
[Security Bug] Subagent permissions not enforced - configured restrictions ignored

Open randomm opened this issue 1 week ago • 4 comments

Description

Subagents spawned via the task tool completely ignore agent permission configurations in > v1.0.200. Regardless of what restrictions are defined in opencode.json, subagents have unrestricted access to all tools.

Example

Agent configured with restricted bash access:

"permission": {
  "bash": {
    "git*": "allow",
    "*": "deny"
  }
}

Expected: Subagent can only run git commands

Actual: Subagent can run ANY bash command - restrictions ignored entirely

Root Cause

  1. SessionPrompt.prompt() tools parameter replaces session permissions instead of merging
  2. ToolRegistry.tools() doesn't filter tools by agent permission rules
  3. Subagents inherit no permission restrictions from parent agent config

Impact

Security - All agent permission configurations are effectively useless. Any subagent has full unrestricted access.

Fix

PR #7473 addresses this by:

  • Removing tools parameter override in task.ts
  • Adding permission filtering to ToolRegistry
  • Ensuring proper permission merge order

Related

Related to #6527, #5894, #3808

randomm avatar Jan 09 '26 12:01 randomm

This issue might be a duplicate of or closely related to existing issues. Please check:

  • #6527: [Security Issue/Bug] Plan mode restrictions bypassed when spawning sub-agents - Same root cause where subagents inherit no permission restrictions from parent agent config
  • #3808: Task should inherit current agent permissions/tools for MCP - Directly addresses that tasks/subagents should use same agent with same permissions
  • #5894: [BUG] Plugin hooks (tool.execute.before) don't intercept subagent tool calls - security policy bypass - Related security issue where plugin hooks don't apply to subagent tool calls

Feel free to ignore if your specific case requires a separate track.

github-actions[bot] avatar Jan 09 '26 12:01 github-actions[bot]

So just commenting still briefly: I have been stuck on 1.0.200 with my rather convoluted agent > subagent setup that relies on permissions working. Sometimes subagents go off the rails if permissions do not work.

Thus, today opencode/claude/me submitted the PR. Hopefully it is helpful!!

randomm avatar Jan 09 '26 12:01 randomm

@randomm - can you try moving "*": "deny" so it's the first directive? I was having the same issue and that seemed to fix it for me.

evanreichard avatar Jan 10 '26 18:01 evanreichard

The subagents got a free-for-all regardless. The linked PR fixes this, but having the deny as the first line is still necessary.

randomm avatar Jan 10 '26 19:01 randomm
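
The rule ordering and the replace-versus-merge behaviour discussed in this thread, as an added TypeScript example that is not opencode's code and not written by any participant. It assumes that the last matching pattern wins (consistent with the advice above to list "*": "deny" first) and that a corrected spawn path applies the agent's configured rules after any spawn-time override; every function and constant name is hypothetical.

```typescript
// Added illustration: names and semantics are assumptions, not opencode's API.
type Action = "allow" | "deny";
type Rules = Record<string, Action>; // key order is evaluation order

// Turn a pattern where "*" matches any run of characters into an anchored regex.
function globToRegExp(glob: string): RegExp {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// Assumed semantics: the last matching rule wins; no match at all means deny.
function evaluate(rules: Rules, command: string): Action {
  let verdict: Action = "deny";
  for (const pattern of Object.keys(rules)) {
    const action = rules[pattern];
    if (action && globToRegExp(pattern).test(command)) verdict = action;
  }
  return verdict;
}

// Behaviour the issue reports: the spawn-time override replaces the configured rules.
function replaceRules(_configured: Rules, override: Rules): Rules {
  return { ...override };
}

// Merge in the assumed order: configured rules are re-appended last, so a
// configured deny is evaluated after anything the override supplied.
function mergeRules(configured: Rules, override: Rules): Rules {
  const merged: Rules = { ...override };
  for (const pattern of Object.keys(configured)) {
    const action = configured[pattern];
    if (!action) continue;
    delete merged[pattern]; // re-insert so the key moves to the end
    merged[pattern] = action;
  }
  return merged;
}

// Constructed sample data: the config as posted, its deny-first form, a permissive override.
const AS_POSTED: Rules = { "git*": "allow", "*": "deny" };
const CONFIGURED: Rules = { "*": "deny", "git*": "allow" };
const OVERRIDE: Rules = { "*": "allow" };

// Verdicts for one command under each way of building the subagent's rule set.
function compare(command: string): Record<string, Action> {
  return {
    asPosted: evaluate(AS_POSTED, command),
    denyFirst: evaluate(CONFIGURED, command),
    replaced: evaluate(replaceRules(CONFIGURED, OVERRIDE), command),
    merged: evaluate(mergeRules(CONFIGURED, OVERRIDE), command),
  };
}
```

Calling `compare` with a git command and a non-git command shows the gap a regression test should cover: the replaced rule set allows both, while the merged deny-first set allows only the git command.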