant. If you only need a coding agent, Openclaw is the completely wrong tool. (As a side note, after using it for a few weeks, I'm not convinced it's the right tool for anything, but that's a different story.) | |
| ▲ | jon-wood 5 hours ago | parent | prev | next [-] | | Oh that’s an idea. I was going to argue that it’s a problem that you might want multiple instances in different contexts but sandboxing processes (possibly instanced) is exactly what systemd units are designed to deal with. | |
| ▲ | search_facility 6 hours ago | parent | prev [-] | | Exactly! |
| |
| ▲ | shakna 10 hours ago | parent | prev [-] | | chroot is not a security sandbox. It is not a jail. Escaping it is something that does not take too much effort. If you have ptrace, you can escape without privileges. | | |
| ▲ | brianush1 10 hours ago | parent [-] | | claude is stupid but not malicious; chroot is sufficient | | |
| ▲ | furyofantares 9 hours ago | parent | next [-] | | I've many times seen Claude try to execute a command that it's not supposed to, the harness prevents it, and then it writes and executes a python script to do it. | | | |
| ▲ | nofriend 10 hours ago | parent | prev | next [-] | | Malice is not required. If it thinks it is in the right, then it will do whatever it takes to get around limitations. | |
| ▲ | lxgr 3 hours ago | parent | prev | next [-] | | Until it gets prompt injected. Are you reading every single file your agent reads as part of the tasks you give it, including content fetched from the web or third-party packages? | |
| ▲ | karhagba 10 hours ago | parent | prev [-] | | Claude is far from stupid from my experience.
I've used so many models and Claude is king. |
|
|
| |
| ▲ | esperent 10 hours ago | parent | prev | next [-] | | I added a hook to disable rm, find - delete, and a few of the other more obvious destructive ops. It sends Claude a strongly worded message: "STOP IMMEDIATELY. DO NOT TRY TO FIND WORKAROUNDS...". It works well. Git rm is still allowed. | | |
| ▲ | Diti 8 hours ago | parent | next [-] | | I added something similar. Claude eventually ran a `rm -rf *´ on my own project. When I asked why it did that, it recognized it messed up and offered a very bad “apology”: “the irony of not following your safety instructions isn’t lost on me”. Nowadays I only run Claude in Plan mode, so it doesn’t ask me for permissions any more. | |
| ▲ | lxgr 3 hours ago | parent | prev [-] | | It works well so far, for you. Are you confident it would still work against sophisticated prompt injection attacks that override your "strongly worded message"? Strongly worded signs can be great for safety (actual mechanisms preventing undesirable actions from being taken are still much better), but are essentially meaningless for security. | | |
| ▲ | esperent 2 hours ago | parent [-] | | I mean, that's like saying are you sure that your antivirus would prevent every possible virus? Are you sure that you haven't made some mistake in your dev box setup that would allow a hacker to compromise it? What if a thief broke i to your house and stole your laptop? That's happened to me before, much more annoying to recover from that an accidental rm rf. I do my best to keep off site back ups and don't worry about what I can't control. | | |
| ▲ | lxgr an hour ago | parent [-] | | > I mean, that's like saying are you sure that your antivirus would prevent every possible virus? Yes, I'm saying it's pretty much as bad as antivirus software. > Are you sure that you haven't made some mistake in your dev box setup that would allow a hacker to compromise it? Different category of error: Heuristically derived deterministic protection vs. protection based on a stochastic process. > much more annoying to recover from that an accidental rm rf. My point is that it's a different category, not that one is on average worse than the other. You don't want your security to just stand against the median attacker. |
|
|
| |
| ▲ | thehours 6 hours ago | parent | prev | next [-] | | I added this to `~/.claude/settings.json`: "env": { "CLAUDE_BASH_MAINTAIN_PROJECT_WORKING_DIR": "1"
}, > Working directory persists across commands. Set CLAUDE_BASH_MAINTAIN_PROJECT_WORKING_DIR=1 to reset to the project directory after each command. It reduces one problem - getting lost - but it trades it off for more complex commands on average since it has to specify the full path and/or `cd &&` most of the time. [0] https://code.claude.com/docs/en/tools-reference#bash-tool-be... | |
| ▲ | digikata 3 hours ago | parent | prev | next [-] | | One could run a docker container with claude code, with a bind to the project directory. I do that but also run my docker daemon/container in a Linux VM. | |
| ▲ | martenlienen 7 hours ago | parent | prev | next [-] | | That is exactly what it is. In the docs, it says that they use bubblewrap to run commands in a container that enforces file and network access at the system level. | |
| ▲ | marsven_422 8 hours ago | parent | prev | next [-] | | [dead] | |
| ▲ | 3yr-i-frew-up 4 hours ago | parent | prev [-] | | [dead] |
|
|
| ▲ | RALaBarge 10 minutes ago | parent | prev | next [-] |
| You do also have to worry about exec and other neat ways to probably get around stuff. You could also spin up YAD (yet another docker) and run Claude in there with your git cloned into it and beyond some state-level-actor escapes it should cover 99% of your most basic failures. |
|
| ▲ | harikb 12 hours ago | parent | prev | next [-] |
| I think the point would be that - some random upcoming revision of claude-code could remove or simply change the config name just as silently as it was introduced. People might genuinely want some other software to do the sandboxing. Something other than the fox. |
|
| ▲ | varl 5 hours ago | parent | prev | next [-] |
| I've had issues with the sandbox feature, both on linux (archlinux) and two macos machines (tahoe). There is an open issue[1] on the claude-code issue tracker for it. I'm not saying it is broken for everyone, but please do verify it does work before trusting it, by instructing Claude to attempt to read from somewhere it shouldn't be allowed to. From my side, I confirmed both bubblewrap and seatbelt to work independently, but through claude-code they don't even though claude-code reports them to be active when debugging. [1] https://github.com/anthropics/claude-code/issues/32226 |
| |
|
| ▲ | mazieres 9 hours ago | parent | prev | next [-] |
| Also, a lot of people use multiple harnesses. I'm often switching between claude, codex, and opencode. It's kind of nice to have the sandbox policy independent of the actual AI assistant you are running. |
|
| ▲ | cozzyd 12 hours ago | parent | prev | next [-] |
| Is this a real sandbox or just a pretty please? |
| |
| ▲ | AnotherGoodName 12 hours ago | parent | next [-] | | https://code.claude.com/docs/en/sandboxing says they integrated bubblewrap (linux/windows), seatbelt (macos) and give an error if sandbox can't be supported so appears to be real. | | | |
| ▲ | enduser 11 hours ago | parent | prev | next [-] | | By default it will automatically retry many tool calls that fail due to the sandbox with the sandbox disabled. In other words it can and will leave the sandbox. For example: Bash(swift build 2>&1 | tail -20) ⎿ warning:
/Users/enduser/Library/org.swift.swiftpm/configuration is not accessible or not writable, disabling user-level cache
features. warning: /Users/enduser/Library/org.swift.swiftpm/security is not accessible or not writable, disabling user-level cache feat
… +26 lines (ctrl+o to expand)
Build hit sandbox restriction. Retrying outside sandbox.Bash(swift build 2>&1 | tail -20) ⎿ [35/52] Compiling MCP Resources.swift
[36/52] Emitting module MCP
[37/52] Compiling MCP Client.swift
… +17 lines (ctrl+o to expand)
⎿ (timeout 3m)
| | |
| ▲ | fc417fc802 9 hours ago | parent [-] | | What is even the point in that case? The behavior you describe is no better than if SELinux were to automatically re-execute a process with containment disabled. | | |
| ▲ | erinnh 8 hours ago | parent | next [-] | | Looking at the settings, its an option: Configure Overrides:
1. Allow unsandboxed fallback
2. Strict sandbox mode (current)
Allow unsandboxed fallback: When a command fails due to sandbox restrictions, Claude can retry with dangerouslyDisableSandbox to run outside the sandbox (falling back to
default permissions).
Strict sandbox mode: All bash commands invoked by the model must run in the sandbox unless they are explicitly listed in excludedCommands.
| |
| ▲ | ihattendorf 9 hours ago | parent | prev [-] | | The purpose of the sandbox is to reduce permission fatigue. If it fails to run a command in the sandbox and retries it outside the sandbox, the regular permission rules apply. You'll still be prompted for any non-sandboxed tool calls that you haven't allowed or denied via permission rules. |
|
| |
| ▲ | ray_v 11 hours ago | parent | prev [-] | | It seems like it's controlled by the Bash tool (https://code.claude.com/docs/en/sandboxing) and then bubblewrap (https://github.com/containers/bubblewrap) on linux and Seatbelt on mac at the system level |
|
|
| ▲ | Tepix 36 minutes ago | parent | prev | next [-] |
| Cool. Does opencode.ai have such a feature also (sandboxing with bubblewrap)? |
|
| ▲ | 8cvor6j844qw_d6 12 hours ago | parent | prev | next [-] |
| Interesting, thanks. I use remote ephemeral dev containers with isolated envs, so filesystem damage isn't really a concern as long as the PR looks good in review. Nice extra guardrail though, will add it to the project-level settings. |
| |
| ▲ | overfeed 9 hours ago | parent [-] | | i use local dev containers: the worst an agent can do is delete its working copy; no access to my home directory, access tokens or sudo. |
|
|
| ▲ | reader_1000 3 hours ago | parent | prev | next [-] |
| For some reason, this made everything worse for me. Now claude constantly tries to access my home folder instead of current directory. Obviously this is not still good enough. Also Claude keeps dismissing my instructions on not to read my home directory and use current directory. Weird. |
| |
| ▲ | cyanydeez 2 hours ago | parent [-] | | The problem with all these LLM instructed security features is the `codeword` poison probability. The way LLMs process instructions isn't intelligence as we humans know it, but as the probability that an instruction will lead to an output. When you don't mention $HOME in the context, the probability that it will do anything with $HOME remains low. However, if you mention it in the context, the probability suddenly increases. No amount of additional context will have the same probability of never having poisoned the context by mentioning it. Mentioning $HOME brings in a complete change in probabilities. These coding harnesses aren't enough to secure a safe operating environment because they inject poison context that _NO_ amount of textual context can rewire. You just lost the game. |
|
|
| ▲ | bit_logic 4 hours ago | parent | prev | next [-] |
| The default: https://code.claude.com/docs/en/sandboxing#filesystem-isolat... already restricts writes to only the current folder. I can understand adding the "denyRead" for the home folder for additional security, but the other three seems redundant considering the default behavior. |
|
| ▲ | orf 3 hours ago | parent | prev | next [-] |
| FYI, this doesn’t always work as expected. Try asking Claude to read “~/.ssh/config” with these settings and it will happily do it. Specifically, it only works for spawned processes and not builtin tools. |
|
| ▲ | gmerc 7 hours ago | parent | prev | next [-] |
| It’s cute because Claude has discretion to disable its own sandbox and does it |
| |
| ▲ | js2 7 hours ago | parent [-] | | > You can disable this escape hatch by setting "allowUnsandboxedCommands": false in your sandbox settings. When disabled, the dangerouslyDisableSandbox parameter is completely ignored and all commands must run sandboxed or be explicitly listed in excludedCommands. https://code.claude.com/docs/en/sandboxing (I have no idea why that isn't the default because otherwise the sandbox is nearly pointless and gives a false sense of security. In any case, I prefer to start Claude in a sandbox already than trust its implementation.) |
|
|
| ▲ | carderne 7 hours ago | parent | prev | next [-] |
| I’m surprised it works for you with such a simple config? I’m the one that added the allowRead option to Claude’s underlying sandbox [0] and had quite a job getting my toolchains and skills to work with it [1]. [0] Fun to see the confusing docs I wrote show up more or less verbatim on Claude’s docs. [1] My config is here, may be useful to someone: https://github.com/carderne/pi-sandbox/blob/main/sandbox.jso... |
|
| ▲ | Abishek_Muthian 6 hours ago | parent | prev | next [-] |
| It's common practice to ask the agent to refer to another project, in that case I guess the read should point to the root folder of the projects. Also, any details on how is this enforced? because I notice that the claude in Windows don't respect plan mode always; It has edited files in plan mode; I never faced that issue in Linux though. |
|
| ▲ | yu3zhou4 8 hours ago | parent | prev | next [-] |
| So in some sense we start recreating an operating system, or at least the userspace, within the Claude code. There was some name for this pattern but I can’t recall |
| |
|
| ▲ | mentalgear 4 hours ago | parent | prev | next [-] |
| I'm now considering installing QubesOS for all dev work to absolutely ensure all coding agents run in secure separate sandboxes together without any OS level exposure. |
| |
|
| ▲ | nurettin 10 hours ago | parent | prev | next [-] |
| It will just do ssh you@localhost "rm -rf ~"
|
| |
|
| ▲ | globular-toast 6 hours ago | parent | prev | next [-] |
| And you'd trust that given CC is a vibe-coded mess? Editing to go even further because, I gotta say, this is a low point for HN. Here's a post with a real security tool and the top comment is basically "nah, just trust the software to sandbox itself". I feel like IQ has taken a complete nosedive in the past year or so. I guess people are already forgetting how to think? Really sad to see. |
| |
|
| ▲ | tasn 10 hours ago | parent | prev | next [-] |
| I use bbwrap to sandbox Claude. Works very well and gives me a lot of control and certainty around the sandbox. |
|
| ▲ | andai 9 hours ago | parent | prev | next [-] |
| Does this also apply to the commands or programs that it runs? e.g. if it writes a script or program with a bug which affects other files, will this prevent it from deleting or overwriting them? What about if the user runs a program the agent wrote? |
|
| ▲ | weinzierl 7 hours ago | parent | prev | next [-] |
| Is this a hard sandbox (enforced outside the LLM)? |
|
| ▲ | mycall 12 hours ago | parent | prev | next [-] |
| I noticed codex has a sandbox, wondering if it has a comparable config section. |
| |
| ▲ | tofflos 3 hours ago | parent [-] | | Codex uses and ships with bubblewrap on Linux and will attempt to use the version installed on the path before falling back to the shipped version with a warning message. You should be able to configure the sandbox using https://developers.openai.com/codex/agent-approvals-security if you are a person who prefers the convenience of codex being able to open the sandbox over an externally enforced sandbox like jai. |
|
|
| ▲ | croes 7 hours ago | parent | prev | next [-] |
| Is that hard setting or does it depend on claude’s interpretation? The latter could end like this
https://news.ycombinator.com/item?id=47357042 |
|
| ▲ | what 10 hours ago | parent | prev | next [-] |
| lol if you think Claude is smart enough to block sneaky path strings based on your config. |
|
| ▲ | dealfinder994 6 hours ago | parent | prev [-] |
| [dead] |
