Skip to content

Environment variables, authentication improvements, and critical security fix#7

Merged
lroolle merged 3 commits intomainfrom
fix/env-vars-and-auth-improvements
Jun 22, 2025
Merged

Environment variables, authentication improvements, and critical security fix#7
lroolle merged 3 commits intomainfrom
fix/env-vars-and-auth-improvements

Conversation

@lroolle
Copy link
Copy Markdown
Member

@lroolle lroolle commented Jun 22, 2025
edited
Loading

Summary

Major enhancements to Claude Code YOLO with critical security fixes:

  • SECURITY FIX: Stop modifying permissions on user-mounted volumes
  • Consolidate auth to --auth-with METHOD pattern (claude, api-key, bedrock, vertex)
  • Add flexible volume mounting via -v flag in claude-yolo
  • GitHub CLI authentication support via GH_TOKEN environment variable
  • Enhanced environment variable passthrough and timezone detection
  • Better error handling and container management

Critical Security Fix

Problem: The script was running chmod -R 755 on ALL user-mounted directories, including .ssh, corrupting SSH private key permissions and breaking authentication.

Solution:

  • Removed dangerous permission modifications on user volumes
  • Users now control their own mount permissions
  • Only essential Claude directories get permission changes
  • Prevents SSH key corruption and other security issues

Other Improvements

  • Authentication: New --auth-with parameter replaces scattered auth flags
  • Volume mounting: Added -v support to claude-yolo for custom mounts
  • GitHub CLI: Added GH_TOKEN environment variable passthrough for container auth
  • Environment: Auto-detect timezone, better proxy translation
  • Container tools: Enhanced inspection shortcuts (--inspect, --ps)
  • Documentation: Comprehensive dev logs and usage examples

Breaking Changes

  • Users must set appropriate permissions on mounted volumes themselves
  • No automatic permission changes on user-provided mounts

Test plan

  • Test all auth methods: claude, api-key, bedrock, vertex
  • Verify volume mounting with -v flag preserves permissions
  • Test GitHub CLI auth with GH_TOKEN environment variable
  • Confirm SSH keys remain secure when mounted
  • Check environment variable passthrough
  • Test container shortcuts (--inspect, --ps)

lroolle and others added 3 commits June 22, 2025 05:28
@lroolle
fix: environment variable passthrough and authentication improvements
30a906d 
- Fix environment variables not being passed through gosu to non-root user
- Add comprehensive env var passthrough (proxy, AWS, Anthropic, Claude-specific)
- Fix command substitution error in claude.sh error message
- Add timezone auto-detection for macOS/Linux systems
- Add --auth-with pattern for cleaner authentication method selection
- Add -v flag support for flexible volume mounting
- Remove ineffective XDG_CONFIG_HOME export
- Update documentation for OAuth to API key switching via /login

Fixes #6
@lroolle @claude
fix: revert XDG config mounting and add GitHub CLI auth support
2657a25 
- Revert broad ~/.config mounting that caused issues
- Restore specific ~/.config/gcloud mounting for Vertex AI
- Add GH_TOKEN and GITHUB_TOKEN environment variable passthrough
- Document GitHub CLI authentication in README
- Research keyring vs container auth challenges in dev logs

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@lroolle @claude
fix: critical security - stop modifying permissions on user-mounted v…
8dada53 
…olumes

- Remove dangerous chmod operations on user-mounted directories
- Eliminate hardcoded list (.docker, .terraform.d, .kube, .gitconfig, .npmrc)
- Switch to permission-preserving symlink-only approach
- Users control their own mount permissions for security
- Prevents SSH key corruption and other permission issues

BREAKING: Users must set appropriate permissions on mounted volumes themselves

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
cursor[bot]
cursor Bot reviewed Jun 22, 2025
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: Argument Parsing Infinite Loop

The parse_args() function is missing shift statements for the --inspect and --ps options, causing an infinite loop in the argument parsing. Additionally, the --ps option calls list_containers() but fails to exit, leading to the script incorrectly proceeding to exec "$CLAUDE_SH" --yolo after listing containers.

claude-yolo#L83-L89

https://github.com/lroolle/claude-code-yolo/blob/8dada53c831ec6992ae7e2cdea1e67a81bee37d0/claude-yolo#L83-L89

Fix in Cursor

Bug: Script Argument Handling Inconsistency

The main script's case statement duplicates argument handling already present in the parse_args function, leading to inconsistent behavior:

  • --inspect and --ps are handled directly, causing other arguments (e.g., -v) to be silently ignored when combined.
  • --help is processed twice.

claude-yolo#L122-L137

https://github.com/lroolle/claude-code-yolo/blob/8dada53c831ec6992ae7e2cdea1e67a81bee37d0/claude-yolo#L122-L137

Fix in Cursor

BugBot free trial expires on July 22, 2025
You have used $0.00 of your $10.00 spend limit so far. Manage your spend limit in the Cursor dashboard.

Was this report helpful? Give feedback by reacting with 👍 or 👎

@lroolle lroolle merged commit 37b7ebf into main Jun 22, 2025
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@cursor cursor[bot] cursor[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@lroolle