4 changes: 4 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,4 @@
## 2026-03-12 - Prevent Symlink Attacks in Package Installers
**Vulnerability:** Hardcoded, predictable temporary file paths (e.g., `/tmp/yq`) used prior to `sudo mv` operations for binary installation.
**Learning:** Malicious local users can create symlinks at predictable `/tmp` locations before an installation script executes. When the elevated script (using `sudo`) writes to or moves from these predictable paths, it can be exploited to overwrite critical system files, leading to privilege escalation or denial of service.
**Prevention:** Always use `mktemp -d` to create secure, unpredictable temporary directories for downloading or processing files, especially when running with elevated privileges or performing cross-user operations.
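Review bot: The Prevention entry states the fix but not why it works, which is the part a reader needs to apply the lesson elsewhere; add one sentence saying that `mktemp -d` creates a directory with an unpredictable name and mode 0700, so an unprivileged local user can neither pre-place a symlink at the path the elevated script will write to nor drop a file into the directory before the `sudo mv`. It is also worth recording that the directory must be removed on every exit path (for example `trap 'rm -rf "$TMP_DIR"' EXIT` right after creation), since the lesson concerns the installer pattern as a whole and not only the choice of path.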
Comment on lines +1 to +4
⚠️ Potential issue | 🟡 Minor

Fix the markdownlint failures in this note.

This file currently fails MD041, MD022, and MD013, so the documentation check will stay red until the heading is promoted to H1 and the paragraphs are wrapped.

Proposed fix
-## 2026-03-12 - Prevent Symlink Attacks in Package Installers
-**Vulnerability:** Hardcoded, predictable temporary file paths (e.g., `/tmp/yq`) used prior to `sudo mv` operations for binary installation.
-**Learning:** Malicious local users can create symlinks at predictable `/tmp` locations before an installation script executes. When the elevated script (using `sudo`) writes to or moves from these predictable paths, it can be exploited to overwrite critical system files, leading to privilege escalation or denial of service.
-**Prevention:** Always use `mktemp -d` to create secure, unpredictable temporary directories for downloading or processing files, especially when running with elevated privileges or performing cross-user operations.
+# 2026-03-12 - Prevent Symlink Attacks in Package Installers
+
+**Vulnerability:** Hardcoded, predictable temporary file paths
+(e.g., `/tmp/yq`) used before `sudo mv` operations for binary installation.
+
+**Learning:** Malicious local users can create symlinks at predictable
+`/tmp` locations before an installation script executes. When the elevated
+script uses those paths, it can overwrite critical system files, leading to
+privilege escalation or denial of service.
+
+**Prevention:** Always use `mktemp -d` to create secure, unpredictable
+temporary directories for downloading or processing files, especially when
+running with elevated privileges or performing cross-user operations.
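Review bot: The rewrapped Learning paragraph drops a detail present in the original text: "When the elevated script uses those paths" no longer says that the dangerous operation is the elevated write to, or `sudo mv` from, the predictable path, which is the precise condition that makes the pattern exploitable. Suggest keeping the original wording while wrapping it, e.g. `When the elevated script (using `sudo`) writes to or moves from these` / `predictable paths, it can overwrite critical system files, leading to` / `privilege escalation or denial of service.` The markdownlint-driven changes (H1 heading, blank lines around it, 80-column wrapping) are otherwise correct.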
🧰 Tools
🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 215] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 326] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 140] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2026-03-12 - Prevent Symlin..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md


[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2026-03-12 - Prevent Symlink Attacks in Package Installers"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🪛 LanguageTool

[style] ~2-~2: ‘prior to’ might be wordy. Consider a shorter alternative.
Context: ...orary file paths (e.g., /tmp/yq) used prior to sudo mv operations for binary install...

(EN_WORDINESS_PREMIUM_PRIOR_TO)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, Promote the heading "2026-03-12 -
Prevent Symlink Attacks in Package Installers" from H2 to H1 (change "##" to
"#") to satisfy MD041; then fix MD022/MD013 by wrapping long paragraph lines to
a reasonable width (≤80 chars), removing or consolidating extra blank lines so
there are no multiple consecutive blank lines, and ensure the <details> block
and its summary maintain single blank lines around them and wrapped content;
edit the markdown accordingly to eliminate MD041, MD022, and MD013 failures.

6 changes: 4 additions & 2 deletions tools/os_installers/apt.sh
Expand Up @@ -231,9 +231,11 @@ fi
echo "Installing yq..."
if ! command -v yq &> /dev/null; then
YQ_VERSION="v4.44.6"
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq
sudo mv /tmp/yq /usr/local/bin/yq
TMP_DIR=$(mktemp -d)
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"
sudo mv "$TMP_DIR/yq" /usr/local/bin/yq
sudo chmod +x /usr/local/bin/yq
rm -rf "$TMP_DIR"
fi

# Install lsd (LSDeluxe)
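Review bot: `rm -rf "$TMP_DIR"` only runs when every preceding command succeeds; if `wget` fails (network error, removed release asset), `sudo mv` then fails on a missing source file, the temporary directory is left behind, and if the script does not run under `set -e` execution simply continues past the broken install. Register the cleanup immediately after creation with `trap 'rm -rf "$TMP_DIR"' EXIT` and fail explicitly on the download, e.g. `wget "..." -O "$TMP_DIR/yq" || { echo "yq download failed" >&2; exit 1; }`. The `sudo mv` plus `sudo chmod +x` pair can also be collapsed into `sudo install -m 0755 "$TMP_DIR/yq" /usr/local/bin/yq`, which copies the file and sets its mode in one step. Separate from the symlink fix but visible in the same lines: the binary is still installed without any checksum or signature check against the pinned `YQ_VERSION` release, so the temp-dir change removes the local-user race but not the integrity gap.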