Skip to content

fix: restrict decrypt output file permissions to 0600#108

Draft
valet-valet-turnkey-dev[bot] wants to merge 1 commit into
mainfrom
fix/eng-2291-decrypt-output-permissions
Draft

fix: restrict decrypt output file permissions to 0600#108
valet-valet-turnkey-dev[bot] wants to merge 1 commit into
mainfrom
fix/eng-2291-decrypt-output-permissions

Conversation

@valet-valet-turnkey-dev

@valet-valet-turnkey-dev valet-valet-turnkey-dev Bot commented Jun 24, 2026

Copy link
Copy Markdown

Summary

Fixes Cure53 audit finding TUR-02-002 (ENG-2291).

Problem

The writeFile() helper in src/cmd/turnkey/pkg/root.go wrote output files with 0644 permissions. This means any user on the system can read files written by the decrypt command, including decrypted private keys and mnemonics.

Fix

Change the permission mode from 0644 to 0600 (owner read/write only). This is the only file-write call site in the CLI; no other permissive modes were found.

References

  • Cure53 audit finding: TUR-02-002
  • Linear: ENG-2291

@mssabr01
fix: restrict decrypt output file permissions to 0600
4904082 
Cure53 audit finding TUR-02-002: the writeFile() helper used by the
decrypt command created output files with 0644 permissions, making
decrypted plaintext (private keys, mnemonics) readable by other users
on the system.

Change the permission mode from 0644 to 0600 (owner read/write only)
so that sensitive output files are not world- or group-readable.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mssabr01