Security concern: CodexSandboxOffline/Online assigned to entire user profile tree on Windows 11 #12343
Description
What version of Codex CLI is running?
0.101.0
What subscription do you have?
Bring Your Own Key
Which model were you using?
gpt-5.2-codex
What platform is your computer?
Windows 11 Pro
What terminal emulator and version are you using (if applicable)?
PowerShell
What issue are you seeing?
On Windows 11, Codex’s experimental sandbox creates two local users (CodexSandboxOffline and CodexSandboxOnline) that belong to the CodexSandboxUsers group.
These users are granted permissions on the project folders (and subfolders) where Codex-CLI is executed.
While this is understandable (the goal is to add an extra security layer when running commands), what I find unacceptable is that these users are also granted access to C:\Users\<USER> and—indiscriminately—to ALL subfolders under that directory. Aside from the fact that this approach dirties the environment (after uninstalling codex-cli and removing the Windows users, stale/unreferenced user SIDs can still remain on ACLs), it looks like a potential attack surface in the event of malicious commands executed via codex-cli.
The same behavior can be observed when using the IDE extension (which effectively downloads precompiled Windows binaries, but ultimately codex-windows-sandbox.exe mirrors the same behavior).
Other than using WSL, is there any way to avoid this pollution? And why isn’t this explicitly stated in the documentation? (It wouldn’t fix the issue, but at least users would be aware of it.)
What steps can reproduce the bug?
Install codex-cli on Windows and choose to setup the default sandbox when asked.
What is the expected behavior?
No response
Additional information
No response