🛡️ Sentinel: [HIGH] Fix Local Privilege Escalation / Symlink Attack in apt.sh

[kidchenko]

🚨 Severity: HIGH
💡 Vulnerability: The script tools/os_installers/apt.sh downloaded yq to a hardcoded predictable temporary path (/tmp/yq) and then moved it using elevated privileges (sudo mv). This could be exploited via a symlink attack for local privilege escalation.
🎯 Impact: A malicious local user could pre-create a symlink or executable at /tmp/yq, leading to an attacker-controlled file being placed at /usr/local/bin/yq or local privilege escalation via sudo mv.
🔧 Fix: Replaced hardcoded /tmp/yq path with a securely generated random directory using mktemp -d. This ensures the temporary path is unpredictable and owned securely by the user before executing the elevated move operation.
✅ Verification: Verified that changes pass shellcheck via ./build.sh lint.

Sentinel Journal entry has also been created to document this learning.

---

PR created automatically by Jules for task 5093337245990563626 started by @kidchenko

Summary by CodeRabbit

• Bug Fixes

  • Fixed a local privilege escalation vulnerability in the package installation process by improving temporary file handling security.

• Documentation

  • Added security documentation detailing vulnerability details and mitigation recommendations.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

📝 Walkthrough

Walkthrough

A security vulnerability in a script using hardcoded temporary paths in sudo operations is documented and remedied. The apt.sh installer is updated to use securely generated temporary directories via mktemp instead of a hardcoded /tmp/yq path, mitigating local privilege escalation risks.

Changes

Cohort / File(s)	Summary
Security Documentation .jules/sentinel.md	New security note documenting vulnerability: hardcoded temporary path (/tmp/yq) in sudo operations poses symlink attack risk; recommends mktemp-based remediation.
Script Security Fix tools/os_installers/apt.sh	Updated yq installation to create temporary directory via mktemp instead of hardcoded /tmp/yq path, then move binary to /usr/local/bin and clean up.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~7 minutes

Poem

🐰 A path once hardcoded, now secure,
mktemp's magic makes symlinks unsure,
/tmp/yq replaced with random delight,
Privilege escalation thwarted outright! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly identifies the main fix: replacing hardcoded temporary paths to prevent local privilege escalation via symlink attacks in apt.sh. It directly reflects the changeset's primary objective.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/apt-script-symlink-vuln-5093337245990563626

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.jules/sentinel.md:
- Around line 1-4: Add a top-level H1 (e.g., "# Sentinel") to satisfy MD041,
ensure the existing heading "2024-05-24 - Predictable Temporary File Path in
Sudo Operations" is surrounded by blank lines to satisfy MD022, and wrap/reflow
lines longer than 80 characters (MD013) by splitting the long description and
the Prevention line into shorter sentences or bullet points; keep the reference
to tools/os_installers/apt.sh intact when reflowing so the file path remains
clear.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2cb4949a-2903-429b-9c66-69348c6795c4

📥 Commits

Reviewing files that changed from the base of the PR and between cb5949a and 798d866.

📒 Files selected for processing (2)

• .jules/sentinel.md
• tools/os_installers/apt.sh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Address markdownlint failures flagged by static analysis.

The linter flags several issues:

• Missing top-level # heading (MD041)
• Heading not surrounded by blank lines (MD022)
• Lines 2-4 exceed the 80-character limit (MD013)

📝 Proposed fix to address lint failures

+# Sentinel Journal
+
 ## 2024-05-24 - Predictable Temporary File Path in Sudo Operations
-**Vulnerability:** The script `tools/os_installers/apt.sh` downloaded `yq` to a hardcoded predictable temporary path (`/tmp/yq`) and then moved it using elevated privileges (`sudo mv`). This could be exploited via a symlink attack for local privilege escalation.
-**Learning:** Hardcoded `/tmp/` files used with elevated privileges expose systems to symlink attacks, a pattern observed in the OS installation scripts.
-**Prevention:** Always use securely generated random directories like `mktemp -d` to stage downloaded files before performing elevated operations.
+
+**Vulnerability:** The script `tools/os_installers/apt.sh` downloaded `yq` to a
+hardcoded predictable temporary path (`/tmp/yq`) and then moved it using
+elevated privileges (`sudo mv`). This could be exploited via a symlink attack
+for local privilege escalation.
+
+**Learning:** Hardcoded `/tmp/` files used with elevated privileges expose
+systems to symlink attacks, a pattern observed in the OS installation scripts.
+
+**Prevention:** Always use securely generated random directories like
+`mktemp -d` to stage downloaded files before performing elevated operations.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	## 2024-05-24 - Predictable Temporary File Path in Sudo Operations
	**Vulnerability:** The script `tools/os_installers/apt.sh` downloaded `yq` to a hardcoded predictable temporary path (`/tmp/yq`) and then moved it using elevated privileges (`sudo mv`). This could be exploited via a symlink attack for local privilege escalation.
	**Learning:** Hardcoded `/tmp/` files used with elevated privileges expose systems to symlink attacks, a pattern observed in the OS installation scripts.
	**Prevention:** Always use securely generated random directories like `mktemp -d` to stage downloaded files before performing elevated operations.
	# Sentinel Journal
	## 2024-05-24 - Predictable Temporary File Path in Sudo Operations
	**Vulnerability:** The script `tools/os_installers/apt.sh` downloaded `yq` to a
	hardcoded predictable temporary path (`/tmp/yq`) and then moved it using
	elevated privileges (`sudo mv`). This could be exploited via a symlink attack
	for local privilege escalation.
	**Learning:** Hardcoded `/tmp/` files used with elevated privileges expose
	systems to symlink attacks, a pattern observed in the OS installation scripts.
	**Prevention:** Always use securely generated random directories like
	`mktemp -d` to stage downloaded files before performing elevated operations.

🧰 Tools

🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 146] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 153] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 262] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2024-05-24 - Predictable Te..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

---

[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2024-05-24 - Predictable Temporary File Path in Sudo Operations"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, Add a top-level H1 (e.g., "#
Sentinel") to satisfy MD041, ensure the existing heading "2024-05-24 -
Predictable Temporary File Path in Sudo Operations" is surrounded by blank lines
to satisfy MD022, and wrap/reflow lines longer than 80 characters (MD013) by
splitting the long description and the Prevention line into shorter sentences or
bullet points; keep the reference to tools/os_installers/apt.sh intact when
reflowing so the file path remains clear.