[BUG] Security: Project settings.json permissions.deny ignored when user's settings.json is symlinked

Resolved 💬 5 comments Opened Aug 16, 2025 by 178inaba Closed Jan 6, 2026

Environment

  • Platform (select one):
  • [x] Anthropic API
  • [ ] AWS Bedrock
  • [ ] Google Vertex AI
  • [ ] Other: <!-- specify -->
  • Claude CLI version: 1.0.83 (Claude Code)
  • Operating System: macOS 15.6
  • Terminal: Ghostty

Bug Description

When the user's ~/.claude/settings.json is a symbolic link, project-specific permissions.deny rules in .claude/settings.json are bypassed, causing Claude Code to read confidential files despite explicit denial rules.

Steps to Reproduce

  1. Set deny rules in the project's .claude/settings.json.
{
  "permissions": {
    "deny": [
      "Read(secrets.txt)"
    ]
  }
}
  1. Create a symbolic link for the user's ~/.claude/settings.json.
$ readlink ~/.claude/settings.json
../.dotfiles/claude/.claude/settings.json
  1. Ask Claude Code to 'Read secrets.txt and display the contents.

Expected Behavior

> Read secrets.txt and display the contents

⏺ Read(secrets.txt)
  ⎿  Error: Permission to read /Users/user/projects/my-project/secrets.txt has been denied.

⏺ Permission denied to read secrets.txt. The file appears to be restricted for security reasons.

Actual Behavior

> Read secrets.txt and display the contents

⏺ Read(secrets.txt)
  ⎿  Read 2 lines (ctrl+r to expand)

⏺ secret text!!

Additional Context

Related: https://github.com/anthropics/claude-code/issues/3575

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗