The filesystem MCP server gives agents file access. How does it stop them from reading everything on disk?
The filesystem server restricts access via a directory allowlist on the command line; every path is resolved and checked against those roots, and the MCP protocol itself provides no isolation.
Imagine giving a helper access to a few specific drawers in a filing cabinet, but nothing else. When you start the filesystem MCP server, you hand it a list of folders it is allowed to touch. The server can read files, write files, list folders, and search, but only inside those approved folders. If the helper asks for something from a drawer you did not approve, the server says no. The important part is that only the server enforces this rule. The MCP protocol itself does not know anything about files or folders. And the server runs as you, using your permissions. If you accidentally said 'every drawer in the building is fine,' the helper could go anywhere you could go. So you keep the list narrow.
Detailed answer & concept explanation~5 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
3 min: describe the directory allowlist mechanism, walk the path resolution and check, list the headline tools, explain why the protocol itself provides no isolation, name the OS user as the real trust boundary, and close with the container hardening pattern.
Real products, models, and research that use this idea.
- Claude Desktop users scope a filesystem server entry to `~/Documents/notes` so the agent can read and edit notes without touching anything else on disk.
- Cursor users add a filesystem server scoped to a single project directory in `.cursor/mcp.json`, giving the agent file access beyond the editor's built-in tools.
- Hardened deployments run the server in a Docker container with `--read-only` rootfs and a single bind-mounted writable directory, so even a server bug cannot escape the bound volume.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow does the filesystem server prevent symlink escapes?
QWhy is the directory allowlist on the command line instead of in the MCP initialize message?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Assuming the MCP protocol provides built-in sandboxing. It does not. The filesystem server's own path check plus the directories you allow on launch are the entire boundary.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.