cacheout-app · acebytes · Jun 13, 2026 · chatgpt-codex-connector · Jun 13, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -31,3 +31,7 @@
 **Vulnerability:** External shell command executed in `listLocalSnapshots()` triggered a deadlock when `tmutil` output exceeded 64KB, because stdout and stderr were read synchronously inside the process termination handler.
 **Learning:** In Swift, reading from a process pipe synchronously inside a `terminationHandler` can result in a permanent deadlock if the child blocks writing to a full pipe, preventing it from exiting.
 **Prevention:** Asynchronously drain pipes continuously while the process is running using background queues.
+## 2026-06-13 - TOCTOU Vulnerability in File Creation
+**Vulnerability:** Found insecure file creation using `Data.write(to:)` followed by `FileManager.default.setAttributes()`, creating a Time-Of-Check to Time-Of-Use window where the file is created with global umask permissions before being restricted.
+**Learning:** `Data.write(to:)` creates files using the process's default umask. For privileged daemons, this exposes temporary files to unprivileged users before permissions are tightened.
+**Prevention:** Use POSIX `open()` with `O_CREAT | O_WRONLY | O_EXCL | O_CLOEXEC` flags and explicitly set the target mode (e.g., `0600`), then wrap the returned file descriptor in a `FileHandle`.
diff --git a/Sources/CacheoutHelperLib/SysctlJournal.swift b/Sources/CacheoutHelperLib/SysctlJournal.swift
@@ -307,14 +307,26 @@ public final class SysctlJournal {
         do {
             let data = try PropertyListEncoder().encode(state)
 
-            // Write to temp file (non-atomic — we control the rename ourselves).
-            try data.write(to: tmpURL)
+            // Remove any stale temp file to prevent O_EXCL failure
+            try? FileManager.default.removeItem(at: tmpURL)
 
-            // Set permissions to 0600 (root-only) on temp file before rename.
-            try FileManager.default.setAttributes(
-                [.posixPermissions: 0o600],
-                ofItemAtPath: tmpURL.path
-            )
+            // Write to temp file securely (0600) to prevent TOCTOU access
+            let fd = tmpURL.withUnsafeFileSystemRepresentation { pathPtr -> Int32 in
+                guard let pathPtr = pathPtr else { return -1 }
+                return open(pathPtr, O_CREAT | O_WRONLY | O_EXCL | O_CLOEXEC, 0o600)
+            }
+            guard fd >= 0 else {
+                return false
+            }
+
+            let handle = FileHandle(fileDescriptor: fd, closeOnDealloc: true)
+            if #available(macOS 10.15.4, *) {
+                try handle.write(contentsOf: data)
+                try handle.close()
+            } else {
+                handle.write(data)
+                handle.closeFile()
+            }
 
             // Atomic rename(2) — atomicity on APFS/HFS+.
             if rename(tmpURL.path, url.path) != 0 {