Skip to content

πŸ›‘οΈ Sentinel: Fix insecure file permissions in backup script #41

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
kidchenko wants to merge 1 commit into
base: main
Choose a base branch
from
Open

πŸ›‘οΈ Sentinel: Fix insecure file permissions in backup script #41

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .jules/sentinel.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
## 2025-02-25 - Insecure File Permissions in Backup Script

Check failure on line 1 in .jules/sentinel.md

View workflow job for this annotation

GitHub Actions / Lint Documentation

First line in a file should be a top-level heading 

.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2025-02-25 - Insecure File ..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

Check failure on line 1 in .jules/sentinel.md

View workflow job for this annotation

GitHub Actions / Lint Documentation

Headings should be surrounded by blank lines 

.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2025-02-25 - Insecure File Permissions in Backup Script"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md
**Vulnerability:** The `tools/backup-projects.sh` script created backup archives and log directories without explicitly setting restrictive permissions. This meant that on multi-user systems (or even locally if shared), backup archives containing potentially sensitive project code and secrets were readable by other users (group/world readable depending on umask).

Check failure on line 2 in .jules/sentinel.md

View workflow job for this annotation

GitHub Actions / Lint Documentation

Line length 

.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 365] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md
**Learning:** Default umask settings (often 022) are insufficient for security-critical operations like backups. Relying on default permissions assumes a secure environment, which is not always true.

Check failure on line 3 in .jules/sentinel.md

View workflow job for this annotation

GitHub Actions / Lint Documentation

Line length 

.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 199] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md
**Prevention:** Always use `umask 077` in subshells when creating sensitive files or directories. Explicitly `chmod 700` directories and `chmod 600` files after creation to enforce defense-in-depth.

Check failure on line 4 in .jules/sentinel.md

View workflow job for this annotation

GitHub Actions / Lint Documentation

Line length 

.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 198] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md
Comment on lines +1 to +4
Copy link

@coderabbitai coderabbitai bot Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟑 Minor

Fix markdown lint failures (pipeline broken) and correct the year in the heading date.

Five markdownlint failures are blocking the Lint Documentation check:

Line Rule Fix
1 MD041 – first line must be h1 (#, not ##) Change ## β†’ #
1 MD022 – heading must be surrounded by blank lines Add a blank line after the heading
2–4 MD013 – lines exceed 80 chars Wrap long sentences at ≀80 chars

Additionally, the heading date reads 2025-02-25 but the PR was opened on 2026-02-25.

πŸ“ Proposed fix 
-## 2025-02-25 - Insecure File Permissions in Backup Script
-**Vulnerability:** The `tools/backup-projects.sh` script created backup archives and log directories without explicitly setting restrictive permissions. This meant that on multi-user systems (or even locally if shared), backup archives containing potentially sensitive project code and secrets were readable by other users (group/world readable depending on umask).
-**Learning:** Default umask settings (often 022) are insufficient for security-critical operations like backups. Relying on default permissions assumes a secure environment, which is not always true.
-**Prevention:** Always use `umask 077` in subshells when creating sensitive files or directories. Explicitly `chmod 700` directories and `chmod 600` files after creation to enforce defense-in-depth.
+# 2026-02-25 - Insecure File Permissions in Backup Script
+
+**Vulnerability:** The `tools/backup-projects.sh` script created backup archives and log
+directories without explicitly setting restrictive permissions. On multi-user systems,
+backup archives containing potentially sensitive project code and secrets were readable
+by other users (group/world readable depending on umask).
+
+**Learning:** Default umask settings (often 022) are insufficient for security-critical
+operations like backups. Relying on default permissions assumes a secure environment,
+which is not always true.
+
+**Prevention:** Always use `umask 077` in subshells when creating sensitive files or
+directories. Explicitly `chmod 700` directories and `chmod 600` files after creation
+to enforce defense-in-depth.
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
## 2025-02-25 - Insecure File Permissions in Backup Script
**Vulnerability:** The `tools/backup-projects.sh` script created backup archives and log directories without explicitly setting restrictive permissions. This meant that on multi-user systems (or even locally if shared), backup archives containing potentially sensitive project code and secrets were readable by other users (group/world readable depending on umask).
**Learning:** Default umask settings (often 022) are insufficient for security-critical operations like backups. Relying on default permissions assumes a secure environment, which is not always true.
**Prevention:** Always use `umask 077` in subshells when creating sensitive files or directories. Explicitly `chmod 700` directories and `chmod 600` files after creation to enforce defense-in-depth.
# 2026-02-25 - Insecure File Permissions in Backup Script
**Vulnerability:** The `tools/backup-projects.sh` script created backup archives and log
directories without explicitly setting restrictive permissions. On multi-user systems,
backup archives containing potentially sensitive project code and secrets were readable
by other users (group/world readable depending on umask).
**Learning:** Default umask settings (often 022) are insufficient for security-critical
operations like backups. Relying on default permissions assumes a secure environment,
which is not always true.
**Prevention:** Always use `umask 077` in subshells when creating sensitive files or
directories. Explicitly `chmod 700` directories and `chmod 600` files after creation
to enforce defense-in-depth.
🧰 Tools
πŸͺ› GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 198] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 199] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 365] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2025-02-25 - Insecure File ..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2025-02-25 - Insecure File Permissions in Backup Script"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

πŸ€– Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, Change the top heading "2025-02-25 -
Insecure File Permissions in Backup Script" to an H1 and correct the year to
2026 (e.g., "# 2026-02-25 - Insecure File Permissions in Backup Script"), ensure
there is a blank line immediately after that heading to satisfy MD022, and
reflow/wrap the following paragraph lines to at most 80 characters to fix MD013
so the description lines (the text under the heading) are split into shorter
lines; after these edits verify markdownlint no longer reports MD041, MD022, or
MD013 failures.

5 changes: 5 additions & 0 deletions tools/backup-projects.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -351,7 +351,9 @@ cmd_backup() {
# Setup directories
if [[ "$DRY_RUN" != true ]]; then
mkdir -p "$BACKUP_TEMP_DIR"
chmod 700 "$BACKUP_TEMP_DIR"
mkdir -p "$LOG_DIR"
chmod 700 "$LOG_DIR"
else
debug "Would create: $BACKUP_TEMP_DIR"
debug "Would create: $LOG_DIR"
Expand Down Expand Up @@ -411,6 +413,7 @@ cmd_backup() {

(
cd "$HOME" || exit 1
umask 077
if [[ "$VERBOSE" == true ]]; then
# shellcheck disable=SC2086
zip -r "$archive_path" "${relative_paths[@]}" $exclude_args
Expand All @@ -419,6 +422,8 @@ cmd_backup() {
zip -r -q "$archive_path" "${relative_paths[@]}" $exclude_args
fi
)
# Ensure strict permissions on the archive
[[ -f "$archive_path" ]] && chmod 600 "$archive_path"

if [[ ! -f "$archive_path" ]]; then
error "Failed to create archive"
Expand Down
Loading