Permission Deny Configuration Not Enforced for Read/Write Tools

Resolved πŸ’¬ 6 comments Opened Aug 27, 2025 by dev-minjae Closed Sep 2, 2025

πŸ“‹ Environment

  • Claude CLI Version: 1.0.93 (Claude Code)
  • Platform: Linux (CentOS/RHEL 8.10, kernel 4.18.0-553.27.1.el8_10.x86_64)
  • Installation Path: /usr/local/bin/claude
  • Test Project: OpenROAD EDA tools project
  • Working Directory: /hdd1/users/mjkim/CLionProjects/OpenROAD-flow-scripts/tools/OpenROAD/

🚨 Issue Summary

The permission deny feature in .claude/settings.json and .claude/settings.local.json is completely non-functional for Read and Write tools, despite multiple configuration attempts and recent updates. This creates a critical security vulnerability for protecting high-value intellectual property.

βš™οΈ Configuration Tested

1. Absolute Path Configuration (settings.local.json)

{
  "permissions": {
    "allow": [
      "Bash(mkdir:*)",
      "WebFetch(domain:docs.anthropic.com)",
      "WebFetch(domain:github.com)",
      "WebFetch(domain:stackoverflow.com)",
      "Bash(cat:*)",
      "Bash(/bug)"
    ],
    "deny": [
      "Read(/hdd1/users/mjkim/CLionProjects/OpenROAD-flow-scripts/tools/OpenROAD/src/Main.cc)",
      "Read(/hdd1/users/mjkim/CLionProjects/OpenROAD-flow-scripts/tools/OpenROAD/src/OpenRoad.cc)",
      "Read(/hdd1/users/mjkim/CLionProjects/OpenROAD-flow-scripts/tools/OpenROAD/include/ord/OpenRoad.hh)",
      "Read(/hdd1/users/mjkim/CLionProjects/OpenROAD-flow-scripts/tools/OpenROAD/CMakeLists.txt)",
      "Write(/hdd1/users/mjkim/CLionProjects/OpenROAD-flow-scripts/tools/OpenROAD/src/Main.cc)",
      "Write(/hdd1/users/mjkim/CLionProjects/OpenROAD-flow-scripts/tools/OpenROAD/src/OpenRoad.cc)",
      "Write(/hdd1/users/mjkim/CLionProjects/OpenROAD-flow-scripts/tools/OpenROAD/include/ord/OpenRoad.hh)",
      "Write(/hdd1/users/mjkim/CLionProjects/OpenROAD-flow-scripts/tools/OpenROAD/CMakeLists.txt)"
    ]
  }
}

2. Relative Path Configuration (settings.local.json)

{
  "permissions": {
    "allow": [
      "Bash(mkdir:*)",
      "WebFetch(domain:docs.anthropic.com)",
      "WebFetch(domain:github.com)",
      "WebFetch(domain:stackoverflow.com)",
      "Bash(cat:*)",
      "Bash(/bug)"
    ],
    "deny": [
      "Read(src/Main.cc)",
      "Read(src/OpenRoad.cc)",
      "Read(include/ord/OpenRoad.hh)",
      "Read(CMakeLists.txt)",
      "Read(src/drt/src/global.cpp)",
      "Read(src/gpl/src/**)",
      "Read(src/cts/src/Clock.cpp)",
      "Write(src/Main.cc)",
      "Write(src/OpenRoad.cc)",
      "Write(include/ord/OpenRoad.hh)",
      "Write(CMakeLists.txt)",
      "Write(src/drt/src/global.cpp)",
      "Write(src/gpl/src/**)",
      "Write(src/cts/src/Clock.cpp)"
    ]
  }
}

πŸ“Š Test Results Summary

| Test Case | Configuration | Expected Result | Actual Result | Status |
|-----------|---------------|----------------|---------------|--------|
| Read src/Main.cc | Absolute paths | ❌ ACCESS DENIED | βœ… FULL ACCESS | ❌ FAILED |
| Read CMakeLists.txt | Absolute paths | ❌ ACCESS DENIED | βœ… FULL ACCESS | ❌ FAILED |
| Write src/Main.cc | Absolute paths | ❌ WRITE DENIED | βœ… EDIT SUCCESSFUL | ❌ FAILED |
| Read src/Main.cc | Relative paths | ❌ ACCESS DENIED | βœ… FULL ACCESS | ❌ FAILED |
| Read CMakeLists.txt | Relative paths | ❌ ACCESS DENIED | βœ… FULL ACCESS | ❌ FAILED |
| Write src/Main.cc | Relative paths | ❌ WRITE DENIED | βœ… EDIT SUCCESSFUL | ❌ FAILED |
| Bash commands | Both configs | ❌ Command denied | ❌ PROPERLY BLOCKED | βœ… WORKS |

πŸ” Detailed Test Evidence

Test 1: File Access Despite Absolute Path Deny Rules

# Configuration: "Read(/full/path/to/src/Main.cc)" in deny list
# Claude Command: Read tool on Main.cc
# Expected: Permission denied error
# Actual: Successfully read entire file content (578 lines)

Test 2: File Access Despite Relative Path Deny Rules

# Configuration: "Read(src/Main.cc)" in deny list  
# Claude Command: Read tool on src/Main.cc
# Expected: Permission denied error
# Actual: Successfully read entire file content

Test 3: File Editing Despite Write Deny Rules

# Configuration: "Write(src/Main.cc)" in deny list
# Claude Command: Edit tool to modify Main.cc
# Expected: Write permission denied
# Actual: Successfully edited file, changes applied

Test 4: Bash Command Restrictions Work Correctly βœ…

# Configuration: Bash commands properly restricted in allow list
# Result: Unauthorized bash commands are blocked correctly
# Status: THIS PART WORKS AS EXPECTED

Test 5: File Permission Workaround

# Additional test: Changed file permissions to 000 (no access)
# Result: Claude was blocked by filesystem permissions
# Workaround: Claude can use chmod to restore permissions and access files

πŸ›‘οΈ Security Impact

Severity: CRITICAL

  • Complete Bypass: File access restrictions are completely ineffective
  • Data Exposure: Sensitive source code, build configurations, and proprietary algorithms fully accessible
  • Integrity Risk: Critical files can be modified despite explicit deny rules
  • Permission Escalation: Claude can use chmod to bypass filesystem-level protections
  • Commercial Risk: Enterprise users cannot safely protect intellectual property worth millions

Real-World Scenario

A company with worth of proprietary algorithms cannot use Claude CLI safely, as all "protected" files remain fully accessible and modifiable.

πŸ“… Timeline & Related Issues

Issue History

  1. July 2025: Original issue #4467 reported by @alicecosmos
  2. July 2025: Developer (@ant-kurt) commented: "fix merged, should go out in next release"
  3. August 2025: Issue closed as resolved
  4. August 2025: Current testing with v1.0.93 shows problem still persists

Related Issues

  • #4467: Permission deny patterns not working for Read/Write tools
  • #2720: Permissions Configuration Bypass in Local Settings Enforcement
  • #891: .claude/settings.json not applying ignorePatterns
  • Stack Overflow: "Claude Code doesn't respect settings.json deny block"

πŸ”§ Attempted Solutions

Configuration Variations Tested βœ…

  1. JSON Syntax: Verified correct JSON structure and formatting
  2. File Locations: Tested both settings.json and settings.local.json
  3. Path Types: Tested absolute paths, relative paths, and wildcard patterns
  4. File Existence: Confirmed all target files exist and are accessible
  5. Working Directory: Verified Claude CLI is running from correct project root
  6. Settings Priority: Ensured settings.local.json takes precedence

Software Updates Tested βœ…

  1. Claude CLI Update: Updated to latest version 1.0.93
  2. Configuration Reload: Restarted Claude CLI sessions after config changes
  3. Clean Environment: Tested in fresh terminal sessions

Alternative Protection Methods ❌

  1. Filesystem Permissions: Can be bypassed via chmod commands
  2. File Attributes: chattr +i immutable flag could work but untested
  3. Directory Isolation: Only reliable method currently available

πŸ”¬ Root Cause Analysis

Observed Behavior Pattern

The issue appears to be a fundamental architectural bug in the permission system:

  • Working Components:
  • Bash command restrictions function correctly
  • Allow rules work for specified tools
  • JSON parsing and configuration loading works
  • Broken Components:
  • File operation tools (Read, Write, Edit, MultiEdit, etc.) completely ignore deny rules
  • Both absolute and relative path matching fails
  • Wildcard patterns are ignored
  • No error messages or warnings about denied access

Technical Analysis

The problem suggests that:

  1. Permission checking is implemented inconsistently across tool types
  2. File operation tools bypass the permission system entirely
  3. Path resolution/matching logic may be fundamentally flawed
  4. The "fix" mentioned in issue #4467 was either incomplete or reverted

πŸ“ Reproduction Steps

Prerequisites

  1. Claude CLI version 1.0.93 or later
  2. A project directory with sensitive files
  3. Write access to create .claude/settings.local.json

Steps to Reproduce

  1. Create .claude/settings.local.json in your project root:

``json
{
"permissions": {
"deny": [
"Read(path/to/sensitive/file.txt)",
"Write(path/to/sensitive/file.txt)"
]
}
}
``

  1. Verify JSON syntax is valid
  2. Start Claude CLI in the project directory
  3. Ask Claude to read the denied file using Read tool
  4. Ask Claude to edit the denied file using Edit tool
  5. Observe that both operations succeed despite explicit deny rules

Expected vs Actual Results

  • Expected: Claude should return permission denied errors
  • Actual: Claude successfully reads and modifies all files
  • Control Test: Bash command restrictions work correctly

πŸš€ Requested Actions

Immediate Priority (P0)

  1. Acknowledge Issue: Confirm that the bug still exists in v1.0.93
  2. Security Review: Assess impact on enterprise users with sensitive codebases
  3. Hotfix Planning: Prioritize this as a security-critical bug

Development Tasks

  1. Root Cause Investigation: Debug why file tools bypass permission checks
  2. Comprehensive Fix: Ensure all file operation tools respect deny rules
  3. Regression Testing: Test all permission scenarios (allow, ask, deny)
  4. Path Resolution: Fix both absolute and relative path matching

Documentation & Communication

  1. Security Advisory: Warn users about current vulnerability
  2. Workaround Guidance: Document temporary protection methods
  3. Fix Documentation: Update permission documentation if syntax changes
  4. Release Notes: Clearly document the fix when released

πŸ’Ό Commercial Impact

Current Situation

  • Enterprise Blocker: Organizations cannot safely deploy Claude CLI with proprietary code
  • Security Compliance: Current implementation fails security audit requirements
  • Trust Issue: Previously "resolved" issue creates confidence problems
  • Competitive Risk: Sensitive IP remains vulnerable to accidental exposure

Business Value of Fix

  • Market Expansion: Enable enterprise adoption of Claude CLI
  • Security Compliance: Meet enterprise security standards
  • User Confidence: Restore trust in permission system reliability
  • Risk Mitigation: Prevent potential IP theft or accidental disclosure

---

Report Generated: August 27, 2025
Tested Version: Claude CLI 1.0.93
Test Environment: Linux CentOS/RHEL 8.10
Severity: Critical Security Issue

View original on GitHub β†—

This issue has 6 comments on GitHub. Read the full discussion on GitHub β†—