https://illuminatedcomputing.com/ 2026-06-12T00:00:00Z Paul A. Jungwirth https://illuminatedcommputing.com/ tag:illuminatedcomputing.com,2026-06-12:/posts/2026/06/my-claude-code-setup/ 2026-06-12T00:00:00Z 2026-06-12T00:00:00Z <p>I seem to have an unusual way of running Claude Code, but I find it a good trade-off between convenience and security.</p> <p>I was explaining it <a href="https://news.ycombinator.com/item?id=48500852">on HN</a>, but I wanted to write it down here too:</p> <p>I always run with <code>--dangerously-skip-permissions</code> (or whatever it’s called; there’s a global flag I set a long time ago). I assume everyone does. It’s too tedious otherwise. But how can I do that with tolerable risk?</p> <p>In fact in <em>any</em> mode, I wouldn’t want to run Claude without restrictions. My account has AWS creds, k8s creds, ssh keys, Github access, <code>.env</code> files from dozens of customers with who-knows-what. . . . I can run <code>sudo</code> and <code>pass</code> unchallenged, if I recently gave the password. There are scripts in <code>~/bin</code> to join VPNs and log in to databases. My browser is signed in everywhere. Thunderbird can send/receive email. And even if Claude never forgets a boundary, aren’t I sending Anthropic at least the <code>.env</code> files?</p> <p>So my solution was to give Claude its own OS user.</p> <p>People say the LLM is like another co-worker, so I’m treating it that way. He has similar dotfiles to mine, but no secrets. My own home directory is 0700. He has his own ssh key that I added to my github profile, but it’s password-protected, and I push/pull for him. He has his own Postgres (non-superuser!) {development,test} {users,databases}. If he needs something run with sudo, he asks me. Often we can both work on something in parallel. I’m on Debian 13 with xfce, but I think this would work well elsewhere. Unix was supposed to be a multi-user system after all.</p> <p>When I want Claude to do something, I open another terminal tab and <code>su</code> to his account. He has a <code>~/src</code> folder for projects, just like me. I go to one of those and start a tmux session. His <code>~/.tmux.conf</code> gives every session a yellow status bar, so they’re easy to recognize. Then new shells are just <code>Ctrl-a c</code>.</p> <p>Usually I keep the first tmux window in bash, so I can push/pull, read commits/diffs, run extra tests, and do whatever else. I run the claude session in the second window. If I need to do more things, I start more windows. Frequently window 3 is psql. More for vim, etc. (I’m speaking of <em>tmux’s</em> windows here.)</p> <p>A trick I use a lot is that many of his git repos have an extra remote, like this:</p> <pre><code>paul ssh://paul@localhost/~/src/example (fetch) paul ssh://paul@localhost/~/src/example (push)</code></pre> <p>That makes it easy to collaborate on things I’m not ready to share. I also set up a <code style="white-space:nowrap">/pub/paul</code> folder where I can put non-repo things outside of <code>~paul</code>, but I’ve hardly used it.</p> <p>I like that I’m not mucking with VMs. Everything is on the host. Everything is set up once. Claude’s environment is as comfortable as mine. And some of Claude’s assignments require <em>him</em> running VMs, so there is no extra nesting.</p> <p>I’ve been using this setup for months, and I really like it.</p> <p>I do worry about Linux privilege escalation bugs. I don’t trust an AI to understand that exploiting vulns is not acceptable. (I can’t help but recall that at my first job I may have misused vim’s <code>:!</code> feature to broaden my sudo powers, which were officially limited to editing <code>httpd.conf</code>, when I needed something in a hurry. . . .) I find myself manually upgrading packages more often these days, despite automatic security updates. I don’t think Opus would go to the trouble of looking up security vulns, but maybe Fable would, and there have been a lot lately. Maybe some future model will just take it upon itself to find new ones. Or install a keylogger to learn the ssh key password. I’m sure they would be polite about it.</p> <p>Would a VM be more secure? I don’t have an intuition there. There are hypervisor escape vulns too, and I’m anxious about shared folders. For instance in vagrant the guest gets <code>/vagrant</code> to read/write the host folder. You’d have to be very careful what you put where.</p> <p>Come to think of it, since the guest can edit <code>/vagrant/Vagrantfile</code> and reboot, it must not be very confined, right? At minimum it can leave a surprise there for the next time you run a vagrant command.</p> <p>The biggest annoyance so far is running docker containers. I don’t want to add <code>claude</code> to the <code>docker</code> group or give it sudo privileges. I’ve read that you can set up rootless docker for a user, and even that you can run it side-by-side with a normal system-wide docker, but I haven’t tried doing that yet. If that doesn’t work, I will probably give Claude his own machine. I have plenty of spare boxes/laptops lying around.</p> <p>What do you think? Are there security problems with my approach? I think it’s a good way to be efficient but responsible.</p>