From a22a4c4938107c2ef6fd331e88a66d65b19ba71f Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 25 Feb 2026 04:49:15 +0000
Subject: [PATCH] feat(security): enforce secure permissions on project backups

- Restrict backup directory permissions to 0700 (owner only)
- Create backup archives with umask 077 and chmod 0600
- Ensure logs are stored in a 0700 directory

This prevents potential information disclosure on multi-user systems.

Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 tools/backup-projects.sh | 5 +++++
 2 files changed, 9 insertions(+)
 create mode 100644 .jules/sentinel.md

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..9509a27
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2025-02-25 - Insecure File Permissions in Backup Script
+**Vulnerability:** The `tools/backup-projects.sh` script created backup archives and log directories without explicitly setting restrictive permissions. This meant that on multi-user systems (or even locally if shared), backup archives containing potentially sensitive project code and secrets were readable by other users (group/world readable depending on umask).
+**Learning:** Default umask settings (often 022) are insufficient for security-critical operations like backups. Relying on default permissions assumes a secure environment, which is not always true.
+**Prevention:** Always use `umask 077` in subshells when creating sensitive files or directories. Explicitly `chmod 700` directories and `chmod 600` files after creation to enforce defense-in-depth.
diff --git a/tools/backup-projects.sh b/tools/backup-projects.sh
index 1b7f6d2..209afd0 100755
--- a/tools/backup-projects.sh
+++ b/tools/backup-projects.sh
@@ -351,7 +351,9 @@ cmd_backup() {
 # Setup directories
 if [[ "$DRY_RUN" != true ]]; then
 mkdir -p "$BACKUP_TEMP_DIR"
+ chmod 700 "$BACKUP_TEMP_DIR"
 mkdir -p "$LOG_DIR"
+ chmod 700 "$LOG_DIR"
 else
 debug "Would create: $BACKUP_TEMP_DIR"
 debug "Would create: $LOG_DIR"
@@ -411,6 +413,7 @@ cmd_backup() {
 (
 cd "$HOME" || exit 1
+ umask 077
 if [[ "$VERBOSE" == true ]]; then
 # shellcheck disable=SC2086
 zip -r "$archive_path" "${relative_paths[@]}" $exclude_args
@@ -419,6 +422,8 @@ cmd_backup() {
 zip -r -q "$archive_path" "${relative_paths[@]}" $exclude_args
 fi
 )
+ # Ensure strict permissions on the archive
+ [[ -f "$archive_path" ]] && chmod 600 "$archive_path"
 if [[ ! -f "$archive_path" ]]; then
 error "Failed to create archive"
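Review bot: `mkdir -p "$BACKUP_TEMP_DIR"` followed by a separate `chmod 700` leaves a window in which a freshly created directory carries the umask-derived mode before it is tightened, and `-p` creates any missing parent components with that default mode, which the leaf-only `chmod` never touches. Creating the directory restrictive from the start closes the gap, `(umask 077 && mkdir -p -- "$BACKUP_TEMP_DIR")`, with the existing `chmod 700` kept for the case where the directory already existed; the same applies to the `$LOG_DIR` pair two lines below. `chmod 700` on a directory the invoking user does not own will fail, and if the script runs under `set -e` (not visible in this hunk) that aborts `cmd_backup` rather than being reported, so a `|| error "..."` on each chmod is worth considering. The dry-run branch still prints only `Would create:`; `debug "Would create (mode 700): $BACKUP_TEMP_DIR"` keeps its output in step with what the real path now does. `cmd_backup` begins and continues outside this hunk.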
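Review bot: In the third hunk, `[[ -f "$archive_path" ]] && chmod 600 "$archive_path"` repeats the existence test that the `if [[ ! -f "$archive_path" ]]` on the next line already performs, and because `chmod` is the last command of an `&&` list its failure is not exempt from `set -e`, so a permission error would abort `cmd_backup` without going through the script's own `error` helper. Moving the chmod into the success path after that `if` block, as `chmod 600 -- "$archive_path" || error "Failed to restrict permissions on $archive_path"`, leaves one existence test and routes the failure through the same reporting path as the other errors (adjust the `|| ...` to however the existing `error` branch exits, which is outside the hunk). Since the second hunk already sets `umask 077` in the zip subshell, this chmod mainly matters when `$archive_path` pre-existed with a looser mode, which the comment should say: `# umask 077 covers a newly created archive; chmod covers a pre-existing one`. Any later copy or upload of the archive must also preserve the mode, but that code is not in this hunk; `cmd_backup` continues beyond it.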