[BUG] Edit(.git/**) permission doesn't allow git to write .git/config in sandbox
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
When Edit(.git/**) is added to permissions.allow in settings, git commands running in the sandbox still cannot write to .git/config. This occurs during git push --set-upstream when git tries to save the tracking branch configuration.
According to issue #10377, Edit() allow rules should extend filesystem write permissions for bash commands in the sandbox. However, this doesn't appear to work for .git/ directories.
Key finding: Running the same command with dangerouslyDisableSandbox: true works without error, confirming this is a sandbox permission issue.
What Should Happen?
With Edit(.git/**) in the permissions allow list, git commands should be able to write to .git/config without errors.
Error Messages/Logs
# Sandboxed (fails):
$ git push --set-upstream origin branch-name
branch 'branch-name' set up to track 'origin/branch-name'.
To https://github.com/user/repo.git
abc1234..def5678 branch-name -> branch-name
error: could not write config file .git/config: Operation not permitted
error: could not write config file .git/config: Operation not permitted
# Unsandboxed (works):
$ git push --set-upstream origin branch-name
branch 'branch-name' set up to track 'origin/branch-name'.
Everything up-to-date
Note: The push itself succeeds even when sandboxed, but the local config write fails.
Steps to Reproduce
- Enable sandbox in
~/.claude/settings.json:
{
"sandbox": {
"enabled": true,
"autoAllowBashIfSandboxed": true
},
"permissions": {
"allow": [
"Edit(.git/**)"
]
}
}
- Restart Claude Code
- Run
git push --set-upstream origin <branch>via Claude Code
- Observe the push succeeds but
.git/configwrite fails with "Operation not permitted"
- Run the same command with
dangerouslyDisableSandbox: true- it works without error
Configuration Used
{
"sandbox": {
"enabled": true,
"autoAllowBashIfSandboxed": true,
"network": {
"allowLocalBinding": true
}
},
"permissions": {
"allow": [
"Edit(.git/**)",
"Edit(.claude/**)"
]
}
}
Claude Model
Opus (claude-opus-4-5-20251101)
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
Latest (as of 2025-12-06)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
- The push to remote succeeds; only the local
.git/configwrite fails - Workaround: Add
git:*toexcludedCommands(note: requires:*suffix per #10524), but this requires addingBash(git:*)to permissions.allow to avoid prompts on every git command - Related issues: #10377 (documents Edit() should work for bash writes), #11481 (mentions same error but focuses on network)
- The error is cosmetic but causes confusion and noise in the output
Possible causes:
Edit(.git/**)relative path not resolving correctly against the absolute path git uses.git/being treated specially by the sandbox- The permission check happening before path normalization
19 Comments
Happens to me too ☹️
It probably works if Claude uses the Edit tool rather than executing git.
I think this is a very reasonable use case that should be supported. I should have the option to allow sandbox to write in the .git subfolder if I wanted to.
As far as I can tell this isn't exclusive to
.git- at least on Linux. This can be _really_ annoying for applications that rely on the~/.cachedirectory, like bazel (similar to https://github.com/anthropics/claude-code/issues/10221).My expectation would be that when we add
Edit- we can get something that appears as a--bindmount inbwrap, but that doesn't seem to be the case. When I look at the bwrap invocation under the hood, it looks like we only get binds for/tmp/claude, a logs directory, and the current working directory. Using/add-diralso doesn't seem to influence the mounts on bwrap. This is _such_ a great feature to make sure teams are interacting with claude securely, but it needs a few extra knobs.This is still a problem :(
I have this issue as well with version 2.1.17
Happens on 2.1.42 still. Can't confirm, but I think there's a default deny that overrides any attempt to allow.
My claude can't even
git push --set-upstreamnow, because all edits to.git/configare blocked with no option for me to give permission in any way I can find?IMO this is now solved with more recent changes to sandbox settings. Specifically for git, you can add the directory to
filesystem.allowWrite. Docs can be found here.For my specific issue with cache, I keep
~/.cachein my allowWrite config.@lior-airis Maybe give this a try on your setup (if you haven't already) and this could be closed?
I think this is still a problem but I'm closing this anyway because of auto mode which is probably a better way to solve the permissions problem
I already added
.git/configtoallowWrite, it does not resolve the issue.@lior-airis What is the follow-up issue to track when this misbehaviour is resolved?
I don't know, sorry. I would recommend using auto mode instead of sandbox in the future.
Auto mode is not available to Pro and Max users (docs).
Auto mode is still a non-deterministic, LLM-as-judge setup.
For many users, programmatic hooks and sandboxing is still the preferred or necessary option.
@bryan-omalley-motional Apologies if I was too hasty in that recommendation. I'm surprised that it could give access to the cache, but not
.git. Can you show your settings? Is this on mac or linux?This is on MacOS.
I'll eat my words. I couldn't poke at the implementation in macos, but in linux I was able to poke at the mounts that it adds at the end.
Notably, regardless of your configuration, it _is_ specifically blotting out .git/config. Apologies - I didn't expect that.
It's especially bizarre because the edit tool _does_ seem to be perfectly capable of modifying .git/config. I'm guessing this is to try and prevent data exfiltration if claude was tricked into modifying your upstream?
You could commit some war crimes to sneak around this on linux - like creating a
bwrapshim that re-introduces your write mount at the end. I'm not sure how you'd escape this on macos other than doing something extreme - like usingjjinstead of git.This issue has been automatically locked since it was closed and has not had any activity for 7 days. If you're experiencing a similar issue, please file a new issue and reference this one if it's relevant.