fix(sandbox): ensure read_write directories are writable by sandbox user#7
Merged
Container images may ship /tmp as root:root 0700. The supervisor's prepare_filesystem only chowned newly-created directories, leaving existing ones inaccessible to the unprivileged sandbox user. When a read_write directory exists but is not writable by the target user (neither world-writable nor owned by the user with write bit), set its mode to 1777 (sticky world-writable). This fixes Claude Code failing with EACCES when creating its task directory under /tmp.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
The st_uid() method is from std::os::linux::fs::MetadataExt while uid() is from std::os::unix::fs::MetadataExt which is portable across all Unix platforms.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
Summary
Container images (for example ghcr.io/nvidia/openshell-community/sandboxes/base:latest) ship /tmp as root:root 0700. prepare_filesystem only chowned newly created directories, leaving existing ones inaccessible to the unprivileged sandbox user. Claude Code then fails with EACCES: permission denied, mkdir '/tmp/claude-998/...' when trying to create its task directory.

Fix

When a read_write directory exists but is not writable by the target user (neither world-writable nor owned by the user with write bit), set its mode to 1777 (sticky world-writable). This runs before the child process is forked, so there is no TOCTOU risk.

Test plan

- New test prepare_read_write_path_fixes_inaccessible_tmp
- Verified /tmp inside the sandbox
- Existing tests (prepare_read_write_path_creates_missing_directory, prepare_read_write_path_preserves_existing_directory, prepare_read_write_path_rejects_symlink) still pass

Context
Without this fix, Claude Code's Bash tool cannot execute inside sandboxes using the community base image, which blocks network access testing (the proxy allows network from Claude Code's process tree via ancestor binary matching).
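The writability rule and the 1777 fallback from the Fix section, written out as an added Rust example; this is not OpenShell's own prepare_read_write_path. It assumes the directory already exists, refuses symlinks (mirroring the existing rejects_symlink test) by inspecting them with symlink_metadata, and leaves the chown of newly created directories out of scope.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::{MetadataExt, PermissionsExt};
use std::path::Path;

const S_IWUSR: u32 = 0o200; // owner write bit
const S_IWOTH: u32 = 0o002; // world write bit
/// Sticky + world-writable, the mode the fix applies.
const STICKY_WORLD_WRITABLE: u32 = 0o1777;

/// True when `uid` can write to a directory with this owner and mode, using
/// the two-case rule from the PR: world-writable, or owned by the target user
/// with the owner write bit set. Group bits and ACLs are deliberately ignored,
/// so the check errs on the side of "not writable" and applying the fix.
pub fn writable_by(owner_uid: u32, mode: u32, uid: u32) -> bool {
    let perm = mode & 0o7777;
    (perm & S_IWOTH) != 0 || (owner_uid == uid && (perm & S_IWUSR) != 0)
}

/// Make an existing read_write directory usable by `uid`; returns the
/// resulting permission bits. symlink_metadata does not follow links, so a
/// symlink planted in the image cannot redirect the chmod to another path.
pub fn prepare_read_write_path(path: &Path, uid: u32) -> io::Result<u32> {
    let meta = fs::symlink_metadata(path)?;
    if meta.file_type().is_symlink() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "refusing symlink"));
    }
    if !meta.is_dir() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "not a directory"));
    }
    let mode = meta.mode();
    if writable_by(meta.uid(), mode, uid) {
        return Ok(mode & 0o7777); // already usable: preserve existing mode
    }
    // Runs in the supervisor before fork, as the PR notes, so no TOCTOU window
    // exists between this check and the child's first use of the directory.
    fs::set_permissions(path, fs::Permissions::from_mode(STICKY_WORLD_WRITABLE))?;
    Ok(STICKY_WORLD_WRITABLE)
}

fn main() -> io::Result<()> {
    // Constructed demo driver (not the supervisor's CLI): <dir> <uid>
    let mut args = std::env::args().skip(1);
    let path = args.next().unwrap_or_else(|| "/tmp".to_string());
    let uid: u32 = args.next().and_then(|s| s.parse().ok()).unwrap_or(1000);
    let mode = prepare_read_write_path(Path::new(&path), uid)?;
    println!("{path}: mode now {mode:o}");
    Ok(())
}
```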