Skip to content

A few nuances in the Claude Code managed-settings file #41

New issue
New issue
Open
Open
A few nuances in the Claude Code managed-settings file#41
@hussam-Tanium

Description

@hussam-Tanium
hussam-Tanium
opened on Mar 13, 2026

Hey, love the project.
I tested some nuances in the Claude Code config file and figured you may benefit if you haven't considered these already. Original credit: https://www.petefreitag.com/blog/claude-code-permissions/

I found Pete's blog to be only partially true, perhaps claude updated something in the last 5 months. I tried only blocking read access to .aws but blocking both read and edit to .azure, along with the other Bash denies you guys have in the settings.json. The result: I couldn't edit existing files in .aws, but I could create new ones AND I COULD DELETE FILES in .aws, whereas I could not create new files or delete them in .azure. Here's a summary of my testing and findings:

Managed Settings I tested:

    "deny": [ 
     "Bash(rm -rf *)",
      "Bash(rm -fr *)",
      … (all copied verbatim)
      "Read(~/.aws/**)",
      "Read(~/.azure/**)",
      "Edit(~/.azure/**)"
       ...
]

Output:
❯ okay now summarize everything very concisely

⏺ Security Testing Summary — managed-settings.json Permission Validation (Full Session)
We tested Read, Write, Edit, and Bash operations against credential-sensitive paths in the managed settings file, iterating through several configuration changes.

Findings:

  1. Edit is the umbrella rule — denying Edit on a path blocks Write (new files), Edit tool operations, and Bash commands on matching paths. No separate Write or Bash path-specific rules are needed.
  2. ~/.aws/** was missing Edit — the only path with only Read denied. This allowed new file writes and plain rm via Bash. Confirmed by successfully writing files and deleting ~/.aws/credentials during testing.
  3. Generic Bash deny rules don't close the gap — Bash(rm -rf *) blocks recursive deletes but plain rm on individual files bypasses it entirely. Path-specific Bash rules are not a substitute for Edit.
  4. managed-settings.json is hot-reloaded — changes take effect immediately without restarting the session. (just a fun fact)

Conclusion: The correct and minimal fix is adding "Edit(~/.aws/**)" to the deny list. The generic Bash rules added are useful hardening but insufficient on their own — Edit(~/.aws/**) is still required to fully protect that directory.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions