From a223e8d92067032f6fd39e8402a3c8f30b0e3b04 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 04:39:15 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]=20En?= =?UTF-8?q?force=20strict=20permissions=20on=20backups?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit **Vulnerability:** The `tools/backup-projects.sh` script created backup zip archives and log files with default system permissions (often 022/644). This meant that backup files containing source code and potentially sensitive information, as well as logs containing remote repository URLs, were world-readable on multi-user systems. **Fix:** Added `umask 077` to the beginning of `tools/backup-projects.sh`. This ensures that all files and directories created by the script (including temporary directories, log files, and the final zip archive) are only readable and writable by the owner (mode 600 or 700). **Verification:** - Verified syntax with `./build.sh syntax`. - Verified execution with `tools/backup-projects.sh --dry-run`. - Confirmed that `umask 077` is applied before any file creation operations. Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com> --- .jules/sentinel.md | 4 ++++ tools/backup-projects.sh | 3 +++ 2 files changed, 7 insertions(+) create mode 100644 .jules/sentinel.md diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..1457064 --- /dev/null +++ b/.jules/sentinel.md 
@@ -0,0 +1,4 @@ +## 2026-02-23 - Insecure Permissions on Backups +**Vulnerability:** `tools/backup-projects.sh` created backup zip archives and logs with default umask permissions (often 022/644), making them world-readable on multi-user systems. These backups contain source code and logs contain remote URLs (potentially with tokens). +**Learning:** Shell scripts creating sensitive files must explicitly manage permissions, as default system umasks are often permissive. +**Prevention:** Use `umask 077` at the start of scripts handling sensitive data to ensure files are only readable by the owner by default. diff --git a/tools/backup-projects.sh b/tools/backup-projects.sh index 1b7f6d2..607b6d0 100755 --- a/tools/backup-projects.sh +++ b/tools/backup-projects.sh @@ -27,6 +27,9 @@ # Pipestatus set -o pipefail +# Security: Ensure backups and logs are only readable by the owner +umask 077 + # --- Configuration --- CONFIG_FILE="${XDG_CONFIG_HOME:-$HOME/.config}/dotfiles/config.yaml" LOG_DIR="${XDG_STATE_HOME:-$HOME/.local/state}/dotfiles"
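Review bot: the Prevention line in the new `.jules/sentinel.md` only covers files created after this change; archives and logs written by earlier runs keep the 644 mode the Vulnerability line describes, so the note should also tell users to tighten existing files once (for example `chmod -R go-rwx` on the backup and log directories). Separately, if the logs really carry remote URLs with embedded tokens, a 600 mode narrows who can read them but leaves the token on disk; stating that credentials should be stripped from URLs before they are logged would be the stronger prevention to record here.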
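Review bot: `umask 077` placed after `set -o pipefail` governs only paths created from that point on; it does not change the mode of `LOG_DIR` (`${XDG_STATE_HOME:-$HOME/.local/state}/dotfiles`) or of any backup directory that already exists from a previous run, and if the script creates those with `mkdir -p` that call is a no-op on an existing directory. Consider pairing the umask with an explicit `chmod 700 "$LOG_DIR"` (or `install -d -m 700 "$LOG_DIR"`) once the path is known, and mentioning in the comment the resulting modes (600 for files, 700 for directories) so a reader does not have to derive them from the mask.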
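As an added example, not part of this patch or of the dotfiles project, the following POSIX shell script shows what `umask 077` changes for newly created files and directories and what it leaves alone: a state directory created by an earlier run keeps its old mode until it is explicitly chmod'ed. The function names, the temporary directory layout and the pre-existing 755 directory are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not the project's code): what umask 077 does and does not do
# for a script that writes backups and logs. Everything happens in throwaway
# mktemp directories, so it is safe to run anywhere.
set -eu

# Print the octal permission bits of a path; works with GNU and BSD stat.
mode_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Create a file and a directory under the given umask and print "filemode dirmode".
# Files start from 0666 and directories from 0777 before the mask is applied,
# so 022 yields "644 755" and 077 yields "600 700".
modes_under_umask() {
    mask="$1"
    work=$(mktemp -d)
    (
        umask "$mask"
        : > "$work/backup.log"      # stands in for the script's log file
        mkdir "$work/tmpdir"        # stands in for its temporary directory
    )
    printf '%s %s\n' "$(mode_of "$work/backup.log")" "$(mode_of "$work/tmpdir")"
    rm -rf "$work"
}

# Show that a directory created before the umask change keeps its mode:
# mkdir -p on an existing directory is a no-op, so only chmod fixes it.
# Prints "modebefore modeafter", i.e. "755 700" under these assumptions.
fix_existing_dir() {
    work=$(mktemp -d)
    mkdir -m 755 "$work/state"              # assumed: dir left by an earlier run
    ( umask 077; mkdir -p "$work/state" )   # what the patched script effectively does
    before=$(mode_of "$work/state")
    chmod 700 "$work/state"                 # the explicit fix the umask does not give
    after=$(mode_of "$work/state")
    printf '%s %s\n' "$before" "$after"
    rm -rf "$work"
}

modes_under_umask 022
modes_under_umask 077
fix_existing_dir
```

Run it as is to see the three result lines; the last one is the case a reviewer cares about, since a `umask` line added to a script never retroactively tightens directories or archives that already exist on disk.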