4 changes: 4 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,4 @@
## 2026-02-21 - Insecure Backup Permissions

Check failure on line 1 in .jules/sentinel.md (GitHub Actions / Lint Documentation):
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2026-02-21 - Insecure Backu..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2026-02-21 - Insecure Backup Permissions"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

**Vulnerability:** `tools/backup-projects.sh` created project backups with default umask permissions (often 644/755), making them world-readable.

Check failure on line 2 in .jules/sentinel.md (GitHub Actions / Lint Documentation):
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 145] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

**Learning:** Scripts generating sensitive artifacts (backups, keys, logs) must explicitly set permissions. Default umask is insufficient for privacy.

Check failure on line 3 in .jules/sentinel.md (GitHub Actions / Lint Documentation):
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 150] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

**Prevention:** Enforce `umask 077` at the start of any script that handles sensitive data or artifacts.
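Review bot: The Prevention line relies on `umask 077` alone, while the Learning line above it says scripts "must explicitly set permissions"; a umask is only a default mask for files created after it is set, so it does not tighten artifacts that already exist and does not apply where a tool sets or preserves a mode itself. Suggest extending Prevention to pair the umask with an explicit `chmod 600` / `chmod 700` (or `install -m`) on the generated artifacts, plus a one-time fix for backups written before the change. In the Vulnerability line, "default umask permissions (often 644/755)" would read more precisely as "the default umask (often 022, giving 644/755)".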

Check failure on line 4 in .jules/sentinel.md (GitHub Actions / Lint Documentation):
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 104] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

Comment on lines +1 to +4

⚠️ Potential issue | 🟡 Minor

Fix markdown linting violations causing CI failures (MD041, MD022, MD013).

Five failures in the Lint Documentation check prevent a clean CI run:

  • MD041: First line must be a top-level # heading — the file opens with ##.
  • MD022: The ## heading requires a blank line below it.
  • MD013: Lines 2–4 exceed the 80-character limit (actual: 145, 150, 104 chars).
πŸ“ Proposed fix
-## 2026-02-21 - Insecure Backup Permissions
-**Vulnerability:** `tools/backup-projects.sh` created project backups with default umask permissions (often 644/755), making them world-readable.
-**Learning:** Scripts generating sensitive artifacts (backups, keys, logs) must explicitly set permissions. Default umask is insufficient for privacy.
-**Prevention:** Enforce `umask 077` at the start of any script that handles sensitive data or artifacts.
+# Sentinel Notes
+
+## 2026-02-21 - Insecure Backup Permissions
+
+**Vulnerability:** `tools/backup-projects.sh` created project backups with
+default umask permissions (often 644/755), making them world-readable.
+
+**Learning:** Scripts generating sensitive artifacts (backups, keys, logs) must
+explicitly set permissions. Default umask is insufficient for privacy.
+
+**Prevention:** Enforce `umask 077` at the start of any script that handles
+sensitive data or artifacts.
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
## 2026-02-21 - Insecure Backup Permissions
**Vulnerability:** `tools/backup-projects.sh` created project backups with default umask permissions (often 644/755), making them world-readable.
**Learning:** Scripts generating sensitive artifacts (backups, keys, logs) must explicitly set permissions. Default umask is insufficient for privacy.
**Prevention:** Enforce `umask 077` at the start of any script that handles sensitive data or artifacts.
# Sentinel Notes
## 2026-02-21 - Insecure Backup Permissions
**Vulnerability:** `tools/backup-projects.sh` created project backups with
default umask permissions (often 644/755), making them world-readable.
**Learning:** Scripts generating sensitive artifacts (backups, keys, logs) must
explicitly set permissions. Default umask is insufficient for privacy.
**Prevention:** Enforce `umask 077` at the start of any script that handles
sensitive data or artifacts.
🧰 Tools
🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 104] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 150] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 145] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2026-02-21 - Insecure Backu..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md


[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2026-02-21 - Insecure Backup Permissions"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, The markdown fails linting: change
the opening "## 2026-02-21 - Insecure Backup Permissions" to a top-level heading
by replacing it with "# 2026-02-21 - Insecure Backup Permissions" (this
addresses MD041), add a blank line immediately after that heading (MD022), and
wrap or reflow the long lines in the body (the lines referencing "Vulnerability:
`tools/backup-projects.sh`..." and "Prevention: Enforce `umask 077`..." and the
Learning line) so no line exceeds 80 characters (MD013); keep the same content
but split into shorter sentences or bullet lines to meet the limit.

3 changes: 3 additions & 0 deletions tools/backup-projects.sh
Expand Up @@ -27,6 +27,9 @@
# Pipestatus
set -o pipefail

# Set strict permissions for created files/directories (rwx------)
umask 077

# --- Configuration ---
CONFIG_FILE="${XDG_CONFIG_HOME:-$HOME/.config}/dotfiles/config.yaml"
LOG_DIR="${XDG_STATE_HOME:-$HOME/.local/state}/dotfiles"
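Review bot: The added `umask 077` only affects files and directories created after it runs, so a `LOG_DIR` or backup output left behind by earlier runs keeps its old, possibly world-readable mode. Suggest an explicit `chmod 700` on the directories the script writes to and `chmod 600` on the artifacts it produces, or a note in the PR on how existing backups get tightened. The new comment's `(rwx------)` describes directories only; files created with the usual 0666 mode come out as `rw-------`, so "700 for directories, 600 for files" would be more accurate.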