sandbox filesystem denyRead not enforced for Read tool or Bash commands
Summary
The sandbox.filesystem.denyRead setting in settings.json is not enforced. Files outside the allowRead list can be read freely by both the built-in Read tool and Bash commands.
Environment
- Claude Code version: 2.1.92 (latest as of restart)
- OS: Linux (Arch, kernel 6.19.11-zen1-1-zen)
- Shell: zsh
Config (~/.claude/settings.json — filesystem section)
"sandbox": {
"enabled": true,
"allowUnsandboxedCommands": false,
"filesystem": {
"allowWrite": [
"~/.claude",
"~/.claude.json",
"~/.config/gh"
],
"denyRead": [
"/home/dan"
],
"allowRead": [
".",
"~/.claude",
"~/.claude.json",
"~/.config/gh",
"~/.gitconfig",
"~/.ssh/config",
"~/.ssh/known_hosts"
]
}
}
Note: was previously "~/" in denyRead, changed to /home/dan to rule out tilde expansion issues. Neither value had any effect.
Steps to reproduce
- Set
sandbox.filesystem.denyReadto["/home/dan"](or["~/"]) in~/.claude/settings.json - Set
sandbox.filesystem.allowReadto a list that does not include~/.bashrc - Fully restart Claude Code
- Ask Claude to read
~/.bashrcusing the Read tool
Expected behavior
Read is blocked — Claude receives a permission denied error.
Actual behavior
~/.bashrc is returned successfully. The deny rule has no effect. The same is true for Bash commands (e.g. cat ~/.gitconfig also succeeds despite not being in allowRead).
Additional notes
The permissions.deny entries (e.g. "Read(~/.ssh/**)") do appear to work correctly — this issue is specific to the sandbox.filesystem.denyRead mechanism.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗