--On Thursday, January 10, 2019 4:17 PM -0500 Stephen John Smoogen <smooge at gmail.com> wrote:

> So I think this is a side effect of a long-term argument of the security
> nature of /sbin/nologin
>
> https://serverfault.com/questions/328395/nologin-in-etc-shells-is-dangerous-why
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/UCUWTT63JS72R7ROFE46ZVUZLFN3K2MZ/
>
> The second thread goes over me being an idiot in multiple places...

Thanks. I independently discovered the fedora-devel thread when I dug into Bugzilla for the setup package, limiting to bugs mentioning /etc/shells, and found this bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1378893

I think the takeaway is that /sbin/nologin should NOT be in /etc/shells. So that means vsftpd should NOT use the pam shells plugin to decide which accounts are system accounts in order to block them. It already has its own ftpusers file for that purpose. Is that sufficient? But how would it know when a new system account was added by a new package?

OTOH, we can switch the file to whitelist instead of blacklist in vsftpd.conf. So now we have to edit the whitelist whenever we add a regular user (assuming FTP is allowed by default for shell users).
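The two mechanisms argued over in this message, pam_shells consulting /etc/shells and vsftpd's user list in blacklist versus whitelist mode, are easy to confuse, so here is an added POSIX sh example (written for this page, not code from vsftpd, Fedora or any of the people in the thread) that models both decisions against constructed sample files in a temp directory. The vsftpd option names it refers to (userlist_enable, userlist_file, userlist_deny) and the statement that userlist_deny=YES is vsftpd's default are taken from the vsftpd.conf man page as I recall it and should be checked against the installed version; the shells and user_list contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example: models (1) the pam_shells check, which passes any account whose
# shell is listed in /etc/shells, so listing /sbin/nologin there lets nologin
# accounts through, and (2) vsftpd's userlist_deny semantics:
#   userlist_deny=YES  -> userlist_file is a blacklist (assumed vsftpd default)
#   userlist_deny=NO   -> userlist_file is a whitelist
# All files below are constructed sample data in a temp dir; /etc is untouched.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed /etc/shells with the problematic entry present.
SHELLS_BAD="$WORK/shells.bad"
cat > "$SHELLS_BAD" <<'EOF'
/bin/sh
/bin/bash
/sbin/nologin
EOF

# Constructed /etc/shells without it (the takeaway of the message above).
SHELLS_OK="$WORK/shells.ok"
cat > "$SHELLS_OK" <<'EOF'
/bin/sh
/bin/bash
EOF

# Constructed vsftpd user_list (userlist_file) naming two regular users.
USER_LIST="$WORK/user_list"
cat > "$USER_LIST" <<'EOF'
alice
bob
EOF

# Exit 0 if /sbin/nologin is listed in the given shells file (the misconfiguration).
shells_lists_nologin() {
    grep -qxF '/sbin/nologin' "$1"
}

# Mimic pam_shells: exit 0 if the shell ($2) appears verbatim in the shells file ($1).
pam_shells_would_allow() {
    grep -qxF -- "$2" "$1"
}

# Mimic vsftpd's userlist check.
#   $1 = userlist_file, $2 = user name, $3 = value of userlist_deny (YES or NO)
user_list_allows() {
    if grep -qxF -- "$2" "$1"; then
        listed=0
    else
        listed=1
    fi
    case "$3" in
        YES) [ "$listed" -ne 0 ] ;;   # blacklist: listed users are denied
        NO)  [ "$listed" -eq 0 ] ;;   # whitelist: only listed users are allowed
        *)   echo "userlist_deny must be YES or NO" >&2; return 2 ;;
    esac
}

# Stand-alone demonstration of the two configurations side by side.
for f in "$SHELLS_BAD" "$SHELLS_OK"; do
    if pam_shells_would_allow "$f" /sbin/nologin; then
        echo "$(basename "$f"): pam_shells would ALLOW an account with shell /sbin/nologin"
    else
        echo "$(basename "$f"): pam_shells would deny an account with shell /sbin/nologin"
    fi
done

for mode in YES NO; do
    for u in alice carol; do
        if user_list_allows "$USER_LIST" "$u" "$mode"; then
            echo "userlist_deny=$mode: $u allowed"
        else
            echo "userlist_deny=$mode: $u denied"
        fi
    done
done
```

The whitelist run shows the maintenance cost the message points out: with userlist_deny=NO, carol (a regular user not yet added to the file) is denied until someone edits the list, while in blacklist mode a new system account that is not in the list is allowed until someone notices it.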