Conversation

@kidchenko (Owner) commented Feb 6, 2026

πŸ›‘οΈ Sentinel: [CRITICAL] Fix TOCTOU race condition in SSH key creation

🚨 Severity: CRITICAL
πŸ’‘ Vulnerability: SSH private keys were written to disk with default permissions and then restricted with chmod immediately after. This creates a Time-of-Check-Time-of-Use (TOCTOU) race condition window where the file is world-readable.
🎯 Impact: Sensitive private keys could be read by other users on the system if they monitor directory changes during the creation window.
πŸ”§ Fix: Wrapped file creation in a subshell with umask 077 to ensure restrictive permissions are applied at creation time.
βœ… Verification: Verified script syntax with bash -n and visual inspection of logic.


PR created automatically by Jules for task 9668484018734191816 started by @kidchenko

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced SSH key creation process with improved file permission handling to ensure restrictive access controls.
  • Documentation
    • Added documentation on SSH key file permission security best practices and preventative measures.

- Use `umask 077` in a subshell when creating `.ssh` directory and private key files.
- Ensures files are created with restricted permissions from the start, closing the race condition window where they might be world-readable.
- Add security journal entry in `.jules/sentinel.md`.

Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com>
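The write-then-chmod race and the umask-077 subshell fix that the PR text above describes, as an added example. This is not the PR's own tools/setup-ssh-keys.sh; it is a stand-alone script written here to make the difference observable. It assumes bash with GNU coreutils (`stat -c`, with BSD `stat -f` as a fallback) and uses a constructed placeholder string in place of real key material. It also goes one step beyond the PR text: the last two functions show that umask protects only files that do not already exist, and apply the same pattern to the .ssh directory.

```shell
#!/usr/bin/env bash
# Added example, not the PR's tools/setup-ssh-keys.sh. Reproduces the
# write-then-chmod race and the umask-077 subshell fix.
# Assumptions: bash, GNU coreutils `stat -c` (BSD `stat -f` fallback),
# and a constructed placeholder string instead of real key material.

set -eu

# Octal permission bits of a path, e.g. "644" or "600".
perms_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Racy pattern: the file is created under the process umask (644 with the
# common umask 022) and only afterwards restricted. Returns the mode seen
# in the window between creation and chmod, which is what any other local
# user with access to the directory sees during that window.
write_key_racy() {
    local path="$1" before
    printf '%s\n' 'PLACEHOLDER-PRIVATE-KEY-MATERIAL' > "$path"
    before=$(perms_of "$path")
    chmod 600 "$path"
    printf '%s\n' "$before"
}

# Fixed pattern: umask 077 inside a subshell, so the file is born 0600 and
# the caller's umask is restored when the subshell exits. Returns the mode
# the file has from the moment it exists.
write_key_safe() {
    local path="$1"
    (umask 077; printf '%s\n' 'PLACEHOLDER-PRIVATE-KEY-MATERIAL' > "$path")
    perms_of "$path"
}

# Caveat: umask governs only newly created files. Redirecting onto an
# existing file truncates it but keeps its old mode, so remove the target
# first when the path may already exist.
write_key_safe_fresh() {
    local path="$1"
    rm -f -- "$path"
    write_key_safe "$path"
}

# Same idea for the ~/.ssh directory: created 0700 under umask 077. The
# explicit chmod afterwards only matters when the directory already existed.
ensure_private_dir() {
    local dir="$1"
    (umask 077; mkdir -p -- "$dir")
    chmod 700 -- "$dir"
    perms_of "$dir"
}
```

Run the functions against a scratch directory: with umask 022 in effect, `write_key_racy` reports 644 for the window before chmod while `write_key_safe` reports 600 from creation onward, and `write_key_safe` on a pre-existing 644 file leaves it at 644 until `write_key_safe_fresh` recreates it.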
@google-labs-jules (Contributor) commented

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@coderabbitai bot commented Feb 6, 2026

πŸ“ Walkthrough

Walkthrough

A new security documentation file is added describing a TOCTOU race condition vulnerability in SSH private key creation, while the SSH setup script is enhanced with secure directory initialization and umask-based file permission restrictions to prevent unauthorized access.

Changes

Cohort / File(s) | Summary

Security Documentation | .jules/sentinel.md | New markdown document documenting a TOCTOU race condition vulnerability in SSH key file permissions, including vulnerability details, learning points, and prevention strategies using umask or portable install methods.

SSH Key Creation Script | tools/setup-ssh-keys.sh | Enhanced SSH directory creation with umask 077 in a subshell to prevent group/other access, sets directory permissions to 700, and reads private key from 1Password within a restricted umask context, ensuring 077 initial permissions and 600 final permissions.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A tale of keys kept safe and sound,
With umask shields and masks profound,
No race conditions here we see,
Just SSH in security!
A rabbit's work, secure and bright! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title directly addresses the main vulnerability being fixed (TOCTOU race condition in SSH key creation) and accurately reflects the primary change in the changeset.
Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.


@coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.jules/sentinel.md:
- Around line 1-4: Change the first line to a top-level heading (use a single
leading '#') and ensure there is a blank line before and after that heading to
satisfy MD041 and MD022; break the long lines in the body (lines mentioning the
TOCTOU race, chmod, umask example) into sentences under 80 characters to fix
MD013; update the date string "2024-05-22" to "2026-02-06" and keep the heading
text "TOCTOU Race Condition in File Permissions" intact so reviewers can locate
the entry.

Comment on lines +1 to +4
## 2024-05-22 - TOCTOU Race Condition in File Permissions
**Vulnerability:** SSH private keys were written to disk with default permissions and then restricted with `chmod` immediately after. This creates a Time-of-Check-Time-of-Use (TOCTOU) race condition window where the file is world-readable (depending on system umask).
**Learning:** `chmod` is not atomic with file creation. Relying on it for sensitive files leaves a security gap.
**Prevention:** Use `umask` in a subshell or the `install` command (if portable) to ensure files are created with restrictive permissions from the start. Example: `(umask 077; echo secret > file)`

⚠️ Potential issue | 🟡 Minor

Fix markdownlint violations flagged by the Lint Documentation check.

The linter reports several failures:

  1. MD041: First line should be a top-level heading (#), not ##.
  2. MD022: Heading must be surrounded by blank lines.
  3. MD013: Lines 2–4 exceed the 80-character limit; wrap long lines or restructure into shorter sentences.

Also, the date 2024-05-22 looks incorrect given the PR was created on 2026-02-06.

Proposed structure (content abbreviated)
-## 2024-05-22 - TOCTOU Race Condition in File Permissions
-**Vulnerability:** SSH private keys were written to disk with default permissions and then restricted with `chmod` immediately after. This creates a Time-of-Check-Time-of-Use (TOCTOU) race condition window where the file is world-readable (depending on system umask).
-**Learning:** `chmod` is not atomic with file creation. Relying on it for sensitive files leaves a security gap.
-**Prevention:** Use `umask` in a subshell or the `install` command (if portable) to ensure files are created with restrictive permissions from the start. Example: `(umask 077; echo secret > file)`
+# Sentinel Security Journal
+
+## 2026-02-06 - TOCTOU Race Condition in File Permissions
+
+**Vulnerability:** SSH private keys were written to disk with default
+permissions and then restricted with `chmod` immediately after. This
+creates a TOCTOU race condition window where the file is
+world-readable (depending on system umask).
+
+**Learning:** `chmod` is not atomic with file creation. Relying on it
+for sensitive files leaves a security gap.
+
+**Prevention:** Use `umask` in a subshell or the `install` command
+(if portable) to ensure files are created with restrictive permissions
+from the start. Example: `(umask 077; echo secret > file)`
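Review bot: the Prevention example `(umask 077; echo secret > file)` kept in the `+` lines only guarantees the mode of a file that does not yet exist; when `file` already exists with permissive bits, the redirection truncates it in place and the old mode survives, so the rewritten entry should state that the target must be removed or created fresh before the umask pattern is relied on (or written with `install -m 600`, which the same paragraph already offers as the portable alternative).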
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
## 2024-05-22 - TOCTOU Race Condition in File Permissions
**Vulnerability:** SSH private keys were written to disk with default permissions and then restricted with `chmod` immediately after. This creates a Time-of-Check-Time-of-Use (TOCTOU) race condition window where the file is world-readable (depending on system umask).
**Learning:** `chmod` is not atomic with file creation. Relying on it for sensitive files leaves a security gap.
**Prevention:** Use `umask` in a subshell or the `install` command (if portable) to ensure files are created with restrictive permissions from the start. Example: `(umask 077; echo secret > file)`
# Sentinel Security Journal
## 2026-02-06 - TOCTOU Race Condition in File Permissions
**Vulnerability:** SSH private keys were written to disk with default
permissions and then restricted with `chmod` immediately after. This
creates a TOCTOU race condition window where the file is
world-readable (depending on system umask).
**Learning:** `chmod` is not atomic with file creation. Relying on it
for sensitive files leaves a security gap.
**Prevention:** Use `umask` in a subshell or the `install` command
(if portable) to ensure files are created with restrictive permissions
from the start. Example: `(umask 077; echo secret > file)`
🧰 Tools
🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 196] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 112] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 267] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2024-05-22 - TOCTOU Race Co..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2024-05-22 - TOCTOU Race Condition in File Permissions"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

