4 changes: 4 additions & 0 deletions .jules/sentinel.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
## 2025-02-07 - Insecure File Creation for Sensitive Data

⚠️ Potential issue | 🟡 Minor

Date appears to have a typo: 2025 should be 2026.

The PR was created on 2026-02-07, but the heading says 2025-02-07.

🧰 Tools
🪛 GitHub Check: Lint Documentation

[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2025-02-07 - Insecure File ..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md


[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2025-02-07 - Insecure File Creation for Sensitive Data"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🤖 Prompt for AI Agents
In @.jules/sentinel.md at line 1, update the sentinel entry header that
currently reads "## 2025-02-07 - Insecure File Creation for Sensitive Data" to
the correct date "2026-02-07" so the heading matches the PR creation date;
locate the Markdown header string and change the year from 2025 to 2026.

**Vulnerability:** Private SSH keys were created with default umask permissions (often 0644 or 0664) before being restricted to 0600, creating a race condition (TOCTOU) where the file could be read by other users during the creation window.

**Learning:** Shell redirection (`>`) creates the file before `chmod` is executed, using the process's default umask. Explicitly setting `chmod` afterwards is insufficient for highly sensitive files on multi-user systems.

**Prevention:** Wrap sensitive file creation commands in a subshell with `umask 077` (or `umask 0177` for executable scripts) to ensure the file is created with restrictive permissions (0600) from the start.
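Review bot: the parenthetical "`umask 0177` for executable scripts" in the Prevention line has the masks backwards. A umask is subtracted from the requested creation mode, so 0177 applied to a script created with 0777 yields 0600 and strips the execute bit, while `umask 077` yields 0700 for an executable and 0600 for a regular file. Either drop the 0177 variant or state that 077 already covers both cases. Also, the Vulnerability line calls the window between `>` and `chmod` a TOCTOU race; TOCTOU names a check-then-use race, whereas what the entry describes is an interval in which the file exists with a permissive mode, so "exposure window" would be the accurate term. The 0644/0664 figures are right for the usual 022 and 002 umasks.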

Comment on lines +1 to +4

⚠️ Potential issue | 🟡 Minor

Fix markdown lint failures flagged by the CI pipeline.

The Lint Documentation check is failing with multiple violations:

  • MD041: First line should be a top-level heading (#), not ##.
  • MD022: Heading on line 1 needs a blank line below it.
  • MD013: Lines 2–4 exceed the 80-character line limit.
Proposed fix
-## 2025-02-07 - Insecure File Creation for Sensitive Data
-**Vulnerability:** Private SSH keys were created with default umask permissions (often 0644 or 0664) before being restricted to 0600, creating a race condition (TOCTOU) where the file could be read by other users during the creation window.
-**Learning:** Shell redirection (`>`) creates the file before `chmod` is executed, using the process's default umask. Explicitly setting `chmod` afterwards is insufficient for highly sensitive files on multi-user systems.
-**Prevention:** Wrap sensitive file creation commands in a subshell with `umask 077` (or `umask 0177` for executable scripts) to ensure the file is created with restrictive permissions (0600) from the start.
+# Sentinel
+
+## 2026-02-07 - Insecure File Creation for Sensitive Data
+
+**Vulnerability:** Private SSH keys were created with default umask
+permissions (often 0644 or 0664) before being restricted to 0600,
+creating a race condition (TOCTOU) where the file could be read by
+other users during the creation window.
+
+**Learning:** Shell redirection (`>`) creates the file before `chmod`
+is executed, using the process's default umask. Explicitly setting
+`chmod` afterward is insufficient for highly sensitive files on
+multi-user systems.
+
+**Prevention:** Wrap sensitive file creation commands in a subshell
+with `umask 077` (or `umask 0177` for executable scripts) to ensure
+the file is created with restrictive permissions (0600) from the
+start.
🧰 Tools
🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 207] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 221] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 240] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2025-02-07 - Insecure File ..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md


[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2025-02-07 - Insecure File Creation for Sensitive Data"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🪛 LanguageTool

[locale-violation] ~3-~3: In American English, ‘afterward’ is the preferred variant. ‘Afterwards’ is more commonly used in British English and other dialects.
Context: ...fault umask. Explicitly setting chmod afterwards is insufficient for highly sensitive fi...

(AFTERWARDS_US)

🤖 Prompt for AI Agents
In @.jules/sentinel.md around lines 1 - 4, change the first line to a top-level
heading by replacing the "## 2025-02-07 - Insecure File Creation for Sensitive
Data" line with "# 2025-02-07 - Insecure File Creation for Sensitive Data", add
a blank line immediately after that heading to satisfy MD022, and reflow/wrap
the long sentences in the following lines (the description and prevention lines)
to 80 characters or fewer per line to fix MD013: split them into short sentences
or separate bullet points while keeping the same content (refer to the heading
text and the "Prevention" sentence about "umask 077"/"umask 0177" to locate
where to wrap).

5 changes: 4 additions & 1 deletion tools/setup-ssh-keys.sh
Original file line number Diff line number Diff line change
Expand Up @@ -153,7 +153,10 @@ cmd_restore() {
chmod 700 "$SSH_DIR"

# Read private key from 1Password and save locally
op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"
(
umask 077
op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"
)
chmod 600 "$PRIVATE_KEY_FILE"

# Read public key from 1Password and save locally
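Review bot: the `umask 077` subshell only governs the mode of a file that is newly created; if `$PRIVATE_KEY_FILE` already exists (for example from an earlier run of `cmd_restore` that wrote it under the old code path), `>` truncates it in place and it keeps its existing mode until `chmod 600 "$PRIVATE_KEY_FILE"` on the following line runs, so the window this PR closes for a fresh file survives for re-runs. Remove or pre-create the file before writing, e.g. `rm -f "$PRIVATE_KEY_FILE"` ahead of the subshell, or `install -m 600 /dev/null "$PRIVATE_KEY_FILE"` and then redirect into it. Separately, if `op read` fails the redirection still leaves an empty (or truncated) key file behind and execution falls through to the `chmod` unless `set -e` is in effect higher up, which this hunk does not show; consider `) || { rm -f "$PRIVATE_KEY_FILE"; exit 1; }` on the subshell so a failed restore does not leave a bogus key in `$SSH_DIR`.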