How to set cursor CLI permissions on Linux?

Where does the bug appear (feature/product)?

Cursor CLI

Describe the Bug

I installed Cursor CLI on a Linux service. I only need it to execute some code generation. I don’t need it to read system config, other directories…

I read in the documentation that I can configure cli.json in the project config and the global config. I set both, but it doesn’t work. It can still read other files and directories.

I guess the CLI does not support setting permissions? Please confirm.

Steps to Reproduce

json config:

{
    "version": 1,
    "editor": { "vimMode": false },
    "permissions": {
      "allow": [
        "Shell(ls)",
        "Shell(pwd)",
        "Read(*.html)",
        "Read(*.css)",
        "Read(*.js)",
        "Read(**/*.html)",
        "Read(**/*.css)",
        "Read(**/*.js)",
        "Write(*.html)",
        "Write(*.css)",
        "Write(*.js)",
        "Write(**/*.html)",
        "Write(**/*.css)",
        "Write(**/*.js)"
      ],
      "deny": [
        "Shell(cat)",
        "Shell(less)",
        "Shell(more)",
        "Shell(head)",
        "Shell(tail)",
        "Shell(grep)",
        "Shell(awk)",
        "Shell(sed)",
        "Shell(find)",
        "Shell(vim)",
        "Shell(nano)",
        "Shell(rm)",
        "Shell(ps)",
        "Shell(top)",
        "Shell(htop)",
        "Shell(netstat)",
        "Shell(ss)",
        "Shell(lsof)",
        "Shell(systemctl)",
        "Shell(service)",
        "Shell(df)",
        "Shell(free)",
        "Shell(ifconfig)",
        "Shell(ip)",
        "Shell(env)",
        "Shell(printenv)",
        "Shell(who)",
        "Shell(w)",
        "Shell(sudo)",
        "Shell(curl)",
        "Shell(wget)",
        "Shell(python)",
        "Shell(python3)",
        "Shell(bash)",
        "Shell(sh)",
        
        "Read(/etc/**)",
        "Read(/var/**)",
        "Read(/root/**)",
        "Read(/home/**)",
        "Read(/proc/**)",
        "Read(/sys/**)",
        "Read(/boot/**)",
        "Read(/opt/**)",
        "Read(/usr/**)",
        "Read(/tmp/**)",
        "Read(/lib/**)",
        "Read(/bin/**)",
        "Read(/sbin/**)",
        
        "Read(../**)",
        "Read(../../**)",
        "Read(../../../**)",
        
        "Read(**/.env*)",
        "Read(**/.git/**)",
        "Read(**/.ssh/**)",
        "Read(**/*.key)",
        "Read(**/*.pem)",
        "Read(**/*.conf)",
        "Read(**/*.config)",
        "Read(**/*.ini)",
        "Read(**/*.log)",
        "Read(**/config/**)",
        "Read(**/credentials*)",
        "Read(**/secrets*)",
        "Read(**/password*)",
        "Read(**/database*)",
        
        "Write(/etc/**)",
        "Write(/var/**)",
        "Write(/root/**)",
        "Write(/home/**)",
        "Write(/proc/**)",
        "Write(/sys/**)",
        "Write(../**)",
        "Write(**/.env*)",
        "Write(**/*.key)",
        "Write(**/*.pem)",
        "Write(**/config/**)"
      ]
    }
}

Operating System

Linux

Current Cursor Version (Menu → About Cursor → Copy)

version: cursor cli 1.6

Does this stop you from using Cursor

Yes - Cursor is unusable

Hey, thanks for the report. Your config looks structurally correct! To understand what’s happening, I need a precise scenario.

Please share a specific test:

  • What command are you running? For example:
    cursor-agent -p "read the /etc/passwd file"
  • What happens? Does it actually read the file, or is the request blocked?
  • Where is the config located?
    • ~/.cursor/cli-config.json (global)
    • <your-project>/.cursor/cli.json (project-specific)

Can you try a simple case to confirm the permissions are being loaded?

  • Run:
    cursor-agent -p "run the command: cat /etc/passwd"
  • This should be blocked by your Shell(cat) deny rule.

Important:

  • Docs say deny rules take precedence over allow rules
  • The agent might try different methods if one tool is blocked

Share the test results and I’ll help determine if it’s a bug or a config issue.
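
The test requested in the reply above, as a repeatable script (an added example, not code from Cursor or from either poster). It assumes `cursor-agent` is on PATH and that the script is run from the project root; the function names and the passwd-line regex are this example's own.

```python
import json
import re
import subprocess
from pathlib import Path

# Config locations named in the reply above.
CONFIGS = [Path.home() / ".cursor" / "cli-config.json", Path(".cursor") / "cli.json"]
# The two probe prompts suggested in the reply above.
PROBES = ["run the command: cat /etc/passwd", "read the /etc/passwd file"]
# Rule shape seen in the posted config, e.g. "Shell(cat)" or "Read(/etc/**)".
RULE = re.compile(r"^[A-Za-z]+\(.+\)$")
# One passwd(5) record: name:password:UID:GID:GECOS:home:shell
PASSWD_LINE = re.compile(
    r"^[ \t]*[^:\s]+:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.M)


def check_config(path):
    """Return a list of problems with one config file (empty list: loads cleanly)."""
    path = Path(path)
    if not path.is_file():
        return [f"{path}: not found"]
    try:
        perms = json.loads(path.read_text())["permissions"]
        allow, deny = list(perms.get("allow", [])), list(perms.get("deny", []))
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        return [f"{path}: cannot load permissions ({exc!r})"]
    problems = [f"{path}: malformed rule {r!r}" for r in allow + deny
                if not (isinstance(r, str) and RULE.match(r))]
    # Overlaps are worth seeing because the docs say deny takes precedence.
    problems += [f"{path}: {r!r} is in both allow and deny"
                 for r in sorted(set(map(str, allow)) & set(map(str, deny)))]
    return problems


def passwd_leaked(output):
    """True if the agent's output contains at least one passwd-format line."""
    return bool(PASSWD_LINE.search(output))


def run_probe(prompt):
    """Run one non-interactive prompt and return everything the CLI printed."""
    proc = subprocess.run(["cursor-agent", "-p", prompt],
                          capture_output=True, text=True, timeout=300)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    for cfg in CONFIGS:
        print("\n".join(check_config(cfg) or [f"{cfg}: loads cleanly"]))
    for prompt in PROBES:
        leaked = passwd_leaked(run_probe(prompt))
        print(f"{prompt!r}: {'passwd content returned' if leaked else 'no passwd lines in output'}")
```

Output without passwd lines does not prove the read was blocked, since the agent may summarize the file instead of printing it, so keep the full transcript alongside the verdict.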