openclaw - Allow configurable file permissions (chmod 0o640/0o750) for multi-user setups

GitHub issue openclaw/openclaw#56263 (fetched 2026-04-08 01:43:01)

Problem

OpenClaw hardcodes chmod 0o600 on files and 0o700 on directories after every write. This breaks multi-user container setups where a second user in the same group needs read access to state files (e.g., device-auth.json, cron store, session transcripts).

The chmod calls strip group read bits and ACL masks, making it impossible for a non-owner user in the same group to read OpenClaw-managed files without a workaround.

Affected Code

The pattern appears throughout the codebase:

  • src/infra/json-file.ts — saveJsonFile() calls chmodSync(0o600) on every write
  • src/infra/json-files.ts — async variant, same pattern
  • src/infra/device-auth-store.ts — device-auth.json chmod on every write
  • src/config/io.ts — config file writes
  • src/config/backup-rotation.ts — backup files
  • src/cron/store.ts — cron job store
  • src/security/fix.ts — chmodCredentialsAndAgentState() walks agent dirs

Use Case

Running OpenClaw in a Docker container where:

  • Owner (ben) runs the gateway
  • A second user (eldar) in the same group runs an AI agent that needs to read OpenClaw state files
  • Linux ACLs or group permissions (0o640/0o750) are used to share access

Every time OpenClaw writes a file, it chmods back to 0o600, breaking the group access.

Proposed Solution

Add a config option to control file permission behavior, e.g.:

```json
{
  "security": {
    "fileMode": "0640",
    "dirMode": "0750"
  }
}
```

Or an env var like OPENCLAW_FILE_MODE=0640 OPENCLAW_DIR_MODE=0750.

Alternatively, a simple OPENCLAW_SKIP_CHMOD=1 to disable all post-write chmod calls and let the OS/admin manage permissions.

Notes

  • 0o640 (owner rw, group r) is a standard and secure pattern used by many services (nginx, PostgreSQL, systemd units)
  • OpenClaw never calls chown, only chmod — so ownership is already managed externally
  • The current 0o600 default is fine for single-user setups and should remain the default


Fix Plan

To address the issue, we will introduce a new configuration option to control file permission behavior. We will add two new properties to the security section in the configuration file: fileMode and dirMode. These properties will allow users to specify the desired file and directory permissions.

Step-by-Step Solution

1. **Add configuration properties**: Add the following properties to the `security` section in the configuration file:

   ```json
   { "security": { "fileMode": "0640", "dirMode": "0750" } }
   ```

   Alternatively, you can use environment variables:

   ```bash
   OPENCLAW_FILE_MODE=0640 OPENCLAW_DIR_MODE=0750
   ```

2. **Update `saveJsonFile()` function**: Modify the `saveJsonFile()` function in `src/infra/json-file.ts` to use the new configuration properties:

   ```ts
   import * as fs from 'node:fs';
   import { getConfig } from './config';

   const config = getConfig();
   // Fall back to the current defaults so single-user setups keep today's behaviour.
   const fileMode = parseInt(config.security?.fileMode ?? '0600', 8);
   const dirMode = parseInt(config.security?.dirMode ?? '0700', 8);

   // ...

   fs.writeFileSync(filePath, JSON.stringify(data, null, 2));
   // Apply the configured mode instead of the hardcoded 0o600.
   fs.chmodSync(filePath, fileMode);
   ```

3. **Update other affected functions**:
   Apply similar changes to the other functions that use `chmodSync()`, such as `saveJsonFiles()` in `src/infra/json-files.ts`, `device-auth.json` handling in `src/infra/device-auth-store.ts`, and others.
4. **Add support for `OPENCLAW_SKIP_CHMOD` environment variable**:
   Introduce a check for the `OPENCLAW_SKIP_CHMOD` environment variable and skip the `chmodSync()` calls if it is set to `1`.
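One way to wire the whole proposal together, as an added example that is not openclaw's code (the `security` config shape, the `OPENCLAW_*` variable names and the helper names are assumed from this issue): it resolves the modes from config and environment with 0o600/0o700 as defaults, honours `OPENCLAW_SKIP_CHMOD`, refuses world-writable modes, and reads back the bits on disk for the verification step.

```typescript
import * as fs from 'node:fs';
import * as os from 'node:os';
import * as path from 'node:path';

// Hypothetical shape of the proposed "security" config section (assumed, not openclaw's real schema).
export interface SecurityConfig { fileMode?: string; dirMode?: string }
export interface ResolvedModes { skipChmod: boolean; fileMode: number; dirMode: number }

// Parse an octal mode string such as "0640" or "0o750". Rejects malformed values and any
// mode that grants write access to "other", which a shared-group setup never needs.
export function parseMode(value: string | undefined, fallback: number): number {
  if (value === undefined || value === '') return fallback;
  if (!/^(0o?)?[0-7]{3}$/.test(value)) throw new Error(`invalid mode string: ${value}`);
  const mode = parseInt(value.replace(/^0o/, ''), 8);
  if (mode & 0o002) throw new Error(`refusing world-writable mode: ${value}`);
  return mode;
}

// Env vars override the config section; defaults keep today's 0o600 / 0o700 behaviour.
export function resolveModes(
  cfg: SecurityConfig,
  env: Record<string, string | undefined> = process.env,
): ResolvedModes {
  return {
    skipChmod: env.OPENCLAW_SKIP_CHMOD === '1',
    fileMode: parseMode(env.OPENCLAW_FILE_MODE ?? cfg.fileMode, 0o600),
    dirMode: parseMode(env.OPENCLAW_DIR_MODE ?? cfg.dirMode, 0o700),
  };
}

// Replacement for the hardcoded chmodSync(0o600): write, then apply the configured
// modes unless the admin asked OpenClaw to leave permissions alone.
export function saveJsonFile(filePath: string, data: unknown, modes: ResolvedModes): void {
  const dir = path.dirname(filePath);
  fs.mkdirSync(dir, { recursive: true });
  fs.writeFileSync(filePath, JSON.stringify(data, null, 2));
  if (modes.skipChmod) return;
  fs.chmodSync(dir, modes.dirMode);
  fs.chmodSync(filePath, modes.fileMode);
}

// Constructed end-to-end run in a temp dir: a state file shared read-only with the group.
export function demo(): { file: number; dir: number } {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'openclaw-modes-'));
  const target = path.join(root, 'state', 'device-auth.json');
  saveJsonFile(target, { deviceId: 'constructed-example' }, resolveModes({ fileMode: '0640', dirMode: '0750' }, {}));
  const bits = (p: string) => fs.statSync(p).mode & 0o777; // permission bits actually on disk
  return { file: bits(target), dir: bits(path.dirname(target)) };
}
```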

### Verification
To verify that the fix worked, you can:

* Run OpenClaw in a Docker container with the new configuration.
* Check the file permissions after writing to ensure they match the specified `fileMode` and `dirMode`.
* Test the access for the second user (`eldar`) in the same group to ensure they can read the OpenClaw state files.

### Extra Tips
* Make sure to update the documentation to reflect the new configuration options and environment variables.
* Consider adding a default value for `fileMode` and `dirMode` to ensure backward compatibility.
* You can use a library like `chmod` to handle permission changes in a more robust way.
