Skip to content

fix: restrict decrypt output file permissions to 0600#108

Merged
mssabr01 merged 1 commit into
mainfrom
fix/eng-2291-decrypt-output-permissions
Jul 2, 2026
Merged

fix: restrict decrypt output file permissions to 0600#108
mssabr01 merged 1 commit into
mainfrom
fix/eng-2291-decrypt-output-permissions

Conversation

@valet-valet-turnkey-dev

Copy link
Copy Markdown

Summary

Fixes Cure53 audit finding TUR-02-002 (ENG-2291).

Problem

The writeFile() helper in src/cmd/turnkey/pkg/root.go wrote output files with 0644 permissions. This means any user on the system can read files written by the decrypt command, including decrypted private keys and mnemonics.

Fix

Change the permission mode from 0644 to 0600 (owner read/write only). This is the only file-write call site in the CLI; no other permissive modes were found.

References

  • Cure53 audit finding: TUR-02-002
  • Linear: ENG-2291

@mssabr01 mssabr01 marked this pull request as ready for review July 1, 2026 18:27
Cure53 audit finding TUR-02-002: the writeFile() helper used by the
decrypt command created output files with 0644 permissions, making
decrypted plaintext (private keys, mnemonics) readable by other users
on the system.

Change the permission mode from 0644 to 0600 (owner read/write only)
so that sensitive output files are not world- or group-readable.
@mssabr01 mssabr01 force-pushed the fix/eng-2291-decrypt-output-permissions branch from 4904082 to f4a008a Compare July 1, 2026 18:29
@mssabr01 mssabr01 merged commit a445483 into main Jul 2, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants