From aeaedc9bbec93997a55f5cca8d050b09c421c91e Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 5 Feb 2026 04:57:01 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL]?= =?UTF-8?q?=20Fix=20TOCTOU=20in=20SSH=20key=20creation?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 🚨 Severity: CRITICAL 💡 Vulnerability: SSH private keys were created with default permissions (often world-readable) before being restricted with `chmod`. This created a race condition (TOCTOU) where the key could be read by other users on the system. 🎯 Impact: Potential leakage of private SSH keys. 🔧 Fix: Used `umask 077` in a subshell during file creation to ensure keys are written with 600 permissions atomically. ✅ Verification: Verified syntax with `./build.sh` and manual code inspection. Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com> --- .jules/sentinel.md | 4 ++++ tools/setup-ssh-keys.sh | 12 ++++++++---- 2 files changed, 12 insertions(+), 4 deletions(-) create mode 100644 .jules/sentinel.md diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..cb6d463 --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## 2024-05-22 - Secure File Creation in Shell Scripts +**Vulnerability:** TOCTOU race condition when creating sensitive files (like SSH keys) using redirection (`>`) followed by `chmod`. +**Learning:** Files created via redirection inherit default permissions (usually 644/666) before `chmod` runs, leaving a window where they are world-readable. +**Prevention:** Use `umask` inside a subshell to strictly control permissions at creation time: `(umask 077; command > file)`. diff --git a/tools/setup-ssh-keys.sh b/tools/setup-ssh-keys.sh index bde52fd..aef9fe0 100755 --- a/tools/setup-ssh-keys.sh +++ b/tools/setup-ssh-keys.sh 
@@ -153,12 +153,16 @@ cmd_restore() { chmod 700 "$SSH_DIR" # Read private key from 1Password and save locally - op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE" - chmod 600 "$PRIVATE_KEY_FILE" + ( + umask 077 + op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE" + ) # Read public key from 1Password and save locally - op read "op://$VAULT/$KEY_NAME/public_key" > "$PUBLIC_KEY_FILE" - chmod 644 "$PUBLIC_KEY_FILE" + ( + umask 022 + op read "op://$VAULT/$KEY_NAME/public_key" > "$PUBLIC_KEY_FILE" + ) say "SSH key restored to $SSH_DIR" echo ""
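Review bot: For the `.jules/sentinel.md` hunk, the entry heading `## 2024-05-22 - Secure File Creation in Shell Scripts` carries a date that does not match the commit date (5 Feb 2026), so the log entry looks stale; either correct the date or note that it records when the lesson was first learned. The **Prevention** line should also state the limit of the technique: `umask` only governs the mode of files created by the redirection, so a file that already exists at the target path keeps its existing permissions and still needs an explicit `chmod` (or removal before the write).

Review bot: For the `tools/setup-ssh-keys.sh` hunk, the change drops the `chmod 600 "$PRIVATE_KEY_FILE"` line while `umask 077` in the subshell only affects a file that the redirection creates; if `$PRIVATE_KEY_FILE` already exists (for example from an earlier run that restored it with the old code, or a key left at 644 by hand), `>` truncates it in place and its mode is unchanged, so the race is closed but a pre-existing permissive mode is no longer corrected. Suggest removing the target before the write so the mode is always set at creation, e.g. `rm -f "$PRIVATE_KEY_FILE"` before `op read ... > "$PRIVATE_KEY_FILE"`, or keeping a `chmod 600 "$PRIVATE_KEY_FILE"` after the subshell as a belt-and-braces step; the same applies to the `umask 022` block replacing `chmod 644 "$PUBLIC_KEY_FILE"`. Independently of this, a failed `op read` still leaves an empty key file behind because the redirect opens the file before the command runs, which the hunk does not address.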