运行克劳德代码（危险地，但安全地）

运行克劳德代码（危险地，但安全地）
Running Claude Code dangerously (safely)

原始链接: https://blog.emilburzo.com/2026/01/running-claude-code-dangerously-safely/

## 使用 Vagrant 沙箱 Claude 代码作者希望使用 Claude 代码的 `--dangerously-skip-permissions` 标志（允许其在无需确认的情况下执行命令），但担心潜在的文件系统损坏。直接执行或 Docker-in-Docker 解决方案被证明存在问题，要么牺牲隔离性，要么引入复杂性。他们重新审视了 Vagrant，这是一种用于创建可重现虚拟机环境的工具。它提供了完全的 VM 隔离、轻松重建以及共享文件夹，从而提供近乎本地的开发体验——避免了 Docker-in-Docker 的陷阱。然而，最初的 VirtualBox CPU 错误（现已解决）导致 CPU 使用率过高。修复此问题后，该设置被证明是有效的：一个安装了 Docker、Node.js 和 Claude 代码的 Ubuntu 24.04 VM。这允许 Claude 代码在 *VM 内部* 自由安装软件包、修改配置和运行容器，而不会危及宿主机系统。作者在 VM 内部授予 Claude sudo 权限，信任它“直接执行”。该设置可以防止意外损坏，但不能阻止有意的恶意活动或通过网络访问进行的数据泄露。最终，它提供了一种以最小的摩擦力利用 Claude 代码的力量，同时降低风险的方法，并依赖 git 进行版本控制和轻松重置 VM。

## 安全运行 Claude 代码：摘要最近 Hacker News 上出现了一场关于安全使用“危险宽松”的 Claude 代码 AI 的讨论。多位用户报告称，他们成功地在专用隔离环境中运行 Claude，以便为编码任务提供不受限制的访问权限。流行的做法包括在 Proxmox 虚拟机中运行 Claude，利用 Shellbox.dev 和 exe.dev 等服务（它们提供具有简单回滚功能的沙盒机器），以及利用 Vagrant 实现简单的每项目一个虚拟机设置。一个关键策略是为 Claude 提供一个专门的目录用于所有工作，从而最大限度地降低不必要的系统范围更改的风险。用户强调完全系统访问的好处——允许 Claude 安装软件包和运行容器而无需持续的用户干预——与限制权限相比。虽然有些人建议以有限用户身份运行 Claude，但另一些人则优先在受控环境中授予更广泛的访问权限。像 Syncthing 这样的同步工具以及谨慎使用同步文件夹（并使用 Git 等版本控制）也被推荐用于管理代码和维护安全的工作流程。

原文

I’ve been using Claude Code more and more recently. At some point I realized that rather than do something else until it finishes, I would constantly check on it to see if it was asking for yet another permission, which felt like it was missing the point of having an agent do stuff. So I wanted to use Claude Code with the --dangerously-skip-permissions flag.

If you haven’t used it, this flag does exactly what it says: it lets Claude Code do whatever it wants without asking permission first. No more “May I install this package?”, “Should I modify this config?”, “Can I delete these files?”

It just… does it.

Which is great for flow since I don’t have to worry that it stopped doing stuff just to ask a permission question.

But also, you know, dangerous.

I like my filesystem intact, so the obvious solution is to not run this thing directly on my OS account.

Docker

First instinct: throw it in a Docker container. Containers are for isolation, right?

Except I want Claude to be able to build Docker images. And run containers. And maybe orchestrate some stuff.

So now you need Docker-in-Docker, which means --privileged mode, which defeats the entire purpose of sandboxing. That means trading “Claude might mess up my filesystem” for “Claude has root-level access to my container runtime.”

Not great.

There’s also the nested networking weirdness, volume mounting permissions that make you question your life choices, and the general feeling that you’re fighting the tool instead of using it.

Other options

I also briefly considered:

#yolo run it bare metal: no, no and no
sandbox-runtime: more of an ACL approach, I want Claude to be able to do anything, because it doesn’t have access to anything except the code
firejail or similar: same problem as Docker-in-Docker
manual VM setup: works but tedious, not reproducible
cloud VM: costs money, has latency, need to upload my code somewhere

Then I remembered about a project that I’ve used before Docker became all the rage: Vagrant.

If you weren’t around back then, Vagrant gives you proper VM isolation with a reproducible config file. It’s basically infrastructure as code for your local dev environment.

You get:

full VM isolation (no shared kernel)
easy to nuke and rebuild
shared folders that make it feel local enough
no Docker-in-Docker nonsense

I hadn’t used VirtualBox in years since Docker containers covered all requirements until now, so I grabbed the latest version (7.2.4) and got started.

First vagrant up and… the VM is pegging my CPU at 100%+ while completely idle.

I spent an hour turning off various VM features, tweaking settings, ~~googling~~ asking LLMs random combinations of “virtualbox high cpu idle”, you know, the usual.

Eventually I found this GitHub issue. VirtualBox 7.2.4 shipped with a regression that causes high CPU usage on idle guests. What are the odds.

Vagrantfile

Here’s what my simple Vagrantfile looks like:

vm_name = File.basename(Dir.getwd)

Vagrant.configure("2") do |config|
  config.vm.box = "bento/ubuntu-24.04"

  #config.vm.network "forwarded_port", guest: 3000, host: 3000, auto_correct: true
  config.vm.synced_folder ".", "/agent-workspace", type: "virtualbox"

  config.vm.provider "virtualbox" do |vb|
    vb.memory = "4096"
    vb.cpus = 2
    vb.gui = false
    vb.name = vm_name
    vb.customize ["modifyvm", :id, "--audio", "none"]
    vb.customize ["modifyvm", :id, "--usb", "off"]
  end
  
  config.vm.provision "shell", inline: <<-SHELL
    export DEBIAN_FRONTEND=noninteractive

    apt-get update
    apt-get install -y docker.io nodejs npm git unzip
    npm install -g @anthropic-ai/claude-code --no-audit

    usermod -aG docker vagrant
    chown -R vagrant:vagrant /agent-workspace

  SHELL
end

Now I just run:

cd ~/my-project
vagrant up
vagrant ssh
claude-code --dangerously-skip-permissions
# tell Claude what you want and let it run wild with no babysitting

First boot takes a few minutes to provision everything, and you need to sign in to Claude once for each project, but after that, vagrant up is quite fast.

Then, when you are done for the day:

So, what can Claude do with these newfound powers?

Since it’s running in a VM, I also gave it sudo access and instructed it that it has the power to do anything: install system packages, modify configs, create files, run Docker containers, whatever.

It has:

manually started a webapp API and inspected it with curl requests
installed a browser and manually inspected the app, then built end-to-end tests based on that
setup a postgres database, ran test sql, tested that db migrations work, etc
built and ran Docker images

All things I’d be nervous about on my host machine, especially with the “just do it” flag enabled.

And now I feel Claude is much more effective since it has the extra context, it’s not relying on me to run the command, return the output or error message, and then iterate. It just does it by itself.

Claude Code isn’t exactly a resource hog, and the VM has plenty of headroom. The shared folder sync works fine, no lag or weirdness when files change. This is under Linux with VirtualBox, YMMV for other platforms.

What you’re protecting against:

accidental filesystem damage
aggressive package installations
configuration changes you didn’t catch
general “oops I didn’t mean Claude to do that”

What you’re NOT protecting against:

deleting the actual project, since the file sync is two-way
a malicious AI trying to escape the VM (VM escape vulnerabilities exist, but they’re rare and require deliberate exploitation)
network-level attacks/oopsies from the VM
data exfiltration: the VM still has internet access, but besides the code there shouldn’t really be any data to exfiltrate

Threat model: I don’t trust myself to always catch what the agent is doing when I’m in the zone and just want stuff to work. This setup is about preventing accidents, not sophisticated attacks.

Since all my projects are in git I don’t care if it messes something up in the project. Plus you get the benefit of being able to use your regular git tooling/flows/whatever, without having to add credentials to the VM.

But if you need something stricter, config.vm.synced_folder also supports type: "rsync", one-time one-way sync from the machine running to the machine being started by Vagrant, but then it’s on you to sync it back or whatever is needed.

This took a bit to get right, mostly because of the VirtualBox CPU bug. But now it’s frictionless. I can let Claude Code do whatever it wants without fear, and if something goes sideways, I just nuke the VM and start fresh.

The Vagrantfile is short and reproducible. Drop it in any project directory, vagrant up, and you’re sandboxed.

If you’re using Claude Code with the dangerous flag, I’d recommend something like this. Even if you’re careful about what you approve, it only takes one moment to mess things up.