[BUG] rm command bypasses permission system on Linux (works correctly on Windows)

Resolved 💬 4 comments Opened Jan 16, 2026 by akonopcz Closed Jan 16, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

The rm command executes without prompting for permission when auto-accept is enabled on Linux systems, even though no general Bash permission or rm-specific permission is configured in settings. This only affects Linux - the permission system works correctly on Windows PowerShell.

What Should Happen?

The rm command should prompt for permission (like it does on Windows) when:

  • Auto-accept is enabled
  • Only limited Bash permissions are configured (e.g., Bash(gitleaks detect:*)) - No general rm permission exists in settings

Error Messages/Logs

No error messages - the command executes successfully without prompting.

Steps to Reproduce

  1. Enable auto-accept in Claude Code CLI
  2. Verify your ~/.claude/projects/<project>/settings.local.json only contains limited permissions:

{
"permissions": {
"allow": [
"WebFetch(domain:github.com)",
"mcp__context7__query-docs",
"Bash(gitleaks detect:*)"
]
}
}

  1. Start a Claude Code session in a project directory
  2. Ask Claude: "Create a test file called DELETE_ME.txt"
  3. Ask Claude: "Delete DELETE_ME.txt using rm"
  4. Observe that rm executes without permission prompt

Reproduced on:

  • Arch Linux: 3/3 attempts
  • WSL (Ubuntu): 1/1 attempts
  • Windows PowerShell: 0/1 (works correctly - prompt appears)

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Last Working Version

N/A

Claude Code Version

2.1.9 (Claude Code)

Platform

Anthropic API

Operating System

Other Linux

Terminal/Shell

Other

Additional Information

This appears to be a Linux-specific security bug. The permission system correctly catches rm/del commands on Windows but fails on Linux-based systems. This could potentially allow unintended file deletion when auto-accept is enabled.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗