[BUG] Security: Project settings.json permissions.deny ignored when user's settings.json is symlinked
Resolved 💬 5 comments Opened Aug 16, 2025 by 178inaba Closed Jan 6, 2026
Environment
- Platform (select one):
- [x] Anthropic API
- [ ] AWS Bedrock
- [ ] Google Vertex AI
- [ ] Other: <!-- specify -->
- Claude CLI version: 1.0.83 (Claude Code)
- Operating System: macOS 15.6
- Terminal: Ghostty
Bug Description
When the user's ~/.claude/settings.json is a symbolic link, project-specific permissions.deny rules in .claude/settings.json are bypassed, causing Claude Code to read confidential files despite explicit denial rules.
Steps to Reproduce
- Set deny rules in the project's
.claude/settings.json.
{
"permissions": {
"deny": [
"Read(secrets.txt)"
]
}
}
- Create a symbolic link for the user's
~/.claude/settings.json.
$ readlink ~/.claude/settings.json
../.dotfiles/claude/.claude/settings.json
- Ask Claude Code to 'Read secrets.txt and display the contents.
Expected Behavior
> Read secrets.txt and display the contents
⏺ Read(secrets.txt)
⎿ Error: Permission to read /Users/user/projects/my-project/secrets.txt has been denied.
⏺ Permission denied to read secrets.txt. The file appears to be restricted for security reasons.
Actual Behavior
> Read secrets.txt and display the contents
⏺ Read(secrets.txt)
⎿ Read 2 lines (ctrl+r to expand)
⏺ secret text!!
Additional Context
Related: https://github.com/anthropics/claude-code/issues/3575
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗