sandbox filesystem denyRead not enforced for Read tool or Bash commands

Resolved 💬 3 comments Opened Apr 6, 2026 by m8-t Closed Jun 3, 2026

Summary

The sandbox.filesystem.denyRead setting in settings.json is not enforced. Files outside the allowRead list can be read freely by both the built-in Read tool and Bash commands.

Environment

  • Claude Code version: 2.1.92 (latest as of restart)
  • OS: Linux (Arch, kernel 6.19.11-zen1-1-zen)
  • Shell: zsh

Config (~/.claude/settings.json — filesystem section)

"sandbox": {
  "enabled": true,
  "allowUnsandboxedCommands": false,
  "filesystem": {
    "allowWrite": [
      "~/.claude",
      "~/.claude.json",
      "~/.config/gh"
    ],
    "denyRead": [
      "/home/dan"
    ],
    "allowRead": [
      ".",
      "~/.claude",
      "~/.claude.json",
      "~/.config/gh",
      "~/.gitconfig",
      "~/.ssh/config",
      "~/.ssh/known_hosts"
    ]
  }
}

Note: was previously "~/" in denyRead, changed to /home/dan to rule out tilde expansion issues. Neither value had any effect.

Steps to reproduce

  1. Set sandbox.filesystem.denyRead to ["/home/dan"] (or ["~/"]) in ~/.claude/settings.json
  2. Set sandbox.filesystem.allowRead to a list that does not include ~/.bashrc
  3. Fully restart Claude Code
  4. Ask Claude to read ~/.bashrc using the Read tool

Expected behavior

Read is blocked — Claude receives a permission denied error.

Actual behavior

~/.bashrc is returned successfully. The deny rule has no effect. The same is true for Bash commands (e.g. cat ~/.gitconfig also succeeds despite not being in allowRead).

Additional notes

The permissions.deny entries (e.g. "Read(~/.ssh/**)") do appear to work correctly — this issue is specific to the sandbox.filesystem.denyRead mechanism.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗