5 changes: 5 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,5 @@
## 2026-04-10 - [TOCTOU vulnerability in SSH key generation]

**Vulnerability:** Private SSH keys written to disk using shell redirection (`> "$PRIVATE_KEY_FILE"`) followed by `chmod 600`.
**Learning:** Shell redirection creates the file according to the system's `umask`. If the `umask` allows, the file might briefly be readable by other users before `chmod 600` executes, causing a Time-of-Check to Time-of-Use (TOCTOU) vulnerability.
**Prevention:** Wrap file creation steps that handle sensitive data in a subshell using `(umask 077 && command > file)` so that the file is created with secure permissions right from the start.
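Review bot: the Prevention line only covers the fresh-create case; `>` on a path that already exists truncates the file and keeps its existing mode, so `umask 077` changes nothing if an earlier run or another tool left `$PRIVATE_KEY_FILE` world-readable. Worth adding a sentence that the target should be removed (or created with a known mode) before redirecting, and that the trailing `chmod 600` stays as defence in depth. Separately, the Lint Documentation job flags this entry: the first line is an H2 (MD041) and lines 3 to 5 exceed 80 characters (MD013), so the file needs a top-level heading and the three labelled lines reflowed.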
Comment on lines +1 to +5

⚠️ Potential issue | 🟠 Major

Fix markdownlint violations (MD041 + MD013) to unblock docs lint.

The new entry currently fails Lint Documentation due to non-H1 first line and overly long lines.

πŸ“ Proposed fix
+ # Sentinel Journal
+
 ## 2026-04-10 - [TOCTOU vulnerability in SSH key generation]
 
-**Vulnerability:** Private SSH keys written to disk using shell redirection (`> "$PRIVATE_KEY_FILE"`) followed by `chmod 600`.
-**Learning:** Shell redirection creates the file according to the system's `umask`. If the `umask` allows, the file might briefly be readable by other users before `chmod 600` executes, causing a Time-of-Check to Time-of-Use (TOCTOU) vulnerability.
-**Prevention:** Wrap file creation steps that handle sensitive data in a subshell using `(umask 077 && command > file)` so that the file is created with secure permissions right from the start.
+**Vulnerability:** Private SSH keys were written via shell redirection
+(`> "$PRIVATE_KEY_FILE"`) and only then restricted with `chmod 600`.
+
+**Learning:** Redirection creates files using the current `umask`. If it is too
+permissive, the key can be briefly readable before `chmod 600`, creating a
+TOCTOU exposure.
+
+**Prevention:** For sensitive writes, create the file inside a subshell that
+sets a restrictive mask: `(umask 077 && command > file)`.
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
## 2026-04-10 - [TOCTOU vulnerability in SSH key generation]
**Vulnerability:** Private SSH keys written to disk using shell redirection (`> "$PRIVATE_KEY_FILE"`) followed by `chmod 600`.
**Learning:** Shell redirection creates the file according to the system's `umask`. If the `umask` allows, the file might briefly be readable by other users before `chmod 600` executes, causing a Time-of-Check to Time-of-Use (TOCTOU) vulnerability.
**Prevention:** Wrap file creation steps that handle sensitive data in a subshell using `(umask 077 && command > file)` so that the file is created with secure permissions right from the start.
# Sentinel Journal
## 2026-04-10 - [TOCTOU vulnerability in SSH key generation]
**Vulnerability:** Private SSH keys were written via shell redirection
(`> "$PRIVATE_KEY_FILE"`) and only then restricted with `chmod 600`.
**Learning:** Redirection creates files using the current `umask`. If it is too
permissive, the key can be briefly readable before `chmod 600`, creating a
TOCTOU exposure.
**Prevention:** For sensitive writes, create the file inside a subshell that
sets a restrictive mask: `(umask 077 && command > file)`.
🧰 Tools
🪛 GitHub Check: Lint Documentation

[failure] 5-5: Line length
.jules/sentinel.md:5:81 MD013/line-length Line length [Expected: 80; Actual: 193] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 248] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 126] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2026-04-10 - [TOCTOU vulner..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 5, change the leading section heading
"## 2026-04-10 - [TOCTOU vulnerability in SSH key generation]" to an H1 (replace
"##" with "#") so the file starts with an H1, and reflow any overly long
sentences in the entry (for example the "Vulnerability:", "Learning:" and
"Prevention:" lines) to respect the markdownlint MD013 line-length limit (wrap
to ~80 chars or less at sensible word boundaries) while preserving the exact
content and bullet labels; ensure no single long unbroken lines remain so MD041
and MD013 are satisfied.

2 changes: 1 addition & 1 deletion tools/setup-ssh-keys.sh
@@ -153,7 +153,7 @@ cmd_restore() {
chmod 700 "$SSH_DIR"

# Read private key from 1Password and save locally
op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"
(umask 077 && op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE")
chmod 600 "$PRIVATE_KEY_FILE"

# Read public key from 1Password and save locally
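Review bot: the `umask 077` subshell on the `op read` line only protects a newly created file; if `$PRIVATE_KEY_FILE` already exists (for example from an earlier `restore`), the redirection truncates it in place and the old mode is kept, leaving the same window before `chmod 600` that this change is meant to close. Suggest `rm -f "$PRIVATE_KEY_FILE"` immediately before the subshell so the key is always created fresh under the restrictive mask; keeping the `chmod 600` afterwards as a second layer is fine. The subshell's exit status is that of `op read`, so a failed read still surfaces the same way it did before this change.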