From 92d8c3dfca432c76e66fff3bebf1ed280ad87d5b Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sat, 7 Feb 2026 04:41:56 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL]?=
 =?UTF-8?q?=20Fix=20insecure=20private=20key=20file=20creation?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

🚨 Severity: CRITICAL
💡 Vulnerability: Private SSH keys were being created with default umask permissions (often 0644) before being restricted to 0600. This created a race condition (TOCTOU) where the file could be read by other users during the creation window.
🎯 Impact: Potential leakage of private SSH keys to other users on the same system.
🔧 Fix: Wrapped the private key file creation in a subshell with `umask 077` to ensure the file is created with 0600 permissions from the start.
✅ Verification: Verified with a reproduction script that files are now created with 0600 permissions immediately. Ran `bash -n tools/setup-ssh-keys.sh` to ensure syntax correctness.

Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 tools/setup-ssh-keys.sh | 5 ++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 .jules/sentinel.md

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..9a6b986
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2025-02-07 - Insecure File Creation for Sensitive Data
+**Vulnerability:** Private SSH keys were created with default umask permissions (often 0644 or 0664) before being restricted to 0600, creating a race condition (TOCTOU) where the file could be read by other users during the creation window.
+**Learning:** Shell redirection (`>`) creates the file before `chmod` is executed, using the process's default umask. Explicitly setting `chmod` afterwards is insufficient for highly sensitive files on multi-user systems.
+**Prevention:** Wrap sensitive file creation commands in a subshell with `umask 077` (or `umask 0177` for executable scripts) to ensure the file is created with restrictive permissions (0600) from the start.
diff --git a/tools/setup-ssh-keys.sh b/tools/setup-ssh-keys.sh
index bde52fd..b737e86 100755
--- a/tools/setup-ssh-keys.sh
+++ b/tools/setup-ssh-keys.sh
@@ -153,7 +153,10 @@ cmd_restore() {
 chmod 700 "$SSH_DIR"
 
 # Read private key from 1Password and save locally
- op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"
+ (
+ umask 077
+ op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"
+ )
 chmod 600 "$PRIVATE_KEY_FILE"
 
 # Read public key from 1Password and save locally
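Review bot: `umask 077` only governs the mode of a file that is newly created, so on a re-run where `$PRIVATE_KEY_FILE` already exists the `>` redirection truncates it in place and keeps whatever mode it already has; the key material is then written before the following `chmod 600` runs, so the window this commit closes stays open for the pre-existing-file case. Removing any stale file inside the subshell before the write closes it: add `rm -f -- "$PRIVATE_KEY_FILE"` on the line before `op read`. The exit status of `op read` is also not checked here; if it fails, an empty or truncated key file is left behind and `chmod 600` still succeeds, unless `set -e` is in effect at the top of the script, which is not visible from this hunk. cmd_restore begins outside the hunk.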