tl;dr : I didn’t find any project doing this, so I’ve created my own: https://github.com/touilleMan/agent-as-unix-user (this is not some vibecoded slope, look at my Github account if you want some street cred 😛) full version UNIX has been designed from the ground up to allow multiple users to securely share a single machine (remember the time when a terminal was a physical thing that multiple users used to connect to a single mainframe? Yeah, me neither). More recently, Android uses a similar technique to isolate applications by having a dedicated user for each one of them. So why not do the same for agentic coding? Enter agent-as-unix-user , a simple wrapper around standard UNIX commands to easily: Creates a dedicated UNIX user Give access to certain folders in read-only or read&write mode Undo all of this if needed ;-) Run claude --dangerously-skip-permissions a command as the UNIX user ;-p Of course, this solution has tradeoffs, but it offers a surprisingly high bang for the buck: Pros: Unlike containers and VMs, there’s no need to eat gigabytes of disk or deal with manual start/stop. Strong isolation: you can run your agent in full yolo mode knowing it can only break its own home directory. Simple to understand: this CLI only wraps standard shell commands, and print them before execution so you understand exactly what is going on. Simple to reason about: the agent can only modify its home and cannot read your home. From there you can easily give it access (in read-only or read-write) to some specific folders in your home. Can be extended using the regular UNIX ecosystem. Cons: Requires root access to create the agent user (this is done once; after that root is not needed to run a command as the agent) No network filtering out-of-the-box (e.g. a rogue agent could scan your local network to mess with your printer :/). However this can be easily added using an HTTP proxy). Tricky to share the commands you installed in your home (i.e. basically everything you installed with curl https://someapp.com/install.sh | bash ). Note this is a user experience con (as it means reinstalling your tools for the agent user), but also a security pro since otherwise a malicious agent could escape the sandbox by just modifying a shared tool and waiting for you to run it… (aaand this post has been 100% written by a real human) submitted by /u/touilleMan
Originally posted by u/touilleMan on r/ClaudeCode
You must log in or # to comment.