codex - 💡(How to fix) Fix Sandbox bugged, the agent is reading my whole disk [3 comments, 3 participants]

openai/codex#23459, fetched 2026-05-20 03:49:41
What version of the Codex App are you using (From “About Codex” dialog)?

codex-cli 0.131.0

What subscription do you have?

plus

What platform is your computer?

Windows

What issue are you seeing?

Since yesterday, I noticed that codex-cli was no longer asking me for permission before writing files in my folder. This morning I realized that it is reading my whole disk (I'm working on a library and told it that I have an error in the project using it, so it searched for the project using it in my develop directory). I have been trying for an hour to pinpoint the problem, but it is happily reading my whole filesystem. It read the temp, my profile file, everything. The only information I got is that in my config.toml I have

```toml
[windows]
sandbox = "unelevated"
```

And it told me that that setting gives it the ability to read my whole disk. This is its analysis:

```
[windows] sandbox = "unelevated" appears to mean: run commands as a non-admin/restricted Windows process. It does not mean “only allow reads inside the workspace.”

  So practically, yes: I can read anything that the Windows user alkam can read, unless Codex adds a stricter read filter. It is not literally “the whole disk” if NTFS denies access, but it includes
  normal readable folders like C:\temp, sibling repos, your user profile, etc.

  The setting is here:

  # C:\Users\alkam\.codex\config.toml

  [windows]
  sandbox = "unelevated"

  And the agent mode is selected by CLI/app as:

  --sandbox workspace-write
```

I asked it where the --sandbox workspace-write comes from, because I launch without parameters; it was unable to tell me where that setting comes from. The only thing that it told me is that, since the sandbox is workspace-write, it means that it can read my whole disk.

<img width="1312" height="193" alt="Image" src="https://github.com/user-attachments/assets/24c6491a-61e1-4fc1-bb3a-3c3a408d288e" />

I tried every prompt; it is telling me that it can read (and it read) my whole filesystem.

<img width="1092" height="495" alt="Image" src="https://github.com/user-attachments/assets/08ee4705-25e6-4551-bda8-6bda8dcac73d" /> <img width="1036" height="395" alt="Image" src="https://github.com/user-attachments/assets/0643a745-6994-4812-8af0-a49c474609bd" />

I immediately uninstalled all applications and rotated the very few keys I have on this system. I was astonished that your product started reading my whole disk without any problem and that it is unable to tell me why.

What steps can reproduce the bug?

I simply launch

codex

then ask if it can read my whole filesystem, and it happily read it, telling me that the sandbox permitted it.

What is the expected behavior?

No response

Additional information

Not reading my whole freaking disk.
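
The analysis quoted in the issue says a process in the "unelevated" sandbox can read whatever the Windows user can read. The following is an added example, not part of the original issue and not Codex code: a Python check that measures that reach for the current OS user by attempting real reads on paths outside a workspace. The function names and the candidate paths under `__main__` are assumptions chosen for illustration.

```python
import os
from pathlib import Path


def is_inside(path: Path, root: Path) -> bool:
    """True if path resolves to a location under root (symlinks followed)."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def can_read(path: Path) -> bool:
    """Attempt the read itself; permission bits alone can mislead with NTFS ACLs."""
    try:
        if path.is_dir():
            with os.scandir(path) as entries:
                next(entries, None)  # listing one entry proves directory read access
        else:
            with open(path, "rb") as fh:
                fh.read(1)
        return True
    except OSError:  # missing path, access denied, sharing violation, ...
        return False


def read_exposure(workspace: Path, candidates) -> list:
    """Candidate paths outside the workspace that this OS user can read.

    Any process started as this user without an extra read filter has the same reach.
    """
    return [p for p in map(Path, candidates)
            if not is_inside(p, workspace) and can_read(p)]


if __name__ == "__main__":
    home = Path.home()
    # Assumed locations worth checking; adjust to where your secrets live.
    candidates = [
        home,
        home / ".ssh",
        home / ".aws" / "credentials",
        Path(os.environ.get("TEMP", "/tmp")),
        Path.cwd().parent,  # sibling repositories next to the workspace
    ]
    for exposed in read_exposure(Path.cwd(), candidates):
        print(f"readable outside workspace: {exposed}")
```

Run it from the workspace directory under the same account that launches the agent; every path it prints is one to protect with a separate OS account, tighter ACLs, or by moving the secret elsewhere.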
