Bug 1647485
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Undocumented (/usr)?/sbin/nologin removal from /etc/shells breaks common vsftpd configuration | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Robert Scheck <redhat-bugzilla> |
| Component | Red_Hat_Enterprise_Linux-Release_Notes-7-en-US | Assignee | Lenka Špačková <lkuprova> |
| Status | CLOSED CURRENTRELEASE | QA Contact | |
| Severity | high | Docs Contact | Marie Hornickova <mdolezel> |
| Priority | unspecified | | |
| Version | 7.6 | CC | kdudka, lkuprova, ovasik, pasik, rhel-docs, robert.scheck, roy-orbison |
| Target Milestone | rc | Keywords | Documentation, Regression |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Known Issue |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2018-11-16 12:48:09 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |

Doc Text:

FTP-based logins are unavailable for a common *vsftpd* configuration

This update removes the `/sbin/nologin` and `/usr/sbin/nologin` login shells from the `/etc/shells` file for security reasons. Consequently, when the configuration of the Very Secure File Transfer Protocol Daemon, *vsftpd*, is modified to enable the `chroot_local_user` option, FTP logins are impossible.

To work around this problem, add `/sbin/nologin` or `/usr/sbin/nologin`, respectively, to the `/etc/shells` file. As a result, a login shell for users that are allowed to use FTP, but not SSH, is available again. However, note that this workaround exposes *vsftpd* to the security risk described at https://access.redhat.com/security/cve/cve-2018-1113.
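The interaction described in the Doc Text can be checked on a host with the audit script below. It is an added example, not code from the bug report or from the setup or vsftpd packages; it assumes `/etc/shells` and `/etc/vsftpd/vsftpd.conf` as the default locations and classifies the host into the "broken logins", "workaround applied" or "neither" state.

```shell
#!/bin/sh
# Audit helper added as an example; it is not part of the bug report or of the
# setup/vsftpd packages. It reads the two files the known issue involves and
# classifies the host into one of three states.
#
# Exit codes:
#   0  nologin is absent from /etc/shells and chroot_local_user is off
#   1  chroot_local_user is on but nologin is not a listed shell: local FTP
#      logins fail as described in the known issue
#   2  nologin is listed in /etc/shells (the documented workaround), so the
#      host is again exposed to the risk tracked as CVE-2018-1113
check_vsftpd_nologin() {
    shells_file="$1"     # normally /etc/shells
    vsftpd_conf="$2"     # normally /etc/vsftpd/vsftpd.conf

    # Whole-line match so that a commented-out or partial path does not count.
    if grep -qxE '/(usr/)?sbin/nologin' "$shells_file" 2>/dev/null; then
        nologin_listed=yes
    else
        nologin_listed=no
    fi

    # vsftpd takes key=value with no spaces; boolean values are case-insensitive.
    # Leading whitespace is tolerated here only to be lenient when auditing.
    if grep -qiE '^[[:space:]]*chroot_local_user=(yes|true|1)[[:space:]]*$' \
            "$vsftpd_conf" 2>/dev/null; then
        chroot_on=yes
    else
        chroot_on=no
    fi

    if [ "$nologin_listed" = yes ]; then
        echo "EXPOSED: nologin is listed in $shells_file (workaround applied; see CVE-2018-1113)"
        return 2
    elif [ "$chroot_on" = yes ]; then
        echo "BROKEN: chroot_local_user=YES in $vsftpd_conf but nologin is not in $shells_file"
        return 1
    fi
    echo "OK: nologin not in $shells_file and chroot_local_user not enabled"
    return 0
}

# Usage: sh audit_nologin.sh /etc/shells /etc/vsftpd/vsftpd.conf
if [ "$#" -eq 2 ]; then
    check_vsftpd_nologin "$1" "$2"
fi
```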
Description
Robert Scheck
2018-11-07 15:18:10 UTC
Cross-filed case 02248156 at the Red Hat customer portal. I believe it was documented in the Security Advisory: https://access.redhat.com/errata/RHSA-2018:3249 I partially agree to that, because bug #1571104 as mentioned in %changelog is not public, and the CVE is not mentioned in %changelog either. And as it is shipped along with RHEL 7.6, a small mentioning (one line?) in release notes of RHEL 7.6 still would have been appreciated, and likely would have not hurt. Anyway, that change (documented or not) still leaves a broken vsftpd setup, after upgrading to setup-2.8.71-10.el7.

Documentation can be changed post-release, I'll ask the docs team to consider a change in the 7.6 release documentation to document this...

Hi Robert, Thank you very much for your feedback. I agree such changes should be documented. I have added a note to the RHEL 7.6 Release Notes: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/known_issues_servers_and_services#BZ1647485 Please let me know if you have any other suggestions for improvement. Thank you!

For a workaround to vsftpd login failures that doesn't expose your system to the cited CVE, and retains the benefits of system user account separation, read from "Virtual users with TLS/SSL/FTPS and a common upload directory - Complicated vsftpd" on https://ubuntuforums.org/showthread.php?t=518293, but implement home directories using the section "System users as a virtual user with non-system password" as a guide. That has enabled me to have users that keep nologin as their shell, leave it out of /etc/shells, and provide the same FTP access.