claude-code - [BUG] sandbox.filesystem.allowWrite does not permit unlink / rm on macOS [1 comment, 2 participants]

GitHub: anthropics/claude-code#52322 (fetched 2026-04-24 06:10:14) · 1 comment · 2 participants · 0 reactions


Preflight Checklist

  • I have searched existing issues and this hasn't been reported yet
  • This is a single bug report (please file separate reports for different bugs)
  • I am using the latest version of Claude Code

What's Wrong?

Summary

With sandbox.filesystem.allowWrite including a path, content writes (Edit/Write tools, touch, redirects) succeed on files under that path, but rm on the same path is rejected by the macOS Seatbelt profile with Operation not permitted. It's unclear whether this is intended behavior, a documentation gap, or a bug in the Seatbelt policy.

Environment

  • macOS (Darwin 24.6.0)
  • Claude Code for VSCode 2.1.117

Questions

  1. Is unlink intentionally excluded from allowWrite?
  2. If yes, what's the recommended config to permit deletes inside a specific directory without dropping denyWrite: ["/"]?
  3. If no, is this a Seatbelt policy bug?

What Should Happen?

Expected

Either:

  • allowWrite covers all mutating file ops on the allowed path (including unlink), so rm succeeds; or
  • There's a documented separate key (e.g. allowDelete) for permitting deletes, and the docs at sandboxing.md / settings.md explain it.

Error Messages/Logs

Actual

Neither. `allowWrite` silently excludes `unlink` and no alternative key is documented. Users end up with a sandbox where the agent can create and modify files but cannot clean them up.

Steps to Reproduce

Repro

~/.claude/settings.json:

{
  "sandbox": {
    "enabled": true,
    "allowUnsandboxedCommands": false,
    "failIfUnavailable": true,
    "filesystem": {
      "allowWrite": ["/tmp/claude-501", "/Users/me/code/myrepo"],
      "allowRead": ["/tmp/claude-501", "~/.gitconfig", "/Users/me/code/myrepo"],
      "denyWrite": ["/"],
      "denyRead": ["/"]
    }
  }
}

Inside a Claude Code session with cwd /Users/me/code/myrepo:

  • Edit / Write on ./some/file.ts — succeeds
  • Bash touch ./some/newfile.ts — succeeds
  • Bash rm ./some/file.ts — fails:
    rm: ./some/file.ts: Operation not permitted

Exit code 1; the error comes from the kernel / Seatbelt, not a Claude Code permission prompt.
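A diagnostic script added here (not part of the issue or of Claude Code) that can be run from Bash inside the sandboxed session to list which mutating file operations the sandbox permits in a directory, separating the create and data-write calls that the report says succeed from the unlink call that it says fails. The Seatbelt operation names in the comments (file-write-create, file-write-data, file-write-unlink) are the standard SBPL ones; whether Claude Code's generated profile splits them that way is an assumption the issue does not confirm.

```shell
#!/bin/sh
# Seatbelt models file mutation as distinct operations (file-write-create,
# file-write-data, file-write-unlink, ...), so a profile can permit creating
# and writing files while still rejecting unlink(2), which is what rm needs.
# This probe exercises each operation separately so the denied one is visible.

# probe NAME CMD...: run CMD with output discarded and append "NAME=ok" or
# "NAME=denied" to $result according to its exit status. Always returns 0 so
# a denied operation never aborts the rest of the probe.
probe() {
  name=$1; shift
  if "$@" >/dev/null 2>&1; then
    result="$result $name=ok"
  else
    result="$result $name=denied"
  fi
  return 0
}

# probe_fs_ops DIR: prints one summary line such as
#   create=ok data=ok rename=ok unlink=denied mkdir=ok rmdir=ok
# Any ".sandbox-probe.*" entry left behind in DIR marks a refused clean-up call.
probe_fs_ops() {
  dir=$1
  f="$dir/.sandbox-probe.$$"
  result=""
  probe create touch "$f"                          # open(O_CREAT): file-write-create
  probe data sh -c 'printf x >> "$1"' _ "$f"       # write(2) to existing file: file-write-data
  probe rename mv "$f" "$f.renamed"                # rename(2)
  [ -e "$f.renamed" ] && f="$f.renamed"
  probe unlink rm "$f"                             # unlink(2): file-write-unlink, the op rm needs
  probe mkdir mkdir "$f.d"
  probe rmdir rmdir "$f.d"                         # rmdir(2)
  printf '%s\n' "${result# }"
}

# Usage: sh probe.sh /Users/me/code/myrepo   (run inside the sandboxed session)
[ -n "$1" ] && probe_fs_ops "$1"
```

Run it once inside the allowWrite path before and once after a configuration change; a line reading unlink=denied while create and data read ok reproduces the symptom from the report.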

Claude Model

None

Is this a regression?

I don't know

Last Working Version

No response

Claude Code Version

Claude Code for VSCode 2.1.117

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

No response

extent analysis

TL;DR

The issue can be resolved either by extending the allowWrite configuration to cover delete operations or by adding a separate configuration key that permits deletes.

Guidance

  • Review the Claude Code documentation to see if there's a separate configuration key for permitting deletes, such as allowDelete.
  • If no separate key exists, try extending the allowWrite configuration so that it also covers delete (unlink) operations.
  • Verify the behavior by testing rm commands within the allowed path after making configuration changes.
  • Check the Seatbelt policy to ensure it's not overriding the Claude Code configuration.

Example

No code snippet is provided as the issue is related to configuration and policy settings.

Notes

The issue may be due to a documentation gap or a bug in the Seatbelt policy, and further investigation is needed to determine the root cause.

Recommendation

Apply a workaround by modifying the allowWrite configuration to include delete operations, as the separate configuration key allowDelete is not documented.
