🛡️ Sentinel: [CRITICAL] Fix TOCTOU vulnerability in file permissions

.jules/sentinel.md

@@ -31,3 +31,7 @@
 **Vulnerability:** External shell command executed in `listLocalSnapshots()` triggered a deadlock when `tmutil` output exceeded 64KB, because stdout and stderr were read synchronously inside the process termination handler.
 **Learning:** In Swift, reading from a process pipe synchronously inside a `terminationHandler` can result in a permanent deadlock if the child blocks writing to a full pipe, preventing it from exiting.
 **Prevention:** Asynchronously drain pipes continuously while the process is running using background queues.
+## 2024-05-24 - TOCTOU Vulnerability via FileManager Attributes
+**Vulnerability:** Found `FileManager.default.setAttributes` used to set permissions on directories and files, exposing a Time-of-Check to Time-of-Use (TOCTOU) symlink vulnerability.
+**Learning:** `FileManager.default.setAttributes` internally calls `chmod`, which follows symlinks. An attacker can swap the target with a symlink between creation and permission setting, potentially granting elevated privileges to unintended files.
+**Prevention:** Avoid `FileManager.default.setAttributes` when hardening file or directory permissions. Instead, securely obtain a file descriptor using `open()` with `O_NOFOLLOW` (and `O_CLOEXEC`), and then apply permissions using `fchmod()`.

Sources/Cacheout/Headless/DaemonMode.swift

@@ -295,10 +295,19 @@ public actor DaemonMode: StatusSocket.DataSource {
                 withIntermediateDirectories: true,
                 attributes: [.posixPermissions: 0o700]
             )
-            try FileManager.default.setAttributes(
-                [.posixPermissions: 0o700],
-                ofItemAtPath: config.stateDir.path
-            )
+
+            // Safely set directory permissions using open(2) and fchmod(2)
+            // to prevent TOCTOU symlink attacks.
+            let success = config.stateDir.withUnsafeFileSystemRepresentation { pathPtr -> Bool in
+                guard let ptr = pathPtr else { return false }
+                let fd = open(ptr, O_RDONLY | O_NOFOLLOW | O_CLOEXEC)
+                guard fd >= 0 else { return false }
+                defer { close(fd) }
+                return fchmod(fd, S_IRWXU) == 0
+            }
+            if !success {
+                throw NSError(domain: NSPOSIXErrorDomain, code: Int(errno), userInfo: nil)
+            }
         } catch {
             logger.error("Failed to create/secure state directory: \(error.localizedDescription, privacy: .public)")
             Foundation.exit(1)

Sources/Cacheout/Headless/StatusSocket.swift

@@ -109,7 +109,19 @@ public final class StatusSocket: @unchecked Sendable {
         try FileManager.default.createDirectory(atPath: dir, withIntermediateDirectories: true, attributes: [
             .posixPermissions: 0o700
         ])
-        try FileManager.default.setAttributes([.posixPermissions: 0o700], ofItemAtPath: dir)
+
+        // Safely set directory permissions using open(2) and fchmod(2)
+        // to prevent TOCTOU symlink attacks where an attacker swaps the directory.
+        let success = URL(fileURLWithPath: dir).withUnsafeFileSystemRepresentation { pathPtr -> Bool in
+            guard let ptr = pathPtr else { return false }
+            let fd = open(ptr, O_RDONLY | O_NOFOLLOW | O_CLOEXEC)
+            guard fd >= 0 else { return false }
+            defer { close(fd) }
+            return fchmod(fd, S_IRWXU) == 0
+        }
+        if !success {
+            throw StatusSocketError.socketCreationFailed(errno)
+        }
 
         // Remove stale socket if present
         unlink(socketPath)
@@ -157,6 +169,8 @@ public final class StatusSocket: @unchecked Sendable {
         }
 
         // Verify socket permissions are 0600
+        // (Note: The parent directory is strictly 0700, protecting against symlink planting.
+        // We cannot use open(2) on a socket file on macOS, so we rely on umask and chmod).
         do {
             let attrs = try FileManager.default.attributesOfItem(atPath: socketPath)
             if let perms = attrs[.posixPermissions] as? Int, perms != 0o600 {

Sources/CacheoutHelperLib/SysctlJournal.swift

@@ -307,14 +307,22 @@ public final class SysctlJournal {
         do {
             let data = try PropertyListEncoder().encode(state)
 
-            // Write to temp file (non-atomic — we control the rename ourselves).
-            try data.write(to: tmpURL)
-
-            // Set permissions to 0600 (root-only) on temp file before rename.
-            try FileManager.default.setAttributes(
-                [.posixPermissions: 0o600],
-                ofItemAtPath: tmpURL.path
-            )
+            // Write to temp file securely using open(2) with O_CREAT and 0600 permissions
+            // to avoid TOCTOU vulnerability where file is briefly accessible before chmod.
+            let success = tmpURL.withUnsafeFileSystemRepresentation { pathPtr -> Bool in
+                guard let ptr = pathPtr else { return false }
+                let fd = open(ptr, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR)
+                guard fd >= 0 else { return false }
+                let bytesWritten = data.withUnsafeBytes { buffer in
+                    write(fd, buffer.baseAddress, buffer.count)
+                }
+                close(fd)
+                return bytesWritten == data.count
+            }
+            guard success else {
+                try? FileManager.default.removeItem(at: tmpURL)
+                throw NSError(domain: NSPOSIXErrorDomain, code: Int(errno), userInfo: nil)
+            }
 
             // Atomic rename(2) — atomicity on APFS/HFS+.
             if rename(tmpURL.path, url.path) != 0 {