🛡️ Sentinel: [HIGH] Fix TOCTOU vulnerability in chmod

.jules/sentinel.md

@@ -31,3 +31,7 @@
 **Vulnerability:** External shell command executed in `listLocalSnapshots()` triggered a deadlock when `tmutil` output exceeded 64KB, because stdout and stderr were read synchronously inside the process termination handler.
 **Learning:** In Swift, reading from a process pipe synchronously inside a `terminationHandler` can result in a permanent deadlock if the child blocks writing to a full pipe, preventing it from exiting.
 **Prevention:** Asynchronously drain pipes continuously while the process is running using background queues.
+## 2024-05-22 - TOCTOU Symlink Vulnerability via chmod
+**Vulnerability:** Calling `chmod()` on a file path directly is susceptible to Time-of-Check to Time-of-Use (TOCTOU) symlink attacks.
+**Learning:** An attacker can replace the target file with a symlink between the check and the `chmod` execution, tricking the application into altering the permissions of an unintended file.
+**Prevention:** Use `open(2)` with the `O_NOFOLLOW` flag to safely obtain a file descriptor without resolving symlinks, and then apply permissions using `fchmod()`.

Sources/Cacheout/Headless/DaemonMode.swift

@@ -966,8 +966,15 @@ public actor DaemonMode: StatusSocket.DataSource {
             return
         }
 
-        // Enforce 0600 permissions
-        chmod(path, 0o600)
+        // Enforce 0600 permissions securely (prevent TOCTOU symlink attacks)
+        URL(fileURLWithPath: path).withUnsafeFileSystemRepresentation { pathPtr in
+            guard let ptr = pathPtr else { return }
+            let fd = open(ptr, O_RDONLY | O_NOFOLLOW | O_CLOEXEC)
+            if fd >= 0 {
+                fchmod(fd, 0o600)
+                close(fd)
+            }
+        }
 
         // Read file
         guard let data = FileManager.default.contents(atPath: path) else {