Sandbox filesystem allowlist does not match UID-suffixed temp directory path
Bug Description
The sandbox filesystem write allowlist includes /tmp/claude and /private/tmp/claude, but at runtime the actual temp directory used is /tmp/claude-501/ (with a UID suffix). This mismatch causes operation not permitted errors on every Bash tool call when sandbox mode is enabled.
Steps to Reproduce
- Enable sandbox in settings:
``json``
"sandbox": {
"enabled": true,
"autoAllowBashIfSandboxed": true
}
- Run any Bash command (e.g.,
ls)
Actual Behavior
Every Bash call produces an error like:
zsh:1: operation not permitted: /tmp/claude-501/cwd-de64
The command output is still captured, but the exit code is 1. This causes cascading Sibling tool call errored failures when multiple tools are called in parallel, since one failure cancels all sibling calls.
Expected Behavior
The sandbox write allowlist should include the UID-suffixed temp directory (/tmp/claude-<UID>/), or the temp directory path should match the allowlist entry (/tmp/claude/).
Environment
- OS: macOS (Darwin 24.6.0)
- Claude Code version: Latest (as of 2025-02-05)
- Shell: zsh
Analysis
The sandbox filesystem write allowlist (from the system prompt) includes:
"/tmp/claude",
"/private/tmp/claude",
But the actual TMPDIR / working temp path used at runtime is /tmp/claude-501/ (where 501 is the macOS default user UID). The cwd tracking file (/tmp/claude-501/cwd-*) write is blocked by the sandbox, causing the error.
Workaround
Using dangerouslyDisableSandbox: true on Bash calls avoids the error, but this defeats the purpose of sandbox mode.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗