On Thu, 10 Jan 2019 at 16:09, Kenneth Porter shiva@sewingwitch.com wrote:
I updated to CentOS 7.6 and something must have changed in the base OS setup that prevents vsftpd from allowing logins for accounts with /sbin/nologin as their shell. I had to add that to /etc/shells so that such accounts could FTP again. That file is in the setup package. Did it include /sbin/nologin before? I don't have anything in my notes from setting up the system last year about changing that. What's the history of shells listed in /etc/shells?
So I think this is a side effect of a long term argument of the security nature of /sbin/nologin
https://serverfault.com/questions/328395/nologin-in-etc-shells-is-dangerous-... https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/...
The second thread goes over me being an idiot in multiple places...
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
--On Thursday, January 10, 2019 4:17 PM -0500 Stephen John Smoogen smooge@gmail.com wrote:
So I think this is a side effect of a long term argument of the security nature of /sbin/nologin
https://serverfault.com/questions/328395/nologin-in-etc-shells-is-dangerous-why
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/UCUWTT63JS72R7ROFE46ZVUZLFN3K2MZ/
The second thread goes over me being an idiot in multiple places...
Thanks. I independently discovered the fedora-devel thread when I dug into Bugzilla for the setup package, limiting to bugs mentioning /etc/shells, and found this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1378893
I think the takeaway is that /sbin/nologin should NOT be in /etc/shells. So that means vsftpd should NOT use the pam shells plugin to decide which accounts are system accounts in order to block them. It already has its own ftpusers file for that purpose. Is that sufficient? But how would it know when a new system account was added by a new package? OTOH, we can switch the file to whitelist instead of blacklist in vsftpd.conf. So now we have to edit the whitelist whenever we add a regular user (assuming FTP is allowed by default for shell users).
More digging (now that I have a better handle on how to ask the question) reveals this bug against documentation and release notes for 7.6 to alert updaters about this breaking change for vsftpd:
https://bugzilla.redhat.com/show_bug.cgi?id=1647485
The last comment there, #15 by "Roy":
For a workaround to vsftpd login failures that doesn't expose your system to the cited CVE, and retains the benefits of system user account separation, read from "Virtual users with TLS/SSL/FTPS and a common upload directory - Complicated vsftpd" on https://ubuntuforums.org/showthread.php?t=518293, but implement home directories using the section "System users as a virtual user with non-system password" as a guide.
I think the pam_shells test is really a lazy test for daemons. There's already a blacklist in /etc/vsftpd/user_list but it's incomplete. (It lacks a LOT of common system services such as named, sshd, and dbus.) I suggest replacing pam_shells with a test for UID < 1000:
auth required pam_succeed_if.so uid >= 1000 quiet_success
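As an added example (not part of the thread or of vsftpd itself), the following script checks the gap Kenneth describes: it lists accounts below a UID threshold that a blacklist-mode user_list (userlist_deny=YES) does not name and so does not block. On a real host you would pass /etc/passwd and /etc/vsftpd/user_list; the demo uses constructed sample files, and the 1000 threshold follows the pam_succeed_if suggestion above.

```shell
# Usage: vsftpd_undenied_system_accounts PASSWD_FILE USERLIST_FILE [UID_MIN]
# Prints, one per line and sorted, accounts with UID < UID_MIN (default 1000)
# that are absent from USERLIST_FILE.
vsftpd_undenied_system_accounts() {
    passwd_file=$1
    userlist_file=$2
    uid_min=${3:-1000}
    awk -F: -v min="$uid_min" '
        # First file is the user_list: strip "#" comments and surrounding
        # whitespace (vsftpd ignores both), remember each name as denied.
        FILENAME == ARGV[1] {
            sub(/#.*/, "")
            gsub(/^[ \t]+|[ \t]+$/, "")
            if ($0 != "") denied[$0] = 1
            next
        }
        # Second file is passwd: field 1 is the name, field 3 the UID.
        ($3 + 0) < (min + 0) && !($1 in denied) { print $1 }
    ' "$userlist_file" "$passwd_file" | sort
}

# Demo on constructed data (not any real system's files); joins the names
# with commas so the result is easy to compare. Optional arg: UID threshold.
demo_undenied_system_accounts() {
    uid_min=${1:-1000}
    passwd_sample=$(mktemp)
    userlist_sample=$(mktemp)
    cat >"$passwd_sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
kenneth:x:1000:1000::/home/kenneth:/bin/bash
ftpcust:x:1001:1001::/home/ftpcust:/sbin/nologin
EOF
    cat >"$userlist_sample" <<'EOF'
# constructed user_list: like the stock file, it names only a few accounts
root
bin
daemon
EOF
    vsftpd_undenied_system_accounts "$passwd_sample" "$userlist_sample" "$uid_min" |
        paste -sd, -
    rm -f "$passwd_sample" "$userlist_sample"
}

demo_undenied_system_accounts   # prints: dbus,named,sshd
```

The check only makes sense in blacklist mode; with userlist_deny=NO the same file is a whitelist of permitted users and any account missing from it is already refused.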
On 10/01/2019 at 22:17, Stephen John Smoogen wrote:
I updated to CentOS 7.6 and something must have changed in the base OS setup that prevents vsftpd from allowing logins for accounts with /sbin/nologin as their shell.
Maybe this could be your solution. Here are the relevant lines from my vsftpd.conf:

chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
check_shell=NO
userlist_file=/etc/vsftpd/vsftpd.user_list
allow_writeable_chroot=YES
Cheers,
Niki