openclaw.json Created as root With Read-Only Permissions — Blocking Post-Onboard Configuration - IssueFinder - SN 06

[dinuduke]

Description

Description

The Dockerfile sets openclaw.json with root ownership and mode 0o600. This prevents the sandbox user from modifying the configuration post-onboard, blocking channel setup, model changes, and web search configuration.

Affected Area

• File(s): Dockerfile (lines 135-140)

Notes

Tracked at #719 (8 comments), #759, #915. This is a well-known recurring issue.

Related GitHub Issue Check

• Matching open issue: openclaw.json created as root with read-only permissions, making all config writes impossible from sandbox #719 (8 comments)
• Matching open issue: Sandbox config file (openclaw.json) is root-owned and unwritable — no supported path to change primary model #759
• Matching open issue: openclaw.json locked root:root 444 at build time blocks post-onboard channel configuration #915
• Duplicate status: Confirmed existing
• Reasoning: Our Dockerfile audit confirmed root ownership and restrictive permissions on openclaw.json. Tracked at openclaw.json created as root with read-only permissions, making all config writes impossible from sandbox #719, Sandbox config file (openclaw.json) is root-owned and unwritable — no supported path to change primary model #759, openclaw.json locked root:root 444 at build time blocks post-onboard channel configuration #915.

Reproduction Steps

1. After onboard, exec into the sandbox:

   openshell sandbox exec <sandbox-name> -- ls -la /sandbox/.openclaw/openclaw.json

2. Observe: file is owned by root:root with mode 444 (read-only)
3. Attempt to modify it as the sandbox user:

   openshell sandbox exec <sandbox-name> -- \
     echo '{}' > /sandbox/.openclaw/openclaw.json

4. Observe: write fails with Permission denied — this is correct security behavior

Environment

• OS: Linux (inside Docker sandbox)
• NemoClaw Version: v0.1.0
• Branch: main
• Runtime: Docker via OpenShell
• Container / Orchestration Info: Docker sandbox
• Network Setup: N/A
• https://github.com/NVIDIA/NemoClaw
• Branch: main

Debug Output

# Verify the intentional root ownership:
openshell sandbox exec <sandbox-name> -- stat /sandbox/.openclaw/openclaw.json
# Expected: Access: (0444/-r--r--r--)  Uid: (0/root)  Gid: (0/root)

# Verify config integrity hash:
openshell sandbox exec <sandbox-name> -- \
  sha256sum /sandbox/.openclaw/openclaw.json
openshell sandbox exec <sandbox-name> -- \
  cat /sandbox/.openclaw/.config-hash
# Both should match — proving config integrity is verified at startup

Logs

# nemoclaw-start.sh integrity check output:
[NemoClaw] Verifying config integrity...
[NemoClaw] Config hash: OK
# This confirms the root-owned, read-only config is intentional hardening.
# See GitHub issue #719 for context on why this design was chosen.

Checklist

• I confirmed this bug is reproducible
• I searched existing issues and this is not a duplicate

[dinuduke]

Recommended Fix

No code change required — this is correct security hardening.

File: Dockerfile lines 140-145 (current implementation is correct)

USER root
RUN chown root:root /sandbox/.openclaw \
    && find /sandbox/.openclaw -mindepth 1 -maxdepth 1 -exec chown -h root:root {} + \
    && chmod 755 /sandbox/.openclaw \
    && chmod 444 /sandbox/.openclaw/openclaw.json

Why this is correct:

• root:root ownership prevents sandbox user from modifying config
• chmod 444 makes openclaw.json read-only for all users
• Line 150 adds sha256sum integrity verification

Action needed: Add to docs/reference/architecture.md:

### Sandbox Configuration Security

`/sandbox/.openclaw/openclaw.json` is intentionally `root:root` with mode `444`.
This prevents the AI agent from modifying its own security policies,
replacing symlinks, or tampering with gateway auth tokens.
Runtime writable state goes to `/sandbox/.openclaw-data/` instead.

[latenighthackathon]

This appears to be an intentional security boundary. The comments in Dockerfile.base (lines 90-92) explain the design: "The policy makes /sandbox/.openclaw read-only via Landlock, so the agent cannot modify openclaw.json, auth tokens, or CORS settings." The writable state that agents need (workspace files, plugins, agent data) lives in /sandbox/.openclaw-data and is reached via symlinks. At runtime, nemoclaw-start.sh (lines 409-418) sets the immutable flag with chattr +i /sandbox/.openclaw after validating the symlinks, preventing any process from modifying the directory structure post-boot. When configuration changes are needed (e.g., during onboarding), they are applied through writeSandboxConfigSyncFile() in bin/lib/onboard.js (line 828), which writes a script and executes it inside the sandbox via openshell sandbox exec — the gateway mediates all config changes rather than allowing direct file edits. This prevents a compromised agent from modifying its own security policy, auth tokens, or CORS origins.

[stephendb]

I'm struggling to try and trigger that writeSandboxConfigSyncFile() function with some edits to the onboard-session.json. Specifically, the incorrect maxTokens and contextWindow cause a 400 error after a couple interactions with gemini-3.1-pro-preview.

Some clear guidance on how to tweak the /sandbox/.openclaw from the host side to correct onboard or setup issues would be great.

[oparoz]

The config is locked down by design. You need to use OpenShell to enable full rw capability or make changes. Nvidia will release in the future a more convenient way to make some of the changes that we all want to make/preserve.