[CentOS] vsftpd rejects users set to nologin
Kenneth Porter
shiva at sewingwitch.com
Thu Jan 10 21:34:12 UTC 2019
--On Thursday, January 10, 2019 4:17 PM -0500 Stephen John Smoogen
<smooge at gmail.com> wrote:
> So I think this is a side effect of a long term argument of the security
> nature of /sbin/nologin
>
> https://serverfault.com/questions/328395/nologin-in-etc-shells-is-dangero
> us-why
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.o
> rg/thread/UCUWTT63JS72R7ROFE46ZVUZLFN3K2MZ/
>
> The second thread goes over me being an idiot in multiple places...
Thanks. I independently discovered the fedora-devel thread when I dug into
Bugzilla for the setup package, limiting to bugs mentioning /etc/shells,
and found this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1378893
I think the takeaway is that /sbin/nologin should NOT be in /etc/shells. So
that means vsftpd should NOT use the pam shells plugin to decide which
accounts are system accounts in order to block them. It already has its own
ftpusers file for that purpose. Is that sufficient? But how would it know
when a new system account was added by a new package? OTOH, we can switch
the file to whitelist instead of blacklist in vsftpd.conf. So now we have
to edit the whitelist whenever we add a regular user (assuming FTP is
allowed by default for shell users).
More information about the CentOS
mailing list