FTP-based logins are unavailable for a common *vsftpd* configuration
This update removes the `/sbin/nologin` and `/usr/sbin/nologin` login shells from the `/etc/shells` file for security reasons. Consequently, when the Very Secure File Transfer Protocol Daemon, *vsftpd*, is configured with `chroot_local_user` enabled, FTP logins for users whose login shell is `nologin` fail.
To work around this problem, add `/sbin/nologin` or `/usr/sbin/nologin`, respectively, to the `/etc/shells` file. As a result, a login shell for users that are allowed to use FTP, but not SSH, is available again. However, note that this workaround exposes *vsftpd* to the security risk described at https://access.redhat.com/security/cve/cve-2018-1113.
Description of problem:
Before setup-2.8.71-10.el7, (/usr)?/sbin/nologin was part of /etc/shells,
even though its removal had been requested, e.g. via bug #1277219, in the past. However,
setup-2.8.71-10.el7 silently removes (/usr)?/sbin/nologin from /etc/shells
without documenting this in "Release Notes for Red Hat Enterprise
Linux 7.6", which is just bad.
Additionally, this undocumented change breaks a common vsftpd setup, as
there can be Linux system users that shall be allowed to use FTP, but not
SSH. Before this breaking change, /sbin/nologin was the login shell of such
a user, while the vsftpd configuration was:
--- snipp ---
--- snapp ---
After this breaking change, FTP logins are no longer possible. Of course it
is a workaround to re-add (/usr)?/sbin/nologin to /etc/shells, but this still
leaves the intentions for this change open (and whether there is any better
solution). Unfortunately, "check_shell=NO" in vsftpd only works for non-PAM
builds, which leaves the question whether it is clever to remove the pam_shells.so line
in /etc/pam.d/vsftpd instead.
Version-Release number of selected component (if applicable):
Every time, see above.
Undocumented change without any explanation or documentation in release
a) Documentation and explanation/justification of why this change happened, in
contrast to the rejection of bug #1277219, which already requested the same
b) Documentation of a suitable workaround for vsftpd
Cross-filed case 02248156 at the Red Hat customer portal.
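The following script is an added example, not part of the bug report or of the setup/vsftpd packages. It reproduces the check that the pam_shells.so line in /etc/pam.d/vsftpd performs (the user's login shell from /etc/passwd must appear in /etc/shells) against constructed copies of both files, so it runs offline and shows why an FTP-only user with /sbin/nologin is rejected once nologin is dropped from /etc/shells, and passes again after the re-add workaround. The file contents, user names and the PASSWD_FILE/SHELLS_FILE variables are assumptions for the demonstration; point the two variables at the real files to audit a live system.

```shell
#!/bin/sh
# Added example: emulate what pam_shells.so checks for a vsftpd login.
# Everything below uses constructed sample files, not the live system.
set -eu

TMPDIR_DEMO=$(mktemp -d)
trap 'rm -rf "$TMPDIR_DEMO"' EXIT
PASSWD_FILE="$TMPDIR_DEMO/passwd"   # stand-in for /etc/passwd (assumption)
SHELLS_FILE="$TMPDIR_DEMO/shells"   # stand-in for /etc/shells (assumption)

# Constructed sample passwd: one SSH user and one FTP-only user.
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
ftpuser:x:1001:1001:FTP only:/home/ftpuser:/sbin/nologin
EOF

# Constructed /etc/shells as shipped after the change: nologin is absent.
cat > "$SHELLS_FILE" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/bin/sh
/usr/bin/bash
EOF

# login_shell USER -> prints the 7th passwd field; non-zero if USER is unknown.
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; found = 1 } END { exit !found }' "$PASSWD_FILE"
}

# shell_allowed SHELL -> 0 if SHELL is listed in the shells file.
# Comment lines are ignored, matching is exact (no regex, whole line).
shell_allowed() {
    grep -v '^#' "$SHELLS_FILE" | grep -qxF -- "$1"
}

# pam_shells_check USER -> 0 if pam_shells.so would accept the login,
# 1 if it would reject it, 2 if the user does not exist.
pam_shells_check() {
    sh=$(login_shell "$1") || { echo "no such user: $1" >&2; return 2; }
    if shell_allowed "$sh"; then
        echo "$1: shell $sh is in $SHELLS_FILE -> pam_shells passes"
        return 0
    fi
    echo "$1: shell $sh is NOT in $SHELLS_FILE -> pam_shells rejects the login"
    return 1
}

# The workaround from the bug report: re-add both nologin paths.
add_nologin_workaround() {
    printf '%s\n' /sbin/nologin /usr/sbin/nologin >> "$SHELLS_FILE"
}

demo() {
    pam_shells_check alice            # SSH user, unaffected
    pam_shells_check ftpuser || true  # FTP-only user, rejected after the update
    add_nologin_workaround
    pam_shells_check ftpuser          # accepted again with the workaround
}

demo
```

Running it prints the rejection for ftpuser before the workaround and the acceptance after it; the same logic, pointed at the real /etc/passwd and /etc/shells, lists which accounts an upgrade to setup-2.8.71-10.el7 would lock out of vsftpd.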
I believe it was documented in the Security Advisory:
I partially agree with that, because bug #1571104, as mentioned in %changelog,
is not public, and the CVE is not mentioned in %changelog either. And as it
is shipped along with RHEL 7.6, a small mention (one line?) in the release
notes of RHEL 7.6 still would have been appreciated, and likely would have
Anyway, that change (documented or not) still leaves a broken vsftpd setup
after upgrading to setup-2.8.71-10.el7.
Documentation can be changed post-release; I'll ask the docs team to consider a change in the 7.6 release documentation to document this.
Thank you very much for your feedback. I agree such changes should be documented. I have added a note to the RHEL 7.6 Release Notes:
Please let me know if you have any other suggestions for improvement.
For a workaround to vsftpd login failures that doesn't expose your system to the cited CVE, and retains the benefits of system user account separation, read from "Virtual users with TLS/SSL/FTPS and a common upload directory - Complicated vsftpd" on https://ubuntuforums.org/showthread.php?t=518293, but implement home directories using the section "System users as a virtual user with non-system password" as a guide.
That has enabled me to have users that keep nologin as their shell, leave it out of /etc/shells, and provide the same FTP access.