From 3c180c383f7228e3a10fb2ab151fb2c50c5a2463 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Tue, 24 Feb 2026 05:05:43 +0000
Subject: [PATCH] feat(security): restrict backup file permissions to owner-only
Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 tools/backup-projects.sh | 2 ++
 2 files changed, 6 insertions(+)
 create mode 100644 .jules/sentinel.md
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..9282611
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2026-02-24 - Insecure Backup Permissions
+**Vulnerability:** Backup archives created by `tools/backup-projects.sh` were readable by all users on the system (0644 default permissions). These archives contain sensitive project files and potentially secrets.
+**Learning:** Shell scripts using `zip` or `tar` often inherit default umask settings, which are typically permissive. Creating backups in shared environments (even multi-user home machines) requires explicit permission handling.
+**Prevention:** Enforce `umask 0077` (or strict `chmod`) when creating sensitive files or archives in shell scripts. Always assume the default environment is insecure.
diff --git a/tools/backup-projects.sh b/tools/backup-projects.sh
index 1b7f6d2..d3b5282 100755
--- a/tools/backup-projects.sh
+++ b/tools/backup-projects.sh
@@ -410,6 +410,8 @@ cmd_backup() {
 exclude_args=$(build_exclude_args)
 (
+ # Restrict permissions for backup file (owner read/write only)
+ umask 0077
 cd "$HOME" || exit 1
 if [[ "$VERBOSE" == true ]]; then
 # shellcheck disable=SC2086