Sandbox filesystem allowlist does not match UID-suffixed temp directory path

Resolved 💬 3 comments Opened Feb 5, 2026 by nakt Closed Feb 8, 2026

Bug Description

The sandbox filesystem write allowlist includes /tmp/claude and /private/tmp/claude, but at runtime the actual temp directory used is /tmp/claude-501/ (with a UID suffix). This mismatch causes operation not permitted errors on every Bash tool call when sandbox mode is enabled.

Steps to Reproduce

  1. Enable sandbox in settings:

``json
"sandbox": {
"enabled": true,
"autoAllowBashIfSandboxed": true
}
``

  1. Run any Bash command (e.g., ls)

Actual Behavior

Every Bash call produces an error like:

zsh:1: operation not permitted: /tmp/claude-501/cwd-de64

The command output is still captured, but the exit code is 1. This causes cascading Sibling tool call errored failures when multiple tools are called in parallel, since one failure cancels all sibling calls.

Expected Behavior

The sandbox write allowlist should include the UID-suffixed temp directory (/tmp/claude-<UID>/), or the temp directory path should match the allowlist entry (/tmp/claude/).

Environment

  • OS: macOS (Darwin 24.6.0)
  • Claude Code version: Latest (as of 2025-02-05)
  • Shell: zsh

Analysis

The sandbox filesystem write allowlist (from the system prompt) includes:

"/tmp/claude",
"/private/tmp/claude",

But the actual TMPDIR / working temp path used at runtime is /tmp/claude-501/ (where 501 is the macOS default user UID). The cwd tracking file (/tmp/claude-501/cwd-*) write is blocked by the sandbox, causing the error.

Workaround

Using dangerouslyDisableSandbox: true on Bash calls avoids the error, but this defeats the purpose of sandbox mode.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗