6 changes: 6 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,6 @@
# Sentinel's Journal

## 2024-05-22 - TOCTOU Race Condition in File Creation

Check failure on line 3 in .jules/sentinel.md (GitHub Actions / Lint Documentation): Headings should be surrounded by blank lines
.jules/sentinel.md:3 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2024-05-22 - TOCTOU Race Condition in File Creation"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md
**Vulnerability:** Found a Time-of-Check to Time-of-Use (TOCTOU) vulnerability in `tools/setup-ssh-keys.sh` where sensitive SSH keys were created with default permissions (potentially world-readable) before being restricted with `chmod`.

Check failure on line 4 in .jules/sentinel.md (GitHub Actions / Lint Documentation): Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 237] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md
**Learning:** Even with a subsequent `chmod`, there is a small window where a file is accessible to other users on the system if created with default `umask`.

Check failure on line 5 in .jules/sentinel.md (GitHub Actions / Lint Documentation): Line length
.jules/sentinel.md:5:81 MD013/line-length Line length [Expected: 80; Actual: 158] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md
**Prevention:** Always use `umask 077` in a subshell when creating sensitive files or directories to ensure they are private from the moment of creation.

Check failure on line 6 in .jules/sentinel.md (GitHub Actions / Lint Documentation): Line length
.jules/sentinel.md:6:81 MD013/line-length Line length [Expected: 80; Actual: 153] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md
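Review bot: the entry at lines 3-6 labels the bug a Time-of-Check to Time-of-Use race, but what the accompanying `tools/setup-ssh-keys.sh` change fixes is a create-then-restrict permission window (the file exists with umask-derived permissions until `chmod` runs), not a check-then-use sequence; say that explicitly so a later reader does not go looking for a missing existence check. The Learning line would also be stronger with the concrete number: under the common default `umask 022`, a shell redirection creates the file 0644, which is the "potentially world-readable" case the Vulnerability line describes. Finally, the Prevention rule only holds when the file does not already exist: `umask` has no effect on a redirection that truncates an existing file, so the journal should note that the target must be removed or pre-created with a restrictive mode before writing.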
Comment on lines +3 to +6

⚠️ Potential issue | 🟡 Minor

Fix markdown lint failures flagged by CI.

The Lint Documentation check is failing on this file with four violations:

  1. MD022 (Line 3): Missing blank line below the heading.
  2. MD013 (Lines 4–6): Lines exceed the 80-character limit.

Also, the date 2024-05-22 appears incorrect; this PR was created in February 2026.

Suggested rewrite to fix all lint issues
 # Sentinel's Journal
 
-## 2024-05-22 - TOCTOU Race Condition in File Creation
-**Vulnerability:** Found a Time-of-Check to Time-of-Use (TOCTOU) vulnerability in `tools/setup-ssh-keys.sh` where sensitive SSH keys were created with default permissions (potentially world-readable) before being restricted with `chmod`.
-**Learning:** Even with a subsequent `chmod`, there is a small window where a file is accessible to other users on the system if created with default `umask`.
-**Prevention:** Always use `umask 077` in a subshell when creating sensitive files or directories to ensure they are private from the moment of creation.
+## 2026-02-09 - TOCTOU Race Condition in File Creation
+
+**Vulnerability:** Found a TOCTOU vulnerability in
+`tools/setup-ssh-keys.sh` where sensitive SSH keys were created
+with default permissions (potentially world-readable) before
+being restricted with `chmod`.
+
+**Learning:** Even with a subsequent `chmod`, there is a small
+window where a file is accessible to other users on the system
+if created with default `umask`.
+
+**Prevention:** Always use `umask 077` in a subshell when
+creating sensitive files or directories to ensure they are
+private from the moment of creation.
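Review bot: the suggested heading hardcodes `2026-02-09` as the entry date while the Prompt for AI Agents in this same comment asks for `2026-02-<day>` to be filled in; the PR author should confirm the actual day rather than commit the suggestion verbatim. The rewrite also drops the expansion of the acronym from the Vulnerability line; since this is its first use in the journal, keep `Time-of-Check to Time-of-Use (TOCTOU)` and reflow it across lines, which still fits within the 80-column limit.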
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
## 2024-05-22 - TOCTOU Race Condition in File Creation
**Vulnerability:** Found a Time-of-Check to Time-of-Use (TOCTOU) vulnerability in `tools/setup-ssh-keys.sh` where sensitive SSH keys were created with default permissions (potentially world-readable) before being restricted with `chmod`.
**Learning:** Even with a subsequent `chmod`, there is a small window where a file is accessible to other users on the system if created with default `umask`.
**Prevention:** Always use `umask 077` in a subshell when creating sensitive files or directories to ensure they are private from the moment of creation.
# Sentinel's Journal
## 2026-02-09 - TOCTOU Race Condition in File Creation
**Vulnerability:** Found a TOCTOU vulnerability in
`tools/setup-ssh-keys.sh` where sensitive SSH keys were created
with default permissions (potentially world-readable) before
being restricted with `chmod`.
**Learning:** Even with a subsequent `chmod`, there is a small
window where a file is accessible to other users on the system
if created with default `umask`.
**Prevention:** Always use `umask 077` in a subshell when
creating sensitive files or directories to ensure they are
private from the moment of creation.
🤖 Prompt for AI Agents
In @.jules/sentinel.md around lines 3 - 6, The heading line "2024-05-22 - TOCTOU
Race Condition in File Creation" needs three fixes: insert a blank line
immediately below the heading to satisfy MD022; reflow the long description
lines (the lines describing the vulnerability, learning, and prevention that
reference tools/setup-ssh-keys.sh and umask 077) so each line is ≤80 characters
to satisfy MD013; and update the date prefix from "2024-05-22" to the correct
February 2026 date (e.g. "2026-02-<day>") to reflect the PR creation date.
Locate that heading and the three following paragraph lines in
.jules/sentinel.md and apply these edits.

9 changes: 7 additions & 2 deletions tools/setup-ssh-keys.sh
Expand Up @@ -149,11 +149,16 @@ cmd_restore() {
say "Restoring SSH key from 1Password..."

# Create SSH directory
mkdir -p "$SSH_DIR"
if [[ ! -d "$SSH_DIR" ]]; then
(umask 077 && mkdir -p "$SSH_DIR")
fi
chmod 700 "$SSH_DIR"

# Read private key from 1Password and save locally
op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"
(
umask 077
op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"
)
chmod 600 "$PRIVATE_KEY_FILE"

# Read public key from 1Password and save locally
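Review bot: the `umask 077` subshell around `op read ... > "$PRIVATE_KEY_FILE"` only governs the mode of a file the redirection creates; if `$PRIVATE_KEY_FILE` already exists (for example as 0644 from a run before this fix), `>` truncates and rewrites it in place with its existing mode, and the window this change is meant to close is still open until the `chmod 600` on the following line. Remove or pre-create the file inside the subshell first, e.g. `rm -f "$PRIVATE_KEY_FILE"` before the `op read`, or create it with `install -m 600 /dev/null "$PRIVATE_KEY_FILE"` and then write into it. Separately, if `op read` fails the redirection has already truncated the target, leaving an empty private key file behind; writing to a temporary file inside `$SSH_DIR` and moving it into place only on success avoids that. The `if [[ ! -d "$SSH_DIR" ]]` guard is harmless but redundant with `mkdir -p`; the subshell on its own would do.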