alt Hacker NewsMainly: true sandbox separation. I don't want the model having full access to my machine. With a dump format that Claude understands, I'm able to pass only the files I want Claude to see, and he can't break any of them. I don't care about setting up access lists and so on. I don't trust that the cli product will be properly sanboxed and it's quite clear their software offerings are largely aigen code, and I catch bugs from Claude every day. I also get useful stuff, so it's worth it, but definitely not worth it, imo, to grant it any access to my machine.
Replies
The cli works on regular sandboxes just fine (podman, docker, bwrap, etc).
Sandboxing a GUI is typically more operational overhead than sandboxing a cli (mounting compositor sockets, GPU access, etc).
I've been using jai [1] for sandboxing on linux (although I use opencode and local models and not claude code) and I'm pretty satisfied with it. It comes in three different modes [2]: casual mode, strict mode, and bare mode. Here's some descriptions of each mode:
Casual mode [3]: > Your home directory is mounted as a copy-on-write overlay. The jailed process sees your real files, but writes go to $HOME/.jai/default.changes instead of modifying originals, except in the directory where you ran jai. Your current working directory grants full read/write access to code in the jail (unless suppressed with -D). So files deleted there are really gone. /tmp and /var/tmp are private. The rest of the filesystem is read-only.
Strict mode [4]: > The process runs as the unprivileged jai system user, not as you. Home directory is an empty private directory at $HOME/.jai/<name>.home. Granted directories (via -d or cwd) are exposed with id-mapped mounts — files look like they are owned by jai inside the jail. Because the process has a different UID, it cannot read files outside your home directory that are only accessible to your user — this is where confidentiality comes from.
Bare mode [5]: > Home directory is an empty private directory, like strict mode. But the process runs as your user, not as jai. This means it cannot provide confidentiality — the process can still read any file accessible to your UID outside the home directory.
I've always ran my stuff in casual so far just so my whole computer doesn't get rimraffed :P. but I'm thinking of switching to just strict mode, but haven't really vibe coded in a while so I haven't tried it yet.
[1]: https://jai.scs.stanford.edu/
[2]: https://jai.scs.stanford.edu/modes.html
[3]: https://jai.scs.stanford.edu/modes.html#casual-mode
If you don’t trust the CLI version to be properly sandbox d, why would the desktop one be?
I made myself a very simple one from the start when I realized it can access everything on my computer https://git.jeena.net/jeena/agent-container my goal was that it would work transparently and the paths and user, etc. would be just the same as on the host but inside of a docker container.
does claude desktop actually solve this issue? I’m on mac and use docker sbx to solve this https://docs.docker.com/ai/sandboxes/get-started/
On Linux you have bubblewrap!
There are a number of utilities for this. I use jai: https://jai.scs.stanford.edu/ but also have seen nono: https://github.com/always-further/nono smolvm: https://github.com/smol-machines/smolvm zerobox https://github.com/afshinm/zerobox and matchlock https://github.com/jingkaihe/matchlock
They all have pros and cons. Pick the one that suits you best. Then you're also agent harness flexible (I use opencode).