My most immediate fear with coding agents, like Claude Code or OpenCode, has been the potential for accidentally running damaging shell commands, and then beyond mere accidents there’s a whole other world of nefarious possibilities like the potential for data exfiltration. It sure would be nice to impose some restrictions around the agent!

Naturally, the first solution I’ve seen people gravitate towards is throwing the agent into a container. I suspect that this is one of those things that everyone suggests and few people do. Wouldn’t it be nice if there was a lighter weight solution?

As it turns out the OS on my development workstation (and likely your development workstation) is already capable of handling this situation. After all, Unix was designed for multiple users to share a computer peacefully by imposing access restrictions, and what is a coding agent but another, less corporeal, user of the computer?

Design

Again, this is a fairly minimalist method of placing some restrictions on coding agents. It cannot catch every kind of bad thing that could happen.

For the purposes of this article our primary user account will be referred to as human and the coding agent’s user account will be referred to as codebot.

Here are our requirements for what the setup needs to accomplish:

• Restrict what files the agent can modify to prevent the scenario of the agent deleting critical files on the system
• Restrict what files the agent can read to prevent the scenario of the agent leaking sensitive information (i.e. by accident or by prompt injection)
• Allow us to use our regular IDE in our regular account alongside the agent CLI running in the agent account

And here is how we will accomplish it:

• A new user, codebot, will be created for the purpose of running coding agent CLIs
• A new group, agents, will be created for the purpose of sharing files between codebot and human
• Permissions for files belonging to human will be tightened to disallow access to other users
• Permissions for files belonging to codebot will be relaxed to allow access to members of the agents group

The next sections walk through implementation. The specifics are written for Arch Linux systems, but naturally any Unix-like can be setup this way.

The Group

The first thing we’ll do is create the agents group. The human user account can also be added to the group in the same command.

sudo groupadd -U human agents

The User

Next we’ll create the actual codebot user account. Of note, we want the agents group to be the primary group for this user, and we do want a home directory to get created.

sudo useradd -m -g agents codebot

Let’s also set an account password.

sudo passwd codebot

Default File Permissions

Now we’ll configure default file permissions, first by tightening the system-wide defaults which apply to the human user account, and second by relaxing the defaults specific to the codebot user account.

The system defaults on an Arch Linux system are usually in the /etc/login.defs file on the UMASK line. The default umask value of 022 allows “other” users read access on files, so we want to tighten this to at least 027.

# file: /etc/login.defs
...

# replaces UMASK 022 (old default)
UMASK 027

Next we’ll relax the umask defaults only for the codebot user account, which can be accomplished by adding a line to /home/codebot/.bashrc.

# file: /home/codebot/.bashrc
...

# grant group members read/write access by default
umask 0007

Tightening Existing Permissions

At this point our new file permissions are configured going forward, but they were not applied retroactively.

For the human user we’ll manually remove access for “others” to everything in the home directory. This command can take a little bit if the home directory contains a lot of items. We also don’t need sudo here if running from inside the human account.

chmod -R o-rwx /home/human

For consistency we’ll also manually apply the new permissions to the home directory for the codebot user to allow group members to both read and write.

sudo chmod -R g+rw /home/codebot

To check our work, if we do a quick ls -l /home the permissions on the directories should now look something like the following.

drwxrwx--- 1 codebot agents   246 Feb  6 16:27 codebot
drwxr-x--- 1 human   human   6570 Feb  8 20:00 human

Usage

At this point the codebot user account should be ready for use. An easy way to login from the human user account is to just use sudo with the requisite arguments.

sudo -iu claude

Given that this is a new user account some housekeeping will be required. Primarily, the coding agent CLI of choice will need to be configured again. Secondarily, other tools like git and language toolchains (cough Rust) will likely need some configuration attention as well.