Claude config path should be configurable (security/sandboxing blocker)

Open 💬 0 comments Opened Jul 9, 2026 by pascals-ager

Problem

Claude Code hardcodes its configuration at ~/.claude.json without any way to configure this path. This requires granting write access to the entire home directory, which is a security concern for restricted environments.

Current Behavior

  • Claude writes to ~/.claude.json (and temp files like ~/.claude.json.lock, ~/.claude.json.tmp.*)
  • No configuration mechanism to redirect this path
  • CLAUDE_HOME environment variable does not work (or is incomplete)
  • To run Claude in sandboxes or restricted environments, users must grant write access to ~ (home root)

Expected Behavior

Claude should support one of:

  1. CLAUDE_HOME environment variable that properly redirects all config/state paths
  2. A CLI flag like --config-dir to specify where to store claude.json
  3. An XDG Base Directory spec implementation (XDG_CONFIG_HOME, XDG_STATE_HOME, etc.)

Why This Matters

  • Security: Granting write access to entire home directory is overly permissive
  • Sandboxing: Tools like nono, firejail, and container runtimes cannot properly restrict Claude without this
  • Compliance: Regulated environments need finer-grained permission control
  • Precedent: Other CLI tools (node, python, go, etc.) support configurable data directories

Impact

Users who need to run Claude in restricted/sandboxed environments (security scanning, compliance testing, containerized dev environments) are blocked.

View original on GitHub ↗