fix(security): remove shell usage from user password setup

Replace shell=True password generation and usermod calls with
argv-based subprocess calls, generate temporary passwords with Python
secrets, and enable Ruff S602 as a static security gate.

Author: I-am-PUID-0

pyproject.toml

@@ -58,7 +58,7 @@ include = ["api/**/*.py", "utils/**/*.py", "tests/**/*.py", "scripts/**/*.py"]
 [tool.ruff.lint]
 # Start with fatal correctness checks that are feasible on the existing tree.
 # Expand this set as legacy style/import/typing issues are cleaned up.
-select = ["E9", "F63", "F7", "F82", "S113"]
+select = ["E9", "F63", "F7", "F82", "S113", "S602"]
 
 [tool.ruff.lint.per-file-ignores]
 "tests/**/*.py" = ["E402"]

tests/test_user_management.py

@@ -0,0 +1,80 @@
+import importlib
+import sys
+import types
+import unittest
+
+
+def _install_stubs():
+    config_loader = types.ModuleType("utils.config_loader")
+    config_loader.CONFIG_MANAGER = types.SimpleNamespace(
+        get=lambda key, default=None: {"puid": 1000, "pgid": 1000}.get(key, default)
+    )
+    sys.modules["utils.config_loader"] = config_loader
+
+    global_logger = types.ModuleType("utils.global_logger")
+    global_logger.logger = types.SimpleNamespace(
+        debug=lambda *args, **kwargs: None,
+        error=lambda *args, **kwargs: None,
+        info=lambda *args, **kwargs: None,
+        warning=lambda *args, **kwargs: None,
+    )
+    sys.modules["utils.global_logger"] = global_logger
+
+
+_install_stubs()
+sys.modules.pop("utils.user_management", None)
+user_management = importlib.import_module("utils.user_management")
+
+
+class UserManagementSecurityTests(unittest.TestCase):
+    def test_hash_user_password_uses_stdin_without_shell(self):
+        calls = []
+
+        def fake_run(*args, **kwargs):
+            calls.append((args, kwargs))
+            return types.SimpleNamespace(stdout="$6$hashed\n")
+
+        original_run = user_management.subprocess.run
+        user_management.subprocess.run = fake_run
+        try:
+            hashed = user_management._hash_user_password("raw-password")
+        finally:
+            user_management.subprocess.run = original_run
+
+        self.assertEqual(hashed, "$6$hashed")
+        self.assertEqual(calls[0][0][0], ["openssl", "passwd", "-6", "-stdin"])
+        self.assertEqual(calls[0][1]["input"], "raw-password")
+        self.assertTrue(calls[0][1]["capture_output"])
+        self.assertTrue(calls[0][1]["text"])
+        self.assertTrue(calls[0][1]["check"])
+        self.assertNotIn("shell", calls[0][1])
+
+    def test_set_user_password_uses_argument_list_without_shell(self):
+        calls = []
+
+        def fake_run(*args, **kwargs):
+            calls.append((args, kwargs))
+            return types.SimpleNamespace(returncode=0)
+
+        original_run = user_management.subprocess.run
+        user_management.subprocess.run = fake_run
+        try:
+            user_management._set_user_password("dumb", "$6$hashed")
+        finally:
+            user_management.subprocess.run = original_run
+
+        self.assertEqual(calls[0][0][0], ["usermod", "-p", "$6$hashed", "dumb"])
+        self.assertTrue(calls[0][1]["check"])
+        self.assertNotIn("shell", calls[0][1])
+
+    def test_generate_user_password_returns_nonempty_random_string(self):
+        first = user_management._generate_user_password()
+        second = user_management._generate_user_password()
+
+        self.assertIsInstance(first, str)
+        self.assertGreaterEqual(len(first), 16)
+        self.assertNotEqual(first, second)
+
+
+if __name__ == "__main__":
+    unittest.main()

utils/user_management.py

@@ -1,12 +1,31 @@
 from utils.config_loader import CONFIG_MANAGER as config
 from utils.global_logger import logger
 from concurrent.futures import ThreadPoolExecutor
-import multiprocessing, os, time, grp, pwd, subprocess, shutil
+import multiprocessing, os, time, grp, pwd, subprocess, shutil, secrets
 
 user_id = config.get("puid")
 group_id = config.get("pgid")
 
 
+def _generate_user_password():
+    return secrets.token_urlsafe(18)
+
+
+def _hash_user_password(user_password):
+    result = subprocess.run(
+        ["openssl", "passwd", "-6", "-stdin"],
+        input=user_password,
+        capture_output=True,
+        text=True,
+        check=True,
+    )
+    return result.stdout.strip()
+
+
+def _set_user_password(username, hashed_password):
+    subprocess.run(["usermod", "-p", hashed_password, username], check=True)
+
+
 def chown_single(path, user_id, group_id):
     try:
         stat_info = os.stat(path)
@@ -244,19 +263,9 @@ def create_system_user(username="DUMB"):
             f"Writing to /etc/passwd took {passwd_write_end - passwd_write_start:.2f} seconds"
         )
 
-        user_password = (
-            subprocess.check_output("openssl rand -base64 12", shell=True)
-            .decode()
-            .strip()
-        )
-        hashed_password = (
-            subprocess.check_output(f"openssl passwd -6 {user_password}", shell=True)
-            .decode()
-            .strip()
-        )
-        subprocess.run(
-            f"usermod -p '{hashed_password}' {username}", shell=True, check=True
-        )
+        user_password = _generate_user_password()
+        hashed_password = _hash_user_password(user_password)
+        _set_user_password(username, hashed_password)
         logger.info(f"Password set for user '{username}'. Stored securely in memory.")
 
         zurg_dir = "/zurg"