4 changes: 4 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,4 @@
## 2025-01-31 - Secure File Creation with 1Password CLI

Check failure on line 1 (GitHub Actions / Lint Documentation): .jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2025-01-31 - Secure File Cr..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

Check failure on line 1 (GitHub Actions / Lint Documentation): .jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2025-01-31 - Secure File Creation with 1Password CLI"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

**Vulnerability:** Race condition in `tools/setup-ssh-keys.sh` where private keys were written to disk with default permissions before being restricted, exposing them to other users on the system.

Check failure on line 2 (GitHub Actions / Lint Documentation): .jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 196] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

**Learning:** Shell redirection `>` creates files with default umask (often 022/644) before `chmod` can run.

Check failure on line 3 (GitHub Actions / Lint Documentation): .jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 108] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

**Prevention:** Use `(umask 077; command > file)` subshell pattern to ensure sensitive files are created with 0600 permissions atomically.

Check failure on line 4 (GitHub Actions / Lint Documentation): .jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 138] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

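Review bot: the Prevention line overstates what `(umask 077; command > file)` guarantees. The umask is applied only when open(2) creates the file (0666 & ~077 = 0600); if `$PRIVATE_KEY_FILE` already exists, `>` truncates it in place and leaves its existing mode untouched, so a stale 0644 key file stays readable by other users until a later `chmod 600`. Suggest rewording to "created with 0600 permissions when the file is new" and recording in the entry that the target should be removed first (`rm -f`) or pre-created with `install -m 600 /dev/null "$file"` before writing, with the `chmod 600` kept as a second guard rather than dropped as redundant. Also, Markdown needs a blank line between the Vulnerability, Learning and Prevention lines, otherwise they render as one paragraph.
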
Comment on lines +1 to +4
⚠️ Potential issue | 🟑 Minor

Fix markdownlint failures (heading level, blank line, line length).

The lint job flags MD041/MD022/MD013 here. Consider updating the heading level, adding a blank line after the heading, and wrapping long lines to ≤80 chars.

🧹 Suggested formatting fix
-## 2025-01-31 - Secure File Creation with 1Password CLI
-**Vulnerability:** Race condition in `tools/setup-ssh-keys.sh` where private keys were written to disk with default permissions before being restricted, exposing them to other users on the system.
-**Learning:** Shell redirection `>` creates files with default umask (often 022/644) before `chmod` can run.
-**Prevention:** Use `(umask 077; command > file)` subshell pattern to ensure sensitive files are created with 0600 permissions atomically.
+# 2025-01-31 - Secure File Creation with 1Password CLI
+
+**Vulnerability:** Race condition in `tools/setup-ssh-keys.sh` where private keys
+were written to disk with default permissions before being restricted, exposing
+them to other users on the system.
+**Learning:** Shell redirection `>` creates files with default umask (often
+022/644) before `chmod` can run.
+**Prevention:** Use `(umask 077; command > file)` subshell pattern to ensure
+sensitive files are created with 0600 permissions atomically.
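
Review bot: the committable suggestion fixes MD041/MD022 by promoting the heading to `#` and adding a blank line below it, but it leaves the `**Vulnerability:**`, `**Learning:**` and `**Prevention:**` entries on consecutive lines, so rendered Markdown joins them into a single paragraph; add a blank line between each entry (the MD013 wrapping alone does not change this). The "Prompt for AI Agents" further down instead says to lower the heading level to `###` or `####`, which would still fail MD041 because that rule wants a top-level heading on the first line; the two instructions should agree on `#`.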
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

🧰 Tools
πŸͺ› GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 138] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 108] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 196] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2025-01-31 - Secure File Cr..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md


[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2025-01-31 - Secure File Creation with 1Password CLI"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

πŸ€– Prompt for AI Agents
In @.jules/sentinel.md around lines 1 - 4, Update the markdown to satisfy
MD041/MD022/MD013 by lowering the heading level for "2025-01-31 - Secure File
Creation with 1Password CLI" (e.g., use ### or ####), add a blank line
immediately after that heading, and reflow any long sentences (such as the
Vulnerability, Learning, and Prevention lines mentioning
`tools/setup-ssh-keys.sh`, `umask 077`, and the subshell pattern) so no line
exceeds ~80 characters; keep the same wording and symbols (the heading text,
`tools/setup-ssh-keys.sh`, `umask 077`, and the subshell pattern) while breaking
lines at logical points to satisfy the linter.

4 changes: 3 additions & 1 deletion tools/setup-ssh-keys.sh
@@ -153,7 +153,9 @@ cmd_restore() {
chmod 700 "$SSH_DIR"

# Read private key from 1Password and save locally
op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"
# Use umask 077 to ensure the file is created with 0600 permissions
(umask 077; op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE")
# chmod is redundant if umask worked, but good for clarity/double-check
chmod 600 "$PRIVATE_KEY_FILE"

# Read public key from 1Password and save locally
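Review bot: the comment on the new `chmod 600` line, "chmod is redundant if umask worked", is wrong for a pre-existing target and should be reworded. `umask` is consulted only when `>` creates the file, so if `$PRIVATE_KEY_FILE` already exists (for example from a `cmd_restore` run before this fix, or a hand-placed 0644 file) the redirection truncates it in place and keeps its current mode, and the private key is readable by other users until the `chmod` runs. Quick check on Linux: `touch k && chmod 644 k && (umask 077; echo x > k) && stat -c %a k` prints `644`. Suggest `rm -f "$PRIVATE_KEY_FILE"` immediately before the subshell so the umask path always applies (the `chmod 700 "$SSH_DIR"` above already keeps other users from racing on the directory), and keep `chmod 600` as defence in depth with a comment saying so; `rm -f` also avoids following a symlink that may already sit at that path. Separately, if `op read` fails the redirection still leaves an empty or truncated key file behind, so check its exit status (or rely on `set -e` if the script enables it) and remove the file on failure. Newer 1Password CLI releases document `op read --out-file <path>`, which writes the secret with mode 0600 by default; worth checking against the CLI version this script targets, as it would remove the need for the redirection entirely.
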