4 changes: 4 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,4 @@
## 2026-02-23 - Insecure Permissions on Backups
**Vulnerability:** `tools/backup-projects.sh` created backup zip archives and logs with default umask permissions (often 022/644), making them world-readable on multi-user systems. These backups contain source code and logs contain remote URLs (potentially with tokens).
**Learning:** Shell scripts creating sensitive files must explicitly manage permissions, as default system umasks are often permissive.
**Prevention:** Use `umask 077` at the start of scripts handling sensitive data to ensure files are only readable by the owner by default.
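Review bot: the Prevention entry only covers files created after this change; the archives and logs that `tools/backup-projects.sh` already wrote with 644 stay world-readable until someone tightens them, so the entry should also record the one-time remediation (`chmod 600` on the existing backup archives and log files, `chmod 700` on their directories). Since the Vulnerability line says the logs may carry remote URLs with tokens, it is also worth stating that any token that reached a world-readable log should be treated as exposed and rotated, not just re-protected.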
Comment on lines +1 to +4
⚠️ Potential issue | 🟡 Minor

Markdown linting failures are breaking CI — fix MD041, MD022, and MD013

The "Lint Documentation" CI check has 5 failures on this new file:

  • MD041 (line 1): file must start with a top-level # heading, not ##
  • MD022 (line 1): heading must be followed by a blank line
  • MD013 (lines 2–4): lines exceed the 80-character limit (270, 135, and 138 chars respectively)
📝 Proposed fix
+# Sentinel Security Log
+
 ## 2026-02-23 - Insecure Permissions on Backups
-**Vulnerability:** `tools/backup-projects.sh` created backup zip archives and logs with default umask permissions (often 022/644), making them world-readable on multi-user systems. These backups contain source code and logs contain remote URLs (potentially with tokens).
-**Learning:** Shell scripts creating sensitive files must explicitly manage permissions, as default system umasks are often permissive.
-**Prevention:** Use `umask 077` at the start of scripts handling sensitive data to ensure files are only readable by the owner by default.
+
+**Vulnerability:** `tools/backup-projects.sh` created backup zip archives and
+logs with default umask permissions (often 022/644), making them world-readable
+on multi-user systems. These backups contain source code and logs contain remote
+URLs (potentially with tokens).
+
+**Learning:** Shell scripts creating sensitive files must explicitly manage
+permissions, as default system umasks are often permissive.
+
+**Prevention:** Use `umask 077` at the start of scripts handling sensitive data
+to ensure files are only readable by the owner by default.
🧰 Tools
🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 138] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 135] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 270] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2026-02-23 - Insecure Permi..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md


[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2026-02-23 - Insecure Permissions on Backups"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, The file .jules/sentinel.md fails
Markdown linting: change the top heading "## 2026-02-23 - Insecure Permissions
on Backups" to a top-level heading (prefix with a single '#'), add a blank line
immediately after that heading, and reflow the long lines in the body (the
vulnerability, learning, and prevention lines) so no line exceeds 80 characters
— e.g., split those sentences into multiple lines or short paragraphs/bullets
(keep the same content but wrap text) to fix MD041, MD022, and MD013.

3 changes: 3 additions & 0 deletions tools/backup-projects.sh
@@ -27,6 +27,9 @@
# Pipestatus
set -o pipefail

# Security: Ensure backups and logs are only readable by the owner
umask 077

# --- Configuration ---
CONFIG_FILE="${XDG_CONFIG_HOME:-$HOME/.config}/dotfiles/config.yaml"
LOG_DIR="${XDG_STATE_HOME:-$HOME/.local/state}/dotfiles"
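Review bot: `umask 077` placed here applies to everything the rest of the script creates, not only the archives and logs: `LOG_DIR` under `$XDG_STATE_HOME` (and any other directory the script makes) will come out 700, so confirm nothing else, such as a log shipper or a second account, needs group or world access to those paths, and widen the comment to say the mask is intentional for the whole run. The placement before the configuration block is right only if no file is opened earlier in the script; lines 1-26 are outside this hunk, so please double-check them. If the script is ever sourced rather than executed the new umask leaks into the caller's shell, which a subshell around the sensitive section, `( umask 077; ... )`, would avoid. A quick post-change check on Linux: `touch "$LOG_DIR/probe" && stat -c %a "$LOG_DIR/probe"` should print `600`.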