ALAS2-2019-1158 --- setupID: oval:org.secpod.oval:def:1700141 | Date: (C)2019-05-30 (M)2023-06-16 |
Class: PATCH | Family: unix |
Setup in Amazon Linux 2 added /sbin/nologin and /usr/sbin/nologin to /etc/shells. This violates security assumptions made by pam_shells and some daemons which allow access based on a user#039;s shell being listed in /etc/shells. Under some circumstances, users which had their shell changed to /sbin/nologin could still access the system. Please note: this update removes the `/sbin/nologin` and `/usr/sbin/nologin` login shells from the `/etc/shells` file due to security reasons. Consequently, when the configuration of the Very Secure File Transfer Protocol Daemon, *vsftpd*, is modified to enable the `chroot_local_user`, FTP logins are impossible. To work around this problem, add `/sbin/nologin` or `/usr/sbin/nologin`, respectively, to the `/etc/shells` file. As a result, a login shell for users that are allowed to use FTP, but not SSH, is available again. However, note that this workaround exposes *vsftpd* to the security risk described in this advisory.