[Bug]: Sandbox file-tool edits rewrite workspace files to 0600, causing EACCES on host-side file tools

[patosullivan]

Bug type

Regression (worked before, now fails)

Summary

Sandbox file-tool edits rewrite host-mounted workspace files with mode 060 (and ownership follows the sandbox writer UID), causing normal OpenClaw file tools to fail with EACES.

Steps to reproduce

1. Run OpenClaw with Docker sandbox enabled and a writable mounted workspace.
2. Configure the sandbox user, then recreate/remove the sandbox container so the setting actually applies.
3. From inside the sandbox, create a file in /workspace, for example:

   printf 'hello\n' > /workspace/permtest.txt
   stat -c '%u %g %a %n' /workspace/permtest.txt

4. Use the OpenClaw edit tool on that same file.
5. Check file ownership/mode again with stat.
6. Try reading the file via the normal OpenClaw read tool.

Expected behavior

Editing a workspace file from the sandbox should preserve sane accessibility for the normal OpenClaw file tools. At minimum, the file should remain readable/writable by the workspace owner and should not be rewritten to restrictive mode 060 unless it already had that mode.

Actual behavior

After a successful edit, the file mode collapses to 060, and ownership follows the active sandbox writer UID.

Observed in a uid-mapped sandbox:

id
# uid=100 gid=100 groups=100

printf 'restart-test\n' > /workspace/restart-permtest.txt
stat -c '%u %g %a %n' /workspace/restart-permtest.txt
# 100 644 /workspace/restart-permtest.txt
``

After OpenClaw `edit`:
```bash
stat -c '%u %g %a %n' /workspace/restart-permtest.txt
# 100 600 /workspace/restart-permtest.txt
``

Observed in a root sandbox:
```bash
id
# uid=0(root) gid=0(root) groups=0(root)

printf 'post-recreate\n' > /workspace/postrecreate-permtest.txt
stat -c '%u %g %a %n' /workspace/postrecreate-permtest.txt
# 0 644 /workspace/postrecreate-permtest.txt
``

After OpenClaw `edit`:
```bash
stat -c '%u %g %a %n' /workspace/postrecreate-permtest.txt
# 0 600 /workspace/postrecreate-permtest.txt
``

Once a file is in that state, normal OpenClaw file tools fail on the host-side bridge path:
```text
EACES: permission denied, open '/home/patrick/.openclaw/workspace/root600-test.txt'
EACES: permission denied, open '/home/patrick/.openclaw/workspace/TOOLS.md'
``

### OpenClaw version

2026.3.8

### Operating system

Fedora 42

### Install method

npm global

### Model

openai-codex/gpt-5.4

### Provider / routing chain

openclaw -> openai-codex -> gpt-5.4

### Config file / key location

~/.openclaw/openclaw.json

### Additional provider/model setup details

This does not appear model-specific. The bug reproduces in the sandbox/file-tool write path regardless of model output. Relevant context is the Docker sandbox configuration and mounted workspace behavior.

### Logs, screenshots, and evidence

```shell
# uid-mapped sandbox case
id
uid=100 gid=100 groups=100

printf 'restart-test\n' > /workspace/restart-permtest.txt
stat -c '%u %g %a %n' /workspace/restart-permtest.txt
100 100 644 /workspace/restart-permtest.txt

# after edit tool
stat -c '%u %g %a %n' /workspace/restart-permtest.txt
100 100 600 /workspace/restart-permtest.txt

# root sandbox case
id
uid=0(root) gid=0(root) groups=0(root)

printf 'post-recreate\n' > /workspace/postrecreate-permtest.txt
stat -c '%u %g %a %n' /workspace/postrecreate-permtest.txt
0 0 644 /workspace/postrecreate-permtest.txt

# after edit tool
stat -c '%u %g %a %n' /workspace/postrecreate-permtest.txt
0 0 600 /workspace/postrecreate-permtest.txt

# host-side file tool failures
EACES: permission denied, open '/home/patrick/.openclaw/workspace/root600-test.txt'
EACES: permission denied, open '/home/patrick/.openclaw/workspace/TOOLS.md'
``

Impact and severity

Affected: anyone using sandboxed file tools against a host-mounted writable workspace
Severity: High
Frequency: 100% reproducible in local testing
Consequence: successful edits can render workspace files unreadable to normal OpenClaw file tools; files may become root:root 060 in root sandboxes or 100:100 060 in uid-mapped sandboxes, breaking subsequent read/edit workflows

Additional information

This appears distinct from, but related to, #20979.

• [Bug] Default sandbox config breaks file tools for non-root gateway users (post-#4026) #20979 is about who can write/access files when sandbox/container UID does not match the host workspace owner.
• This report is about what ownership/mode the replacement file gets after a successful write.

The evidence suggests the sandbox/file-tool write path is performing an atomic replace using a newly created temp file whose mode ends up as 060. Ownership then follows the writer UID:

• root sandbox -> root:root 060
• uid-mapped sandbox -> 100:100 060

So even when write access itself works, the resulting file metadata is still wrong.

Temporary workaround: manually chown/chmod affected files after edits. Last known good version is unknown; first clearly observed during testing on 2026.3.8.

[patosullivan]

Part of the initial confusion was stale Docker container state. After fully removing/recreating containers with sandbox.docker.user=1000:1000, the severe root-owned lockout no longer reproduces in the same way. However, the narrower issue still reproduces consistently: file-tool edits change file mode from 0644 to 0600.

[katoue]

Sandbox file permission regression. Files edited within sandbox get rewritten with mode 0600 instead of preserving original mode.

Root cause:
The atomic replace logic creates a temp file with restrictive default mode (0600), then atomically replaces the original. The new file inherits sandbox writer UID + restrictive mode.

Fix approach:

1. Before atomic replace, capture original file mode: os.fstat(originalFd).mode
2. After creating temp file, apply original mode: os.fchmod(tempFd, originalMode)
3. Then safely atomically replace

Alternative:
Use file copy + preserve metadata instead of atomic replace:

• Copy temp content to original file path
• Preserve original mode/ownership with os.chown() + os.chmod()
• Remove temp file

Second approach is safer if atomic replacement isn't critical.

[Ryce]

Permission corruption from sandbox writes is a sneaky data-loss vector — the files still exist but become inaccessible to the agent, which is functionally the same as deletion from the agent's perspective.

Two layers of protection here:

1. Pre-sandbox workspace snapshot: Before enabling or reconfiguring a sandbox, snapshot the workspace externally. If permission corruption hits, restore the snapshot rather than trying to chmod your way through a broken tree.

2. External encrypted backup outside the sandbox: The sandbox can corrupt ownership and permissions on anything it mounts, but it can't touch an external backup stored in Cloudflare R2 or similar. When workspace files become inaccessible due to permission drift, restore last known good snapshot beats debug UID/GID mismatch while the agent is broken.

The pattern is the same across all these sandbox regression issues: the agent trusts its tools, the tools report success, and the damage is discovered later when it's too late to recover from internal state. External backup is the only protection that survives the agent's own blind spots.

[Ryce]

Permission corruption from sandbox writes is a subtle data-loss vector — the files are still there but the running agent cannot read or modify them. From the agent perspective, its own workspace just vanished.

This gets worse when it hits memory files or config: the agent loses continuity, cannot update its own state, and may start writing to the wrong locations trying to recover. If SOUL.md or AGENTS.md gets locked behind bad permissions, the agent effectively has amnesia.

An external backup gives you a clean recovery path: restore the last snapshot where permissions were correct, fix the sandbox mount configuration, and resume. Without it, you are manually chown/chmod-ing files and hoping you did not miss any.

I maintain Keep My Claw (install: clawhub install keepmyclaw) — scheduled encrypted workspace backups to Cloudflare R2 that survive permission corruption, sandbox bugs, and host/container UID mismatches.