From 9732bd62c7b1d01f499f81fe69998c53b74ff7ba Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 9 Apr 2026 05:07:01 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL]?= =?UTF-8?q?=20Fix=20TOCTOU=20vulnerability=20in=20ssh=20key=20restore?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com> --- .jules/sentinel.md | 4 ++++ tools/setup-ssh-keys.sh | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) create mode 100644 .jules/sentinel.md diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..8df1ef0 --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## 2025-02-20 - TOCTOU Vulnerability in SSH Key Restoration +**Vulnerability:** Time-of-Check to Time-of-Use (TOCTOU) when restoring SSH private keys from 1Password. +**Learning:** Writing sensitive data to a file using default permissions and then using `chmod 600` leaves the file briefly readable by other users on the system between the write and the chmod. +**Prevention:** Use a subshell with `umask 077` (e.g., `(umask 077 && command > file)`) to ensure the file is created with secure permissions (600) from the start. diff --git a/tools/setup-ssh-keys.sh b/tools/setup-ssh-keys.sh index bde52fd..c1e8ec6 100755 --- a/tools/setup-ssh-keys.sh +++ b/tools/setup-ssh-keys.sh @@ -149,15 +149,15 @@ cmd_restore() { say "Restoring SSH key from 1Password..." # Create SSH directory - mkdir -p "$SSH_DIR" + (umask 077 && mkdir -p "$SSH_DIR") chmod 700 "$SSH_DIR" # Read private key from 1Password and save locally - op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE" + (umask 077 && op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE") chmod 600 "$PRIVATE_KEY_FILE" # Read public key from 1Password and save locally - op read "op://$VAULT/$KEY_NAME/public_key" > "$PUBLIC_KEY_FILE" + (umask 022 && op read "op://$VAULT/$KEY_NAME/public_key" > "$PUBLIC_KEY_FILE") chmod 644 "$PUBLIC_KEY_FILE" say "SSH key restored to $SSH_DIR"