From 3a846d24274a1d0f0b4bb68ee8571729acada02d Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 15 Apr 2026 05:12:26 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL]?= =?UTF-8?q?=20Fix=20TOCTOU=20vulnerability=20in=20SSH=20key=20creation?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Wrapped the `op read` command that writes the private SSH key in `tools/setup-ssh-keys.sh` within a subshell setting `umask 077`. This prevents the file from briefly existing with world-readable permissions before `chmod 600` is applied.

Recorded this security learning in `.jules/sentinel.md`.

Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com>
---
 .jules/sentinel.md | 15 +++++++++++++++
 tools/setup-ssh-keys.sh | 2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 .jules/sentinel.md

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..ac1598d
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,15 @@
+# Sentinel Journal
+
+## 2026-04-15 - Prevent TOCTOU in SSH Key Restoration
+
+**Vulnerability:** A Time-of-Check to Time-of-Use (TOCTOU) vulnerability where an
+SSH private key is briefly world-readable upon creation before `chmod 600` is
+applied.
+
+**Learning:** Redirecting output to a file creates the file with default
+permissions (often `644`), which exposes sensitive data for a fraction of a
+second.
+
+**Prevention:** Wrap commands that create sensitive files in a subshell using
+`umask 077` to ensure the file is created with secure permissions (`600`)
+natively.
diff --git a/tools/setup-ssh-keys.sh b/tools/setup-ssh-keys.sh
index bde52fd..6ecd8db 100755
--- a/tools/setup-ssh-keys.sh
+++ b/tools/setup-ssh-keys.sh
@@ -153,7 +153,7 @@ cmd_restore() {
     chmod 700 "$SSH_DIR"
 
     # Read private key from 1Password and save locally
-    op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"
+    (umask 077 && op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE")
     chmod 600 "$PRIVATE_KEY_FILE"
 
     # Read public key from 1Password and save locally
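Review bot: `umask 077` governs only file creation, so when `$PRIVATE_KEY_FILE` already exists (for example a key left at 644 by the pre-fix version of this very script) the `>` redirection on the added line truncates and rewrites it in place with its existing mode, and the window before `chmod 600` remains open for exactly the users this fix targets. The same redirection also truncates the old key before `op read` has produced any output, so a failed `op read` (auth or network) leaves an empty key file behind; whether `set -e` stops the script there is outside the hunk. A safer shape is to write into a `mktemp`-created file in `$SSH_DIR` (mktemp creates it 0600) and rename it over the target only on success, which closes both gaps without depending on umask or on the prior state of the path. cmd_restore() starts before this hunk and continues after it.
```shell
    chmod 700 "$SSH_DIR"

    # Read private key from 1Password and save locally.
    # Write to a 0600 temp file in the same directory and rename it over the
    # target only on success: no window with a loose mode on a pre-existing
    # file, and no truncated key if op read fails.
    tmp_key=$(mktemp "$SSH_DIR/.${KEY_NAME}.XXXXXX") || return 1
    if op read "op://$VAULT/$KEY_NAME/private_key" > "$tmp_key"; then
        chmod 600 "$tmp_key"
        mv -f -- "$tmp_key" "$PRIVATE_KEY_FILE"
    else
        rm -f -- "$tmp_key"
        echo "error: failed to read private key from 1Password" >&2
        return 1
    fi
    # … unchanged: public key read and save …
```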