On Thu, 10 Jan 2019 at 16:09, Kenneth Porter <shiva at sewingwitch.com> wrote:

> I updated to CentOS 7.6 and something must have changed in the base OS
> setup that prevents vsftpd from allowing logins for accounts with
> /sbin/nologin as their shell. I had to add that to /etc/shells so that such
> accounts could FTP again. That file is in the setup package. Did it include
> /sbin/nologin before? I don't have anything in my notes from setting up the
> system last year about changing that. What's the history of shells listed
> in /etc/shells?

So I think this is a side effect of a long term argument of the security
nature of /sbin/nologin

https://serverfault.com/questions/328395/nologin-in-etc-shells-is-dangerous-why
https://lists.fedoraproject.org/archives/list/devel at lists.fedoraproject.org/thread/UCUWTT63JS72R7ROFE46ZVUZLFN3K2MZ/

The second thread goes over me being an idiot in multiple places...

> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

-- 
Stephen J Smoogen.
--On Thursday, January 10, 2019 4:17 PM -0500 Stephen John Smoogen <smooge at gmail.com> wrote:

> So I think this is a side effect of a long term argument of the security
> nature of /sbin/nologin
>
> https://serverfault.com/questions/328395/nologin-in-etc-shells-is-dangerous-why
> https://lists.fedoraproject.org/archives/list/devel at lists.fedoraproject.org/thread/UCUWTT63JS72R7ROFE46ZVUZLFN3K2MZ/
>
> The second thread goes over me being an idiot in multiple places...

Thanks. I independently discovered the fedora-devel thread when I dug into
Bugzilla for the setup package, limiting to bugs mentioning /etc/shells, and
found this bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1378893

I think the takeaway is that /sbin/nologin should NOT be in /etc/shells. So
that means vsftpd should NOT use the pam shells plugin to decide which
accounts are system accounts in order to block them. It already has its own
ftpusers file for that purpose. Is that sufficient? But how would it know
when a new system account was added by a new package?

OTOH, we can switch the file to whitelist instead of blacklist in
vsftpd.conf. So now we have to edit the whitelist whenever we add a regular
user (assuming FTP is allowed by default for shell users).
More digging (now that I have a better handle on how to ask the question)
reveals this bug against documentation and release notes for 7.6 to alert
updaters about this breaking change for vsftpd:

https://bugzilla.redhat.com/show_bug.cgi?id=1647485

The last comment there, #15 by "Roy":

> For a workaround to vsftpd login failures that doesn't expose your system
> to the cited CVE, and retains the benefits of system user account
> separation, read from "Virtual users with TLS/SSL/FTPS and a common
> upload directory - Complicated vsftpd" on
> https://ubuntuforums.org/showthread.php?t=518293, but implement home
> directories using the section "System users as a virtual user with
> non-system password" as a guide.
On 10/01/2019 at 22:17, Stephen John Smoogen wrote:

> I updated to CentOS 7.6 and something must have changed in the base
> OS setup that prevents vsftpd from allowing logins for accounts
> with /sbin/nologin as their shell.

Maybe this could be your solution. Here's the relevant lines from my
vsftpd.conf :

chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
check_shell=NO
userlist_file=/etc/vsftpd/vsftpd.user_list
allow_writeable_chroot=YES

Cheers,

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'Église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
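The thread turns on three checks that gate a local vsftpd login on CentOS 7: the shell test (pam_shells.so, which fails once /sbin/nologin drops out of /etc/shells), the ftpusers deny list, and the user_list file whose meaning flips with userlist_deny. The script below is an added example, not code from the thread or from the vsftpd project; it is a simplified model of those checks (the shell check is modelled as "the account's shell must appear in /etc/shells", ftpusers is treated as a pure deny list) that an admin can use to audit a config such as Niki's whitelist against the stock defaults. All file contents are constructed samples.

```python
from typing import Dict, List, Tuple

def parse_conf(text: str) -> Dict[str, str]:
    """Parse vsftpd.conf key=value lines; blank lines and '#' comments are skipped."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def parse_list(text: str) -> List[str]:
    """One entry per line (user_list, ftpusers, /etc/shells); '#' lines are skipped."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")]

def login_allowed(user: str, passwd: str, shells: str, conf_text: str,
                  user_list: str, ftpusers: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a local account under the simplified model."""
    conf = parse_conf(conf_text)
    fields = [l.split(":") for l in passwd.splitlines() if l.count(":") >= 6]
    shell = next((f[6] for f in fields if f[0] == user), None)
    if shell is None:
        return False, "no such account"
    if user in parse_list(ftpusers):          # ftpusers: always a deny list
        return False, "listed in ftpusers"
    if conf.get("userlist_enable", "NO") == "YES":
        listed = user in parse_list(user_list)
        if conf.get("userlist_deny", "YES") == "YES" and listed:
            return False, "listed in user_list (deny mode)"
        if conf.get("userlist_deny", "YES") == "NO" and not listed:
            return False, "not in user_list (whitelist mode)"
    # Shell check, modelled as pam_shells.so: the shell must appear in /etc/shells.
    if conf.get("check_shell", "YES") == "YES" and shell not in parse_list(shells):
        return False, "shell " + shell + " not in /etc/shells"
    return True, "ok"

# Constructed sample files: a CentOS 7.6 style /etc/shells without /sbin/nologin.
PASSWD = ("root:x:0:0::/root:/bin/bash\nbob:x:1000:1000::/home/bob:/bin/bash\n"
          "ftponly:x:1001:1001::/srv/ftp/ftponly:/sbin/nologin\n")
SHELLS = "/bin/sh\n/bin/bash\n"
FTPUSERS = "root\n"
USER_LIST = "ftponly\n"            # the whitelist used by the userlist_deny=NO config
DEFAULT_CONF = "# stock vsftpd.conf: check_shell defaults to YES, userlist_enable to NO\n"
NIKI_CONF = ("chroot_local_user=YES\nuserlist_enable=YES\nuserlist_deny=NO\n"
             "check_shell=NO\nuserlist_file=/etc/vsftpd/vsftpd.user_list\n")
if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("whitelist", NIKI_CONF)):
        for u in ("ftponly", "bob", "root"):
            print(name, u, login_allowed(u, PASSWD, SHELLS, conf, USER_LIST, FTPUSERS))
```

Running it shows the trade-off Kenneth describes: the nologin account is refused under the stock config and accepted under the whitelist config, while a normal shell user such as bob is refused under the whitelist until he is added to user_list.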