[MODEL] dangerouslyDisableSandbox _sometimes_ bypasses permission prompts when tool is auto-approved

Resolved 💬 4 comments Opened Mar 17, 2026 by ryantology Closed Apr 15, 2026

Preflight Checklist

  • [x] I have searched existing issues for similar behavior reports
  • [x] This report does NOT contain sensitive information (API keys, passwords, etc.)

Type of Behavior Issue

Claude's behavior changed between sessions

What You Asked Claude to Do

I asked claude to commit and push files to git.

What Claude Actually Did

When in a sandbox environment, the model does not have access to Unix domain socket connect(). Due to this permission issue, git commands that require a signed commit AND the signing is using 1Password SSH commit signing the model will sometimes be blocked by permission checks.

In some sessions access is blocked by the sandbox and required to explicitly ask about dangerouslyDisableSandbox.
In other sessions the model silently bypassed it this and used dangerouslyDisableSandbox. Same settings, same allow list, different behavior.

Working with claude in different sessions to narrow down the issue it came up with a potential issue;

The inconsistency likely comes from how the model interprets the competing instructions: 1. System prompt says "immediately retry with dangerouslyDisableSandbox: true, don't ask" 2. Sandbox says "prompt the user for permission" 3. Auto-allow list says Bash(git *) is pre-approved

Expected Behavior

Either it should consistently ask for permissions, or bypass permissions.

The security implications of this particular bypass are limited.

The real issue is that it's not possible to allow access to the unix socket through allowedPermissions (will file separate issue for that)

Files Affected

Permission Mode

Accept Edits was ON (auto-accepting changes)

Can You Reproduce This?

Sometimes (intermittent)

Steps to Reproduce

  1. Setup 1password for ssh code signing https://developer.1password.com/docs/ssh/git-commit-signing/
  2. Add "Bash(git *)" to allow list.
  3. Run claude in sandbox mode:
 "sandbox": {
    "enabled": true,
    "autoAllowBashIfSandboxed": true
  }```
4. Ask claude to commit code.

### Claude Model

Opus

### Relevant Conversation

```markdown

Impact

Medium - Extra work to undo changes

Claude Code Version

2.1.76 (Claude Code)

Platform

Anthropic API

Additional Context

It seems to throw an error more when working inside a worktree. When working on a branch from the main repo checkout, the permissions are bypassed without asking. I did not even know the bypass was happening until I started working in worktrees and then the error was happening and I started to investigate.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗