






















@@ -0,0 +1,76 @@
1+---
2+summary: "How OpenClaw handles local file access safely, and why the optional fs-safe Python helper is off by default"
3+read_when:
4+ - Changing file access, archive extraction, workspace storage, or plugin filesystem helpers
5+title: "Secure file operations"
6+---
7+8+OpenClaw uses [`@openclaw/fs-safe`](https://github.com/openclaw/fs-safe) for security-sensitive local file operations: root-bounded reads/writes, atomic replacement, archive extraction, temp workspaces, JSON state, and secret-file handling.
9+10+The goal is a consistent **library guardrail** for trusted OpenClaw code that receives untrusted path names. It is not a sandbox. Host filesystem permissions, OS users, containers, and the agent/tool policy still define the real blast radius.
11+12+## Default: no Python helper
13+14+OpenClaw defaults the fs-safe POSIX Python helper to **off**.
15+16+Why:
17+18+- the gateway should not spawn a persistent Python sidecar unless an operator opted into it;
19+- many installs do not need the extra parent-directory mutation hardening;
20+- disabling Python keeps package/runtime behavior more predictable across desktop, Docker, CI, and bundled app environments.
21+22+OpenClaw only changes the default. If you explicitly set a mode, fs-safe honors it:
23+24+```bash
25+# Default OpenClaw behavior: Node-only fs-safe fallbacks.
26+OPENCLAW_FS_SAFE_PYTHON_MODE=off
27+28+# Opt into the helper when available, falling back if unavailable.
29+OPENCLAW_FS_SAFE_PYTHON_MODE=auto
30+31+# Fail closed if the helper cannot start.
32+OPENCLAW_FS_SAFE_PYTHON_MODE=require
33+34+# Optional explicit interpreter.
35+OPENCLAW_FS_SAFE_PYTHON=/usr/bin/python3
36+```
37+38+The generic fs-safe names also work: `FS_SAFE_PYTHON_MODE` and `FS_SAFE_PYTHON`.
39+40+## What stays protected without Python
41+42+With the helper off, OpenClaw still uses fs-safe's Node paths for:
43+44+- rejecting relative-path escapes such as `..`, absolute paths, and path separators where only names are allowed;
45+- resolving operations through a trusted root handle instead of ad-hoc `path.resolve(...).startsWith(...)` checks;
46+- refusing symlink and hardlink patterns on APIs that require that policy;
47+- opening files with identity checks where the API returns or consumes file contents;
48+- atomic sibling-temp writes for state/config files;
49+- byte limits for reads and archive extraction;
50+- private modes for secrets and state files where the API requires them.
51+52+These protections cover the normal OpenClaw threat model: trusted gateway code handling untrusted model/plugin/channel path input inside a single trusted operator boundary.
53+54+## What Python adds
55+56+On POSIX, fs-safe's optional helper keeps one persistent Python process and uses fd-relative filesystem operations for parent-directory mutations such as rename, remove, mkdir, stat/list, and some write paths.
57+58+That narrows same-UID race windows where another process can swap a parent directory between validation and mutation. It is defense in depth for hosts where untrusted local processes can modify the same directories OpenClaw is operating in.
59+60+If your deployment has that risk and Python is guaranteed to exist, use:
61+62+```bash
63+OPENCLAW_FS_SAFE_PYTHON_MODE=require
64+```
65+66+Use `require` rather than `auto` when the helper is part of your security posture; `auto` intentionally falls back to Node-only behavior if the helper is unavailable.
67+68+## Plugin and core guidance
69+70+- Plugin-facing file access should go through `openclaw/plugin-sdk/*` helpers, not raw `fs`, when a path comes from a message, model output, config, or plugin input.
71+- Core code should use the local fs-safe wrappers under `src/infra/*` so OpenClaw's process policy is applied consistently.
72+- Archive extraction should use the fs-safe archive helpers with explicit size, entry-count, link, and destination limits.
73+- Secrets should use OpenClaw secret helpers or fs-safe secret/private-state helpers; do not hand-roll mode checks around `fs.writeFile`.
74+- If you need hostile local-user isolation, do not rely on fs-safe alone. Run separate gateways under separate OS users/hosts or use sandboxing.
75+76+Related: [Security](/gateway/security), [Sandboxing](/gateway/sandboxing), [Exec approvals](/tools/exec-approvals), [Secrets](/gateway/secrets).
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。