4 changes: 4 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,4 @@
## 2025-02-02 - Secure File Creation with Shell Redirection
**Vulnerability:** SSH private keys restored from 1Password via `op read > file` were created with default umask permissions before `chmod` was applied, creating a race condition.
**Learning:** Shell redirection creates files before `chmod` can act. Even in "personal" dotfiles, this can expose secrets on multi-user systems (e.g., shared servers).
**Prevention:** Use `(umask 077 && command > file)` to ensure files are born secure.
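Review bot: the Prevention line is incomplete as written: `(umask 077 && command > file)` only fixes the mode of a file the redirection creates, so when `file` already exists with a loose mode the redirection truncates and rewrites it in place under that mode and the race described in the Vulnerability line remains. Suggest extending the line to remove (or chmod 600) any existing target first, e.g. `rm -f file; (umask 077 && command > file)`, so the lesson recorded here is not applied elsewhere in the dotfiles as if it were a complete fix.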
Comment on lines +1 to +4
⚠️ Potential issue | 🟡 Minor

Fix markdownlint violations and confirm the entry date.
Markdownlint is failing due to heading level, missing blank line after the heading, and long lines. Also please confirm the intended date in the heading (currently “2025-02-02”).

✏️ Proposed formatting fix
-## 2025-02-02 - Secure File Creation with Shell Redirection
-**Vulnerability:** SSH private keys restored from 1Password via `op read > file` were created with default umask permissions before `chmod` was applied, creating a race condition.
-**Learning:** Shell redirection creates files before `chmod` can act. Even in "personal" dotfiles, this can expose secrets on multi-user systems (e.g., shared servers).
-**Prevention:** Use `(umask 077 && command > file)` to ensure files are born secure.
+# 2025-02-02 - Secure File Creation with Shell Redirection
+
+**Vulnerability:** SSH private keys restored from 1Password via `op read > file`
+were created with default umask permissions before `chmod` was applied, creating a
+race condition.
+**Learning:** Shell redirection creates files before `chmod` can act. Even in
+"personal" dotfiles, this can expose secrets on multi-user systems (e.g., shared
+servers).
+**Prevention:** Use `(umask 077 && command > file)` to ensure files are born
+secure.
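Review bot: the proposed fix wraps the long lines but still leaves no blank line between the `**Vulnerability:**`, `**Learning:**` and `**Prevention:**` lines, so Markdown renders the three of them as a single paragraph; insert a blank line before `**Learning:**` and before `**Prevention:**`. Separately, if `.jules/sentinel.md` is meant to collect further dated entries, promoting this entry to `#` means the next entry either repeats a top-level heading (MD025) or needs a file-level H1 added later anyway; adding one H1 above the dated `##` entries now avoids revisiting this.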
🧰 Tools
🪛 GitHub Check: Lint Documentation

[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 168] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 179] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2025-02-02 - Secure File Cr..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2025-02-02 - Secure File Creation with Shell Redirection"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🤖 Prompt for AI Agents
In @.jules/sentinel.md around lines 1 - 4, Adjust the sentinel entry heading
"2025-02-02 - Secure File Creation with Shell Redirection" to the correct level
per project style, add a blank line immediately after the heading, wrap long
lines in the body to satisfy markdownlint (e.g., break the
Vulnerability/Learning/Prevention lines at ~80 chars or less), and confirm or
correct the date in the heading to the intended date; ensure the final text
still contains the three labeled lines ("Vulnerability:", "Learning:",
"Prevention:") exactly as in the diff.

9 changes: 7 additions & 2 deletions tools/setup-ssh-keys.sh
@@ -149,11 +149,16 @@ cmd_restore() {
say "Restoring SSH key from 1Password..."

# Create SSH directory
mkdir -p "$SSH_DIR"
# Use umask to ensure secure permissions on creation
(umask 077 && mkdir -p "$SSH_DIR")
chmod 700 "$SSH_DIR"

# Read private key from 1Password and save locally
op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"
# Use umask in subshell to prevent race condition where file is briefly group-readable
(
umask 077
op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"
)
chmod 600 "$PRIVATE_KEY_FILE"

# Read public key from 1Password and save locally
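Review bot: the umask subshell around `op read` only protects a file that the redirection creates; if `$PRIVATE_KEY_FILE` already exists (a previous restore, or a key the user copied in by hand), `>` truncates and rewrites it under whatever mode it already has, and the window before `chmod 600` is unchanged. Remove or lock down the target before writing, e.g. `rm -f -- "$PRIVATE_KEY_FILE"` immediately before the subshell, or write through `op read ... --out-file "$PRIVATE_KEY_FILE"` (recent op CLI releases create the output file 0600 by default; verify against the installed version before relying on it). Two smaller points: the comment says "briefly group-readable", but under the common default umask of 022 the file is created 0644, i.e. world-readable, so the comment understates the exposure; and unless the script runs under `set -e`, a failed `op read` leaves an empty file that the following `chmod 600` then makes look like a valid key, so check the command's exit status before continuing.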