4 changes: 4 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,4 @@
## 2024-05-24 - Predictable Temporary File Path in Sudo Operations

**Vulnerability:** The script `tools/os_installers/apt.sh` downloaded `yq` to a hardcoded predictable temporary path (`/tmp/yq`) and then moved it using elevated privileges (`sudo mv`). This could be exploited via a symlink attack for local privilege escalation.

**Learning:** Hardcoded `/tmp/` files used with elevated privileges expose systems to symlink attacks, a pattern observed in the OS installation scripts.

**Prevention:** Always use securely generated random directories like `mktemp -d` to stage downloaded files before performing elevated operations.
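Review bot: the Learning and Prevention lines attribute the protection to the random name, but the property that actually defeats the symlink attack described in the Vulnerability line is that `mktemp -d` creates a directory owned by the caller with mode 0700, so no other local user can pre-create or replace an entry inside it, whereas a fixed name such as `/tmp/yq` sits directly in the world-writable `/tmp`; consider stating that in the Prevention line. The entry also lists no integrity check of the downloaded `yq` (checksum or signature) as a prevention step; staging the file privately fixes the race but says nothing about what was fetched, so it is worth recording as a second lesson.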

Comment on lines +1 to +4

⚠️ Potential issue | 🟡 Minor

Address markdownlint failures flagged by static analysis.

The linter flags several issues:

  • Missing top-level # heading (MD041)
  • Heading not surrounded by blank lines (MD022)
  • Lines 2-4 exceed the 80-character limit (MD013)
πŸ“ Proposed fix to address lint failures
+# Sentinel Journal
+
 ## 2024-05-24 - Predictable Temporary File Path in Sudo Operations
-**Vulnerability:** The script `tools/os_installers/apt.sh` downloaded `yq` to a hardcoded predictable temporary path (`/tmp/yq`) and then moved it using elevated privileges (`sudo mv`). This could be exploited via a symlink attack for local privilege escalation.
-**Learning:** Hardcoded `/tmp/` files used with elevated privileges expose systems to symlink attacks, a pattern observed in the OS installation scripts.
-**Prevention:** Always use securely generated random directories like `mktemp -d` to stage downloaded files before performing elevated operations.
+
+**Vulnerability:** The script `tools/os_installers/apt.sh` downloaded `yq` to a
+hardcoded predictable temporary path (`/tmp/yq`) and then moved it using
+elevated privileges (`sudo mv`). This could be exploited via a symlink attack
+for local privilege escalation.
+
+**Learning:** Hardcoded `/tmp/` files used with elevated privileges expose
+systems to symlink attacks, a pattern observed in the OS installation scripts.
+
+**Prevention:** Always use securely generated random directories like
+`mktemp -d` to stage downloaded files before performing elevated operations.
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
## 2024-05-24 - Predictable Temporary File Path in Sudo Operations
**Vulnerability:** The script `tools/os_installers/apt.sh` downloaded `yq` to a hardcoded predictable temporary path (`/tmp/yq`) and then moved it using elevated privileges (`sudo mv`). This could be exploited via a symlink attack for local privilege escalation.
**Learning:** Hardcoded `/tmp/` files used with elevated privileges expose systems to symlink attacks, a pattern observed in the OS installation scripts.
**Prevention:** Always use securely generated random directories like `mktemp -d` to stage downloaded files before performing elevated operations.
# Sentinel Journal
## 2024-05-24 - Predictable Temporary File Path in Sudo Operations
**Vulnerability:** The script `tools/os_installers/apt.sh` downloaded `yq` to a
hardcoded predictable temporary path (`/tmp/yq`) and then moved it using
elevated privileges (`sudo mv`). This could be exploited via a symlink attack
for local privilege escalation.
**Learning:** Hardcoded `/tmp/` files used with elevated privileges expose
systems to symlink attacks, a pattern observed in the OS installation scripts.
**Prevention:** Always use securely generated random directories like
`mktemp -d` to stage downloaded files before performing elevated operations.
🧰 Tools
🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 146] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 153] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 262] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2024-05-24 - Predictable Te..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md


[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2024-05-24 - Predictable Temporary File Path in Sudo Operations"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, Add a top-level H1 (e.g., "#
Sentinel") to satisfy MD041, ensure the existing heading "2024-05-24 -
Predictable Temporary File Path in Sudo Operations" is surrounded by blank lines
to satisfy MD022, and wrap/reflow lines longer than 80 characters (MD013) by
splitting the long description and the Prevention line into shorter sentences or
bullet points; keep the reference to tools/os_installers/apt.sh intact when
reflowing so the file path remains clear.
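The staging pattern the journal entry above prescribes, written out as an added shell example; it is not the repository's `apt.sh`, and the function names `stage_and_install`, `_verify_and_install` and `demo_offline` are assumptions. It goes beyond the entry by also checking the fetch result and a SHA-256 digest before the single privileged step.

```shell
#!/bin/sh
# Added example, not the repository's apt.sh. Function names are assumptions.
# Usage: stage_and_install <dest_path> <expected_sha256> <fetch_cmd...>
# fetch_cmd is run with the staging path appended, e.g.: wget -q "$URL" -O
stage_and_install() {
    tmp_dir=$(mktemp -d) || return 1   # private dir: mode 0700, owned by caller
    if _verify_and_install "$tmp_dir" "$@"; then rc=0; else rc=$?; fi
    rm -rf "$tmp_dir"                  # always clean up, on success or failure
    return $rc
}

_verify_and_install() {
    tmp_dir="$1"; dest="$2"; expected="$3"; shift 3
    staged="$tmp_dir/$(basename "$dest")"
    if ! "$@" "$staged"; then
        echo "fetch failed" >&2; return 1
    fi
    # wget -O leaves an empty file behind on failure, so insist on a payload
    if [ ! -f "$staged" ] || [ ! -s "$staged" ]; then
        echo "staged file missing or empty" >&2; return 1
    fi
    actual=$(sha256sum "$staged" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $staged" >&2; return 1
    fi
    # The one step a real installer would run under sudo: copy + mode at once
    install -m 0755 "$staged" "$dest"
}

# Offline check with a constructed payload: the correct digest installs, a
# wrong digest is refused and leaves nothing behind. Returns 0 on success.
demo_offline() {
    work=$(mktemp -d); mkdir "$work/bin"
    printf 'constructed sample binary\n' > "$work/src"
    good=$(sha256sum "$work/src" | cut -d' ' -f1)
    copy_fetch() { cp "$work/src" "$1"; }   # stands in for wget, no network
    result=1
    if stage_and_install "$work/bin/yq" "$good" copy_fetch &&
       [ -x "$work/bin/yq" ] &&
       ! stage_and_install "$work/bin/yq2" deadbeef copy_fetch 2>/dev/null &&
       [ ! -e "$work/bin/yq2" ]; then
        result=0
    fi
    rm -rf "$work"
    return $result
}
```

In the real script only the `install` line needs `sudo`; everything before it runs as the invoking user inside the private directory.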

6 changes: 4 additions & 2 deletions tools/os_installers/apt.sh
Expand Up @@ -231,8 +231,10 @@ fi
echo "Installing yq..."
if ! command -v yq &> /dev/null; then
YQ_VERSION="v4.44.6"
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq
sudo mv /tmp/yq /usr/local/bin/yq
TMP_DIR=$(mktemp -d)
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"
sudo mv "$TMP_DIR/yq" /usr/local/bin/yq
rm -rf "$TMP_DIR"
sudo chmod +x /usr/local/bin/yq
fi
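Review bot: the result of the new `wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"` line is not checked before `sudo mv "$TMP_DIR/yq" /usr/local/bin/yq`; `wget -O` leaves an empty file when the download fails, so unless the script already runs under `set -e` a failed fetch installs an empty `/usr/local/bin/yq` that the following `sudo chmod +x` then marks executable. Suggest `wget ... || { rm -rf "$TMP_DIR"; exit 1; }` (or a `trap 'rm -rf "$TMP_DIR"' EXIT` so cleanup also happens on early exit) and a digest comparison against a published checksum before the `sudo mv`; the `mktemp -d` staging fixes the symlink race but does not verify what was downloaded. Minor: `sudo mv` plus `sudo chmod +x` can be a single `sudo install -m 0755 "$TMP_DIR/yq" /usr/local/bin/yq`.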
