From f73e44d651513dbe65fc1ce5f4223d7b02b99379 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Thu, 26 Feb 2026 04:43:42 +0000
Subject: [PATCH] Fix insecure file permissions in backup-projects.sh

- Set chmod 700 on backup and log directories
- Use umask 077 when creating zip archives to ensure they are only readable by owner

Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 tools/backup-projects.sh | 3 +++
 2 files changed, 7 insertions(+)
 create mode 100644 .jules/sentinel.md

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..cf3bc43
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2026-02-26 - Insecure Backup Permissions
+**Vulnerability:** The backup script `tools/backup-projects.sh` created project archives and log files with default umask permissions (often 644/755), making them readable by other users on the system.
+**Learning:** Shell scripts creating sensitive archives often default to system umask, which is usually designed for collaboration, not secrecy.
+**Prevention:** Explicitly set `umask 077` in a subshell before running archival commands like `zip` or `tar`, and use `chmod 700` on sensitive directories immediately after creation.
diff --git a/tools/backup-projects.sh b/tools/backup-projects.sh
index 1b7f6d2..2523472 100755
--- a/tools/backup-projects.sh
+++ b/tools/backup-projects.sh
@@ -351,7 +351,9 @@ cmd_backup() {
 # Setup directories
 if [[ "$DRY_RUN" != true ]]; then
 mkdir -p "$BACKUP_TEMP_DIR"
+ chmod 700 "$BACKUP_TEMP_DIR"
 mkdir -p "$LOG_DIR"
+ chmod 700 "$LOG_DIR"
 else
 debug "Would create: $BACKUP_TEMP_DIR"
 debug "Would create: $LOG_DIR"
@@ -410,6 +412,7 @@ cmd_backup() {
 exclude_args=$(build_exclude_args)
 
 (
+ umask 077
 cd "$HOME" || exit 1
 if [[ "$VERBOSE" == true ]]; then
 # shellcheck disable=SC2086
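Review bot: The directories are still created by `mkdir -p` under the inherited umask and only tightened by the `chmod 700` that follows, so a freshly created `$BACKUP_TEMP_DIR` or `$LOG_DIR` is briefly readable by other users, and a process that entered it in that window keeps its access after the chmod. Creating the leaf with the right mode from the start closes the gap: `mkdir -p -m 700 "$BACKUP_TEMP_DIR"` and `mkdir -p -m 700 "$LOG_DIR"`, or run the whole setup block under `umask 077`. Note that `-m` applies only to the final path component, so parents that `-p` creates still get the default mode, and `chmod` follows symlinks, so if either variable can name a pre-existing symlink the target's mode is changed instead. cmd_backup() begins before this hunk, so whether the two paths are validated earlier is not visible here.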
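Review bot: The added `umask 077` governs only files created inside this subshell, so anything cmd_backup() writes outside it is not covered, and if the archive already exists from a previous run it is worth verifying that zip's update path actually applies the new mode rather than keeping the old one (removing a stale archive before the run, or checking the resulting mode, would settle it). A simpler and more complete guard is to set `umask 077` once at the top of cmd_backup() or at script level, so every file the backup creates, including the log files placed in `$LOG_DIR`, inherits the restrictive mode. Separately, `cd "$HOME" || exit 1` on the next line terminates only the subshell, so the caller has to check the subshell's exit status; that check, like the rest of cmd_backup(), lies outside this hunk.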