Bug 1647485

Summary: Undocumented (/usr)?/sbin/nologin removal from /etc/shells breaks common vsftpd configuration
Product: Red Hat Enterprise Linux 7 Reporter: Robert Scheck <redhat-bugzilla>
Component: Red_Hat_Enterprise_Linux-Release_Notes-7-en-USAssignee: Lenka Špačková <lkuprova>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: high Docs Contact: Marie Hornickova <mdolezel>
Priority: unspecified    
Version: 7.6CC: kdudka, lkuprova, ovasik, pasik, rhel-docs, robert.scheck, roy-orbison
Target Milestone: rcKeywords: Documentation, Regression
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Known Issue
Doc Text:
FTP-based logins are unavailable for a common *vsftpd* configuration This update removes the `/sbin/nologin` and `/usr/sbin/nologin` login shells from the `/etc/shells` file due to security reasons. Consequently, when the configuration of the Very Secure File Transfer Protocol Daemon, *vsftpd*, is modified to enable the `chroot_local_user`, FTP logins are impossible. To work around this problem, add `/sbin/nologin` or `/usr/sbin/nologin`, respectively, to the `/etc/shells` file. As a result, a login shell for users that are allowed to use FTP, but not SSH, is available again. However, note that this workaround exposes *vsftpd* to the security risk described at https://access.redhat.com/security/cve/cve-2018-1113.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-11-16 12:48:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Robert Scheck 2018-11-07 15:18:10 UTC 
Description of problem:
Before setup-2.8.71-10.el7, (/usr)?/sbin/nologin was part of /etc/shells,
even its removal was requested e.g. via bug #1277219 in the past. However
setup-2.8.71-10.el7 silently removes (/usr)?/sbin/nologin from /etc/shells
without having this documented in "Release Notes for Red Hat Enterprise
Linux 7.6" [1], which is just bad.

Additionally, this undocumented change breaks a common vsftpd setup, as
there can be Linux system users, which shall be allowed to use FTP, but not
SSH. Before this breaking change, /sbin/nologin was the login shell of such
a user, while vsftpd configuration was:

--- snipp ---
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
use_localtime=YES
chroot_local_user=YES
allow_writeable_chroot=YES
--- snapp ---

After this breaking change, FTP logins are no longer possible. Of course it
is a workaround to re-add (/usr)?/sbin/nologin to /etc/shells, but this still
leaves the intentions for this change open (and whether there is any better
solution). Unfortunately, "check_shell=NO" in vsftpd only works for non-PAM
builds, which leaves the question if it's clever to remove pam_shells.so line
in /etc/pam.d/vsftpd instead.

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/7.6_release_notes/index

Version-Release number of selected component (if applicable):
setup-2.8.71-9.el7
setup-2.8.71-10.el7

How reproducible:
Everytime, see above.

Actual results:
Undocumented change without any explanation or documentation in release
notes.

Expected results:
a) Documentation and explanation/justification why this change happened in 
   difference to the rejection of bug #1277219 which requested same already 
   earlier.
b) Documentation of a suitable workaround for vsftpd
Comment 2 Robert Scheck 2018-11-07 15:22:01 UTC 
Cross-filed case 02248156 at the Red Hat customer portal.
Comment 4 Kamil Dudka 2018-11-07 15:31:14 UTC 
I believe it was documented in the Security Advisory:

https://access.redhat.com/errata/RHSA-2018:3249
Comment 5 Robert Scheck 2018-11-07 15:42:00 UTC 
I partially agree to that, because bug #1571104 as mentioned in %changelog
is not public, and the CVE is not mentioned in %changelog either. And as it
is shipped along with RHEL 7.6, a small mentioning (one line?) in release
notes of RHEL 7.6 still would have been appreciated, and likely would have
not hurt.

Anyway, that change (documented or not) still leaves a broken vsftpd setup,
after upgrading to setup-2.8.71-10.el7.
Comment 6 Ondrej Vasik 2018-11-07 16:02:31 UTC 
Documentation can be changed post-release, I'll ask docs team to consider change in 7.6 release documentation to document this...
Comment 14 Lenka Špačková 2018-11-16 12:48:09 UTC 
Hi Robert,
Thank you very much for your feedback. I agree such changes should be documented. I have added a note to the RHEL 7.6 Release Notes:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/known_issues_servers_and_services#BZ1647485

Please let me know if you have any other suggestions for improvement.
Thank you!
Comment 15 Roy 2018-11-27 08:27:39 UTC 
For a workaround to vsftpd login failures that doesn't expose your system to the cited CVE, and retains the benefits of system user account separation, read from "Virtual users with TLS/SSL/FTPS and a common upload directory - Complicated vsftpd" on https://ubuntuforums.org/showthread.php?t=518293, but implement home directories using the section "System users as a virtual user with non-system password" as a guide.

That has enabled me to have users that keep nologin as their shell, leave it out of /etc/shells, and provide the same FTP access.