Bug 1647485 - Undocumented (/usr)?/sbin/nologin removal from /etc/shells breaks common vsftpd configuration
Summary: Undocumented (/usr)?/sbin/nologin removal from /etc/shells breaks common vsft...
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: Red_Hat_Enterprise_Linux-Release_Notes-7-en-US
Version: 7.6
Hardware: All
OS: Linux
unspecified
high
Target Milestone: rc
: ---
Assignee: Lenka Špačková
QA Contact:
Marie Dolezelova
URL:
Whiteboard:
Keywords: Documentation, Regression
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-07 15:18 UTC by Robert Scheck
Modified: 2019-03-06 00:58 UTC (History)
7 users (show)

(edit)
FTP-based logins are unavailable for a common *vsftpd* configuration

This update removes the `/sbin/nologin` and `/usr/sbin/nologin` login shells from the `/etc/shells` file due to security reasons. Consequently, when the configuration of the Very Secure File Transfer Protocol Daemon, *vsftpd*, is modified to enable the `chroot_local_user`, FTP logins are impossible. 

To work around this problem, add `/sbin/nologin` or `/usr/sbin/nologin`, respectively, to the `/etc/shells` file. As a result, a login shell for users that are allowed to use FTP, but not SSH, is available again. However, note that this workaround exposes *vsftpd* to the security risk described at https://access.redhat.com/security/cve/cve-2018-1113.
Clone Of:
(edit)
Last Closed: 2018-11-16 12:48:09 UTC


Attachments (Terms of Use)

Description Robert Scheck 2018-11-07 15:18:10 UTC
Description of problem:
Before setup-2.8.71-10.el7, (/usr)?/sbin/nologin was part of /etc/shells,
even its removal was requested e.g. via bug #1277219 in the past. However
setup-2.8.71-10.el7 silently removes (/usr)?/sbin/nologin from /etc/shells
without having this documented in "Release Notes for Red Hat Enterprise
Linux 7.6" [1], which is just bad.

Additionally, this undocumented change breaks a common vsftpd setup, as
there can be Linux system users, which shall be allowed to use FTP, but not
SSH. Before this breaking change, /sbin/nologin was the login shell of such
a user, while vsftpd configuration was:

--- snipp ---
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
use_localtime=YES
chroot_local_user=YES
allow_writeable_chroot=YES
--- snapp ---

After this breaking change, FTP logins are no longer possible. Of course it
is a workaround to re-add (/usr)?/sbin/nologin to /etc/shells, but this still
leaves the intentions for this change open (and whether there is any better
solution). Unfortunately, "check_shell=NO" in vsftpd only works for non-PAM
builds, which leaves the question if it's clever to remove pam_shells.so line
in /etc/pam.d/vsftpd instead.

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/7.6_release_notes/index

Version-Release number of selected component (if applicable):
setup-2.8.71-9.el7
setup-2.8.71-10.el7

How reproducible:
Everytime, see above.

Actual results:
Undocumented change without any explanation or documentation in release
notes.

Expected results:
a) Documentation and explanation/justification why this change happened in 
   difference to the rejection of bug #1277219 which requested same already 
   earlier.
b) Documentation of a suitable workaround for vsftpd

Comment 2 Robert Scheck 2018-11-07 15:22:01 UTC
Cross-filed case 02248156 at the Red Hat customer portal.

Comment 4 Kamil Dudka 2018-11-07 15:31:14 UTC
I believe it was documented in the Security Advisory:

https://access.redhat.com/errata/RHSA-2018:3249

Comment 5 Robert Scheck 2018-11-07 15:42:00 UTC
I partially agree to that, because bug #1571104 as mentioned in %changelog
is not public, and the CVE is not mentioned in %changelog either. And as it
is shipped along with RHEL 7.6, a small mentioning (one line?) in release
notes of RHEL 7.6 still would have been appreciated, and likely would have
not hurt.

Anyway, that change (documented or not) still leaves a broken vsftpd setup,
after upgrading to setup-2.8.71-10.el7.

Comment 6 Ondrej Vasik 2018-11-07 16:02:31 UTC
Documentation can be changed post-release, I'll ask docs team to consider change in 7.6 release documentation to document this...

Comment 14 Lenka Špačková 2018-11-16 12:48:09 UTC
Hi Robert,
Thank you very much for your feedback. I agree such changes should be documented. I have added a note to the RHEL 7.6 Release Notes:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/known_issues_servers_and_services#BZ1647485

Please let me know if you have any other suggestions for improvement.
Thank you!

Comment 15 Roy 2018-11-27 08:27:39 UTC
For a workaround to vsftpd login failures that doesn't expose your system to the cited CVE, and retains the benefits of system user account separation, read from "Virtual users with TLS/SSL/FTPS and a common upload directory - Complicated vsftpd" on https://ubuntuforums.org/showthread.php?t=518293, but implement home directories using the section "System users as a virtual user with non-system password" as a guide.

That has enabled me to have users that keep nologin as their shell, leave it out of /etc/shells, and provide the same FTP access.


Note You need to log in before you can comment on or make changes to this bug.