4 changes: 4 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,4 @@
## 2025-02-03 - File Creation Race Conditions

GitHub Actions / Lint Documentation (check failure on line 1): .jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2025-02-03 - File Creation ..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

GitHub Actions / Lint Documentation (check failure on line 1): .jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2025-02-03 - File Creation Race Conditions"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md
**Vulnerability:** SSH private keys were created with default umask permissions (world-readable) before being restricted with `chmod`.

GitHub Actions / Lint Documentation (check failure on line 2): .jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 134] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md
**Learning:** Shell redirection (`>`) creates files with default umask permissions immediately. `chmod` after creation leaves a window of exposure (race condition).

GitHub Actions / Lint Documentation (check failure on line 3): .jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 164] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md
**Prevention:** Use `umask 077` in a subshell or block before creating sensitive files to ensure they are born secure.
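Review bot: the Prevention entry should state that `umask` only governs the mode of files and directories at the moment they are created; it does nothing for a path that already exists, so the `chmod` after creation is still required whenever the key file or directory may be left over from an earlier run. One added sentence to that effect would keep the learning from being read as "umask replaces chmod".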

GitHub Actions / Lint Documentation (check failure on line 4): .jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 118] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md
Comment on lines +1 to +4
⚠️ Potential issue | 🟡 Minor

Fix markdown linting errors flagged by static analysis.

The linter reports several issues:

  • Line 1: Should be a top-level heading (# instead of ##) and needs a blank line below
  • Lines 2-4: Exceed the 80-character line length limit

Also, the heading date says "2025-02-03" but the PR was created in 2026; verify if this is intentional.

πŸ“ Proposed fix
-## 2025-02-03 - File Creation Race Conditions
-**Vulnerability:** SSH private keys were created with default umask permissions (world-readable) before being restricted with `chmod`.
-**Learning:** Shell redirection (`>`) creates files with default umask permissions immediately. `chmod` after creation leaves a window of exposure (race condition).
-**Prevention:** Use `umask 077` in a subshell or block before creating sensitive files to ensure they are born secure.
+# Sentinel Learnings
+
+## 2026-02-03 - File Creation Race Conditions
+
+**Vulnerability:** SSH private keys were created with default umask permissions
+(world-readable) before being restricted with `chmod`.
+
+**Learning:** Shell redirection (`>`) creates files with default umask
+permissions immediately. `chmod` after creation leaves a window of exposure
+(race condition).
+
+**Prevention:** Use `umask 077` in a subshell or block before creating
+sensitive files to ensure they are born secure.
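Review bot: the proposed fix silently changes the date in the `+## 2026-02-03 - File Creation Race Conditions` line while the comment text only asks the author to verify whether 2025 was intentional; a committable suggestion should not alter a value whose correctness is still an open question. Suggest keeping `2025-02-03` in the proposed text and leaving the date to the author, or calling the date change out as a separate, explicit step.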
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
## 2025-02-03 - File Creation Race Conditions
**Vulnerability:** SSH private keys were created with default umask permissions (world-readable) before being restricted with `chmod`.
**Learning:** Shell redirection (`>`) creates files with default umask permissions immediately. `chmod` after creation leaves a window of exposure (race condition).
**Prevention:** Use `umask 077` in a subshell or block before creating sensitive files to ensure they are born secure.
# Sentinel Learnings
## 2026-02-03 - File Creation Race Conditions
**Vulnerability:** SSH private keys were created with default umask permissions
(world-readable) before being restricted with `chmod`.
**Learning:** Shell redirection (`>`) creates files with default umask
permissions immediately. `chmod` after creation leaves a window of exposure
(race condition).
**Prevention:** Use `umask 077` in a subshell or block before creating
sensitive files to ensure they are born secure.
🤖 Prompt for AI Agents
In @.jules/sentinel.md around lines 1 - 4, change the top-level heading "##
2025-02-03 - File Creation Race Conditions" to a single H1 ("# ...") and add a
blank line below it; reflow the following lines so no line exceeds 80 characters
(split sentences about SSH private keys, shell redirection, chmod race window,
and the prevention advice into multiple short lines); and confirm whether the
heading date "2025-02-03" should be updated to the PR year (2026) or left as-is,
then update the date if needed.

10 changes: 8 additions & 2 deletions tools/setup-ssh-keys.sh
Expand Up @@ -149,11 +149,17 @@ cmd_restore() {
say "Restoring SSH key from 1Password..."

# Create SSH directory
mkdir -p "$SSH_DIR"
(
umask 077
mkdir -p "$SSH_DIR"
)
chmod 700 "$SSH_DIR"

# Read private key from 1Password and save locally
op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"
(
umask 077
op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"
)
chmod 600 "$PRIVATE_KEY_FILE"

# Read public key from 1Password and save locally
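Review bot: the `umask 077` subshell around `op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"` only sets the mode of a file that is being created; if `$PRIVATE_KEY_FILE` already exists from a previous restore, `>` truncates it in place and keeps its existing mode, so a file that was left world-readable stays readable until the following `chmod 600` runs, and the race this change is meant to close remains on re-runs. Suggest removing the old file inside the same subshell (`rm -f "$PRIVATE_KEY_FILE"` before the redirect) or writing to a fresh `mktemp` file in `$SSH_DIR` and renaming it over the target. The same holds for `mkdir -p "$SSH_DIR"`, which leaves an existing directory's mode untouched, although the retained `chmod 700` covers that case; the two subshells could also be merged into one, since both writes want the same umask.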