Bug 1647485 - Undocumented (/usr)?/sbin/nologin removal from /etc/shells breaks common vsftpd configuration
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: Red_Hat_Enterprise_Linux-Release_Notes-7-en-US
Version: 7.6
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Lenka Špačková
QA Contact:
Marie Hornickova
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-11-07 15:18 UTC by Robert Scheck
Modified: 2022-03-13 15:59 UTC
CC: 7 users

Fixed In Version:
Doc Type: Known Issue
Doc Text:
FTP-based logins are unavailable for a common *vsftpd* configuration

This update removes the `/sbin/nologin` and `/usr/sbin/nologin` login shells from the `/etc/shells` file for security reasons. Consequently, when the configuration of the Very Secure File Transfer Protocol Daemon, *vsftpd*, is modified to enable `chroot_local_user`, FTP logins are impossible. To work around this problem, add `/sbin/nologin` or `/usr/sbin/nologin`, respectively, to the `/etc/shells` file. As a result, a login shell for users that are allowed to use FTP, but not SSH, is available again. However, note that this workaround exposes *vsftpd* to the security risk described at https://access.redhat.com/security/cve/cve-2018-1113.
Clone Of:
Environment:
Last Closed: 2018-11-16 12:48:09 UTC
Target Upstream Version:
Embargoed:


Description Robert Scheck 2018-11-07 15:18:10 UTC
Description of problem:
Before setup-2.8.71-10.el7, (/usr)?/sbin/nologin was part of /etc/shells,
even though its removal was requested e.g. via bug #1277219 in the past. However,
setup-2.8.71-10.el7 silently removes (/usr)?/sbin/nologin from /etc/shells
without having this documented in "Release Notes for Red Hat Enterprise
Linux 7.6" [1], which is just bad.

Additionally, this undocumented change breaks a common vsftpd setup, as
there can be Linux system users who shall be allowed to use FTP, but not
SSH. Before this breaking change, /sbin/nologin was the login shell of such
a user, while vsftpd configuration was:

--- snipp ---
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
use_localtime=YES
chroot_local_user=YES
allow_writeable_chroot=YES
--- snapp ---

After this breaking change, FTP logins are no longer possible. Of course it
is a workaround to re-add (/usr)?/sbin/nologin to /etc/shells, but this still
leaves the intentions for this change open (and whether there is any better
solution). Unfortunately, "check_shell=NO" in vsftpd only works for non-PAM
builds, which leaves the question whether it's clever to remove the
pam_shells.so line in /etc/pam.d/vsftpd instead.

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/7.6_release_notes/index

Version-Release number of selected component (if applicable):
setup-2.8.71-9.el7
setup-2.8.71-10.el7

How reproducible:
Every time, see above.

Actual results:
Undocumented change without any explanation or documentation in release
notes.

Expected results:
a) Documentation and explanation/justification why this change happened, as
   opposed to the rejection of bug #1277219, which already requested the same
   earlier.
b) Documentation of a suitable workaround for vsftpd
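
The state this report and the release-note workaround describe can be checked with a small audit script. The script below is an added example, not from the bug report and not part of the setup or vsftpd packages: it counts nologin entries in a shells file, lists accounts whose shell is (/usr)?/sbin/nologin, and lists which PAM services under a pam.d directory consult pam_shells.so, because re-adding nologin to /etc/shells is seen by every service that stacks pam_shells.so, not only vsftpd. The sample files it writes are constructed for illustration, and the function names are the script's own.

```shell
#!/bin/sh
# Added audit example; not part of the bug report or the setup package.
# File paths are passed as arguments so the functions run against the
# constructed samples below as well as against the real /etc.

# Count (/usr)?/sbin/nologin entries in a shells file (comments/blank lines ignored).
nologin_in_shells() {
    awk '!/^#/ && /^(\/usr)?\/sbin\/nologin$/ { n++ } END { print n + 0 }' "$1"
}

# Print login names whose shell field is (/usr)?/sbin/nologin, one per line.
nologin_users() {
    awk -F: '$7 ~ /^(\/usr)?\/sbin\/nologin$/ { print $1 }' "$1"
}

# Print the names of PAM services in a pam.d directory that use pam_shells.so.
pam_shells_services() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if grep -q 'pam_shells\.so' "$f"; then
            basename "$f"
        fi
    done
}

# Summary: returns 0 when nologin is absent from the shells file (pam_shells.so
# rejects nologin accounts), 1 when it is listed, i.e. the workaround from the
# release note is active and nologin accounts pass pam_shells.so for every
# listed service.
audit_shells() {
    listed=$(nologin_in_shells "$1")
    users=$(nologin_users "$2" | awk 'END { print NR }')
    services=$(pam_shells_services "$3" | tr '\n' ' ')
    if [ "$listed" -eq 0 ]; then
        echo "OK: nologin not in $1; pam_shells.so rejects $users nologin account(s) for: $services"
        return 0
    fi
    echo "WORKAROUND ACTIVE: nologin in $1 ($listed entries); $users nologin account(s) pass pam_shells.so for: $services"
    return 1
}

# Write constructed sample files (not real system data) into directory $1:
# shells.before (nologin listed, as before setup-2.8.71-10.el7), shells.after
# (nologin removed), a passwd with one FTP-only account, and a pam.d directory
# whose vsftpd service stacks pam_shells.so.
write_samples() {
    printf '%s\n' /bin/sh /bin/bash /sbin/nologin /usr/sbin/nologin > "$1/shells.before"
    printf '%s\n' /bin/sh /bin/bash > "$1/shells.after"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'ftpuser:x:1001:1001:FTP only:/home/ftpuser:/sbin/nologin' \
        'alice:x:1002:1002::/home/alice:/bin/bash' > "$1/passwd"
    mkdir -p "$1/pam.d"
    printf '%s\n' 'auth required pam_shells.so' 'auth required pam_unix.so' > "$1/pam.d/vsftpd"
    printf '%s\n' 'auth required pam_unix.so' > "$1/pam.d/sshd"
}

# Demo on the constructed samples; "|| :" keeps a WORKAROUND ACTIVE result
# from aborting the script when it is run under "sh -e".
dir=$(mktemp -d)
write_samples "$dir"
audit_shells "$dir/shells.before" "$dir/passwd" "$dir/pam.d" || :
audit_shells "$dir/shells.after" "$dir/passwd" "$dir/pam.d" || :
rm -rf "$dir"
```

On a real host the same check is `audit_shells /etc/shells /etc/passwd /etc/pam.d`; a non-zero exit means nologin is listed and the service list printed is the full set affected by that workaround, which is the scope a change review should weigh against the CVE link in the release note.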

Comment 2 Robert Scheck 2018-11-07 15:22:01 UTC
Cross-filed case 02248156 at the Red Hat customer portal.

Comment 4 Kamil Dudka 2018-11-07 15:31:14 UTC
I believe it was documented in the Security Advisory:

https://access.redhat.com/errata/RHSA-2018:3249

Comment 5 Robert Scheck 2018-11-07 15:42:00 UTC
I partially agree with that, because bug #1571104 as mentioned in %changelog
is not public, and the CVE is not mentioned in %changelog either. And as it
is shipped along with RHEL 7.6, a small mention (one line?) in the release
notes of RHEL 7.6 still would have been appreciated, and likely would not
have hurt.

Anyway, that change (documented or not) still leaves a broken vsftpd setup,
after upgrading to setup-2.8.71-10.el7.

Comment 6 Ondrej Vasik 2018-11-07 16:02:31 UTC
Documentation can be changed post-release, I'll ask the docs team to consider a change in the 7.6 release documentation to document this...

Comment 14 Lenka Špačková 2018-11-16 12:48:09 UTC
Hi Robert,
Thank you very much for your feedback. I agree such changes should be documented. I have added a note to the RHEL 7.6 Release Notes:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/known_issues_servers_and_services#BZ1647485

Please let me know if you have any other suggestions for improvement.
Thank you!

Comment 15 Roy 2018-11-27 08:27:39 UTC
For a workaround to vsftpd login failures that doesn't expose your system to the cited CVE, and retains the benefits of system user account separation, read from "Virtual users with TLS/SSL/FTPS and a common upload directory - Complicated vsftpd" on https://ubuntuforums.org/showthread.php?t=518293, but implement home directories using the section "System users as a virtual user with non-system password" as a guide.

That has enabled me to have users that keep nologin as their shell, leave it out of /etc/shells, and provide the same FTP access.
