Bug 1647485 - Undocumented (/usr)?/sbin/nologin removal from /etc/shells breaks common vsftpd configuration
Summary: Undocumented (/usr)?/sbin/nologin removal from /etc/shells breaks common vsft...
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: Red_Hat_Enterprise_Linux-Release_Notes-7-en-US
Version: 7.6
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Lenka Špačková
QA Contact: Marie Hornickova
Depends On:
Reported: 2018-11-07 15:18 UTC by Robert Scheck
Modified: 2019-03-06 00:58 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
FTP-based logins are unavailable for a common *vsftpd* configuration

This update removes the `/sbin/nologin` and `/usr/sbin/nologin` login shells from the `/etc/shells` file for security reasons. Consequently, when the configuration of the Very Secure File Transfer Protocol Daemon, *vsftpd*, is modified to enable the `chroot_local_user` option, FTP logins are impossible for users whose login shell is `nologin`. To work around this problem, add `/sbin/nologin` or `/usr/sbin/nologin`, respectively, to the `/etc/shells` file. As a result, a login shell for users that are allowed to use FTP, but not SSH, is available again. However, note that this workaround exposes *vsftpd* to the security risk described at https://access.redhat.com/security/cve/cve-2018-1113.
Clone Of:
Last Closed: 2018-11-16 12:48:09 UTC
Target Upstream Version:


Description Robert Scheck 2018-11-07 15:18:10 UTC
Description of problem:
Before setup-2.8.71-10.el7, (/usr)?/sbin/nologin was part of /etc/shells,
even though its removal was requested e.g. via bug #1277219 in the past. However,
setup-2.8.71-10.el7 silently removes (/usr)?/sbin/nologin from /etc/shells
without having this documented in "Release Notes for Red Hat Enterprise
Linux 7.6" [1], which is just bad.

Additionally, this undocumented change breaks a common vsftpd setup, as
there can be Linux system users that should be allowed to use FTP, but not
SSH. Before this breaking change, /sbin/nologin was the login shell of such
a user, while the vsftpd configuration was:

--- snipp ---
--- snapp ---

After this breaking change, FTP logins are no longer possible. Of course it
is a workaround to re-add (/usr)?/sbin/nologin to /etc/shells, but this still
leaves the intentions behind this change open (and whether there is any better
solution). Unfortunately, "check_shell=NO" in vsftpd only works for non-PAM
builds, which leaves the question of whether it's clever to remove the pam_shells.so
line in /etc/pam.d/vsftpd instead.

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/7.6_release_notes/index

Version-Release number of selected component (if applicable):

How reproducible:
Every time, see above.

Actual results:
Undocumented change without any explanation or documentation in release

Expected results:
a) Documentation and explanation/justification why this change happened in 
   difference to the rejection of bug #1277219 which requested same already 
b) Documentation of a suitable workaround for vsftpd
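
To make the failure mode described above concrete, the following is an added example (not from the bug report, vsftpd, or Linux-PAM) that emulates the check pam_shells.so applies: a user's login shell must appear verbatim in /etc/shells, and lines not beginning with "/" are ignored, as getusershell(3) does. The two /etc/shells contents (before and after the setup-2.8.71-10.el7 update), the user list, and the function names are constructed assumptions for illustration, not copied from a RHEL system; the exact-match rule is a simplification of the real library behaviour.

```shell
#!/bin/bash
# Added example: emulate the pam_shells.so check so the effect of dropping
# nologin from /etc/shells on FTP-only users can be seen offline.
# Everything below is constructed sample data, not a real host's files.

set -u

# Constructed /etc/shells as shipped before setup-2.8.71-10.el7 (nologin listed).
SHELLS_OLD=$(mktemp)
cat >"$SHELLS_OLD" <<'EOF'
/bin/sh
/bin/bash
/sbin/nologin
/usr/bin/sh
/usr/bin/bash
/usr/sbin/nologin
EOF

# Constructed /etc/shells after the update (nologin entries removed).
SHELLS_NEW=$(mktemp)
cat >"$SHELLS_NEW" <<'EOF'
/bin/sh
/bin/bash
/usr/bin/sh
/usr/bin/bash
EOF
trap 'rm -f "$SHELLS_OLD" "$SHELLS_NEW"' EXIT

# shell_listed SHELL SHELLS_FILE -> exit 0 if the emulated pam_shells check
# would accept SHELL. Simplified getusershell(3): only lines starting with "/"
# count, and the match is exact (no globbing, no trailing-space tolerance).
shell_listed() {
    local shell=$1 file=$2 line
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            /*) [ "$line" = "$shell" ] && return 0 ;;
        esac
    done <"$file"
    return 1
}

# Constructed users as "name:shell" (on a real host this would come from
# getent passwd). The FTP-only users carry nologin as their login shell.
USERS='alice:/bin/bash
ftpuser:/sbin/nologin
ftpuser2:/usr/sbin/nologin'

# blocked_users SHELLS_FILE -> prints, one per line, the users whose FTP login
# the pam_shells line in /etc/pam.d/vsftpd would reject with that file.
blocked_users() {
    local file=$1 name shell
    printf '%s\n' "$USERS" | while IFS=: read -r name shell; do
        shell_listed "$shell" "$file" || printf '%s\n' "$name"
    done
}

# add_nologin SHELLS_FILE -> the workaround from the report: append both
# nologin paths back to the file (idempotent). Note that this reopens the
# exposure tracked as CVE-2018-1113, which is why the entries were removed.
add_nologin() {
    local file=$1 s
    for s in /sbin/nologin /usr/sbin/nologin; do
        shell_listed "$s" "$file" || printf '%s\n' "$s" >>"$file"
    done
}

echo "Blocked before update:"; blocked_users "$SHELLS_OLD"
echo "Blocked after update:";  blocked_users "$SHELLS_NEW"
```

Running it on the constructed data shows no user blocked with the old file and both nologin users blocked with the new one; after add_nologin the FTP-only users authenticate again, which is exactly the trade-off the report and the Doc Text describe.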

Comment 2 Robert Scheck 2018-11-07 15:22:01 UTC
Cross-filed case 02248156 at the Red Hat customer portal.

Comment 4 Kamil Dudka 2018-11-07 15:31:14 UTC
I believe it was documented in the Security Advisory:


Comment 5 Robert Scheck 2018-11-07 15:42:00 UTC
I partially agree with that, because bug #1571104 as mentioned in %changelog
is not public, and the CVE is not mentioned in %changelog either. And as it
is shipped along with RHEL 7.6, a small mention (one line?) in the release
notes of RHEL 7.6 still would have been appreciated, and likely would not
have hurt.

Anyway, that change (documented or not) still leaves a broken vsftpd setup,
after upgrading to setup-2.8.71-10.el7.

Comment 6 Ondrej Vasik 2018-11-07 16:02:31 UTC
Documentation can be changed post-release, I'll ask the docs team to consider a change in the 7.6 release documentation to document this...

Comment 14 Lenka Špačková 2018-11-16 12:48:09 UTC
Hi Robert,
Thank you very much for your feedback. I agree such changes should be documented. I have added a note to the RHEL 7.6 Release Notes:


Please let me know if you have any other suggestions for improvement.
Thank you!

Comment 15 Roy 2018-11-27 08:27:39 UTC
For a workaround to vsftpd login failures that doesn't expose your system to the cited CVE, and retains the benefits of system user account separation, read from "Virtual users with TLS/SSL/FTPS and a common upload directory - Complicated vsftpd" on https://ubuntuforums.org/showthread.php?t=518293, but implement home directories using the section "System users as a virtual user with non-system password" as a guide.

That has enabled me to have users that keep nologin as their shell, leave it out of /etc/shells, and provide the same FTP access.
