c0der

Understanding Claude Code Permissions and Sandbox Interactions


My adventure in understanding permissions and how they relate to sandboxing

I learned about sandboxing from my brother around the time of my obsession with privacy hardening using Apple Containers. It was nice to learn about the macOS Seatbelt system as another way of isolating programs and processes.

I enabled the sandbox, but it did not seem to reduce the number of times Claude Code asks for permission. One would think that giving the agent a sandbox means putting it in a box where it can act freely without bothering the host machine and its owner. I was completely wrong.

This week I set out to understand the Claude Code sandbox in depth, and especially how it interacts with and compares to Claude Code's existing permissions. My experiment is set out in alc0der/claude-code-permissions. Three things to keep in mind.

The TLDR

The sandbox is the last safety net and operates at the OS level. It is a way to define the outer boundaries for Claude Code. Permissions are therefore still needed as the primary way to guide the AI's conscience. This is clear in the diagram below, especially in the first two rows.

How Claude Code permissions and sandbox complement each other? (diagram of .claude/settings.json scenarios, by Ahmad Akilan)

[Diagram: four rows, listed here in order with their captions and outcomes; only the labels survive extraction.]

- "Read .env please": .env denied at the permissions layer. Outcome: Read(.env) not reached.
- "Run: python3 -c 'open(.env)'": OS sandbox catches what permissions miss. Outcome: Bash: python3 -c ... ✗ EACCES.
- "Run: python3 -c 'open(config.yml)'": sandbox backstops app-config.yaml (same slip, no name bias). Outcome: Bash: python3 -c ... ✗ EACCES.
- "List files under pii/": .sensitive/** listable, not readable. Outcome: Bash: ls pii/ ✓ names only.

Settings shown in the diagram: `"permissions": {"deny": [...]}` with `deny: - Read(.env)`, `deny: - Read(pii/**)`, `deny: - Read(config.yml)`; `"sandbox": {"denyRead": [...]}` with `denyRead: - "**/.env"`, `denyRead: - config.yml`; and `sandbox excludedCommands: - ls - tree`.
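To make the layering concrete, here is a small Python model of the two checks, added as an illustration rather than Claude Code's own code. The rule syntax (Read(...), denyRead, excludedCommands) follows the diagram above; the evaluation order, the glob semantics and the idea that the sandbox learns opened paths from the syscall rather than the command text are simplifying assumptions, and it adds one case the diagram lacks (cat on a file under pii/).

```python
# Added illustration, not Claude Code's own code: rule syntax follows the
# diagram; evaluation order and glob semantics are assumptions.
import fnmatch
import re
import shlex

PERMISSIONS_DENY = ["Read(.env)", "Read(pii/**)", "Read(config.yml)"]  # app layer
SANDBOX_DENY_READ = ["**/.env", "config.yml", "pii/**"]                # OS layer
SANDBOX_EXCLUDED_COMMANDS = ["ls", "tree"]  # these run outside the sandbox entirely

def glob_match(path: str, pattern: str) -> bool:
    """fnmatch, with a leading '**/' meaning 'at any depth, including the root'."""
    if pattern.startswith("**/") and fnmatch.fnmatch(path, pattern[3:]):
        return True
    return fnmatch.fnmatch(path, pattern)

def permission_blocks(tool: str, arg: str) -> bool:
    """Layer 1: Read(.env) sees only the tool name and its literal argument, so a
    Bash command that opens .env from inside python3 never matches it."""
    for rule in PERMISSIONS_DENY:
        m = re.fullmatch(r"(\w+)\((.*)\)", rule)
        if m and m.group(1) == tool and glob_match(arg, m.group(2)):
            return True
    return False

def sandbox_blocks(command: str, files_opened: list[str]) -> bool:
    """Layer 2: the OS sandbox sees the paths the process really opens, whatever
    the command text looked like. Excluded commands are not checked at all."""
    if shlex.split(command)[0] in SANDBOX_EXCLUDED_COMMANDS:
        return False
    return any(glob_match(f, p) for f in files_opened for p in SANDBOX_DENY_READ)

def evaluate(tool: str, arg: str, files_opened=()) -> str:
    """Walk one tool call through both layers and report which one stopped it."""
    if permission_blocks(tool, arg):
        return "denied by permissions"  # the request never reaches the OS
    if tool == "Bash" and sandbox_blocks(arg, list(files_opened)):
        return "EACCES from sandbox"    # the process ran, but open() failed
    return "allowed"

# Constructed scenarios: the diagram's rows plus 'cat' on a PII file. files_opened
# is what the process would open; a real sandbox learns that from the syscall.
SCENARIOS = [
    ("Read", ".env", []),
    ("Bash", "python3 -c 'open(\".env\")'", [".env"]),
    ("Bash", "python3 -c 'open(\"config.yml\")'", ["config.yml"]),
    ("Bash", "ls pii/", ["pii/"]),
    ("Bash", "cat pii/users.csv", ["pii/users.csv"]),
]

def run_all() -> dict[str, str]:
    """Map each scenario's argument to the layer that decided it."""
    return {arg: evaluate(tool, arg, opened) for tool, arg, opened in SCENARIOS}
```

Note that an excluded command runs with full host access, so the list should stay limited to commands that only list names.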

The Scenarios

The scenario that triggered me to write the repo and this post is file organization. I wanted the AI to sort some documents for me into a Johnny Decimal folder structure, but without looking at the files. Read permissions blocked both reading and listing; I was in a dilemma.

The other scenario: I always shout at the AI not to read .env or any other secret, knowing that this is not the right approach. I knew about permissions, but I realized early on that there are infinite ways the AI could decide to read a sensitive file if it wants to.

The Need

One would think that you could simply ask Claude Code to do it, but one would be surprised to learn that Claude Code's own understanding of how permissions and the sandbox interact is limited. It made a couple of false claims while running the experiment.

Another aspect: there should be outer borders beyond which coding agents should not be used, or only used with scrutiny.

The Experiment

I will not delve into the details of the code and the settings file, as these can easily be generated and re-generated. What matters is the thought process.

Claude Code was put in a loop to write the scenarios one by one and try out different approaches. On a few occasions it made attempts expecting them to succeed or fail, only to be proved otherwise. For example, the use of excludedCommands did not occur to the agent on its own.


Tags: Claude Code, Security