[MODEL] dangerouslyDisableSandbox _sometimes_ bypasses permission prompts when tool is auto-approved
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Claude's behavior changed between sessions
What You Asked Claude to Do
I asked claude to commit and push files to git.
What Claude Actually Did
When in a sandbox environment, the model does not have access to Unix domain socket connect(). Due to this permission issue, git commands that require a signed commit AND the signing is using 1Password SSH commit signing the model will sometimes be blocked by permission checks.
In some sessions access is blocked by the sandbox and required to explicitly ask about dangerouslyDisableSandbox.
In other sessions the model silently bypassed it this and used dangerouslyDisableSandbox. Same settings, same allow list, different behavior.
Working with claude in different sessions to narrow down the issue it came up with a potential issue;
The inconsistency likely comes from how the model interprets the competing instructions: 1. System prompt says "immediately retry with dangerouslyDisableSandbox: true, don't ask" 2. Sandbox says "prompt the user for permission" 3. Auto-allow list says Bash(git *) is pre-approved
Expected Behavior
Either it should consistently ask for permissions, or bypass permissions.
The security implications of this particular bypass are limited.
The real issue is that it's not possible to allow access to the unix socket through allowedPermissions (will file separate issue for that)
Files Affected
Permission Mode
Accept Edits was ON (auto-accepting changes)
Can You Reproduce This?
Sometimes (intermittent)
Steps to Reproduce
- Setup 1password for ssh code signing https://developer.1password.com/docs/ssh/git-commit-signing/
- Add
"Bash(git *)"to allow list. - Run claude in sandbox mode:
"sandbox": {
"enabled": true,
"autoAllowBashIfSandboxed": true
}```
4. Ask claude to commit code.
### Claude Model
Opus
### Relevant Conversation
```markdown
Impact
Medium - Extra work to undo changes
Claude Code Version
2.1.76 (Claude Code)
Platform
Anthropic API
Additional Context
It seems to throw an error more when working inside a worktree. When working on a branch from the main repo checkout, the permissions are bypassed without asking. I did not even know the bypass was happening until I started working in worktrees and then the error was happening and I started to investigate.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗