[BUG] Write and Bash(cp) executed without permission despite restrictive settings.local.json
Resolved 💬 5 comments Opened Mar 15, 2026 by mkduew Closed May 1, 2026
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Claude Code executed a Write tool call to /tmp/set_additional_category.md and a subsequent Bash(cp ...) command without prompting for user approval, despite neither being covered by the project's settings.local.json. The permission system was bypassed silently — no prompt, no warning, no error.
What Should Happen?
Both tool calls should have been blocked or should have triggered a user approval prompt, as they are not covered by the configured allow list in settings.local.json.
Writeto/tmp/...→ should require approval (noWritepermission configured at all)Bash(cp ...)→ should require approval (Bash(cp:*)is not in the allow list)
Error Messages/Logs
No error was shown. Both operations completed silently without any permission warning or prompt.
Steps to Reproduce
- Create a
settings.local.jsonwith a restrictiveallowlist — noWrite(*)and noBash(cp:*)entries. - Ask Claude to write a file to a
tmpdirectory (without specifying full path). - Claude interprets
tmpas the system/tmpdirectory and callsWrite(/tmp/some_file.md)— executes without prompt. - Claude then calls
Bash(cp /tmp/some_file.md /project/tmp/some_file.md)to move the file — also executes without prompt.
Relevant settings.local.json (abbreviated):
{
"permissions": {
"allow": [
"Bash(ls:*)",
"Bash(git:*)",
"Bash(curl:*)",
"Bash(php:*)",
"Read(//Users/userpath/PhpstormProjects/exp2pim_api/**)"
]
}
}
No Write(*), Write(/tmp/*), or Bash(cp:*) is present.
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.76 (Claude Code)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
IntelliJ IDEA terminal
Additional Information
- OS: macOS Darwin 25.3.0
- The
Writetool appears to bypass permission checks entirely when writing outside the project directory. - The
Bash(cp ...)command was not matched against the allow list despite the list containing only explicitBash(<command>:*)entries. - This undermines the security model of
settings.local.json, as users rely on it to restrict Claude's write access to the local filesystem.
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗