--On Thursday, January 10, 2019 4:17 PM -0500 Stephen John Smoogen
<smooge@xxxxxxxxx> wrote:
> So I think this is a side effect of a long term argument of the security
> nature of /sbin/nologin
> https://serverfault.com/questions/328395/nologin-in-etc-shells-is-dangerous-why
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/UCUWTT63JS72R7ROFE46ZVUZLFN3K2MZ/
> The second thread goes over me being an idiot in multiple places...

Thanks. I independently discovered the fedora-devel thread when I dug into
Bugzilla for the setup package, limiting to bugs mentioning /etc/shells,
and found this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1378893
I think the takeaway is that /sbin/nologin should NOT be in /etc/shells. So
that means vsftpd should NOT use the pam shells plugin to decide which
accounts are system accounts in order to block them. It already has its own
ftpusers file for that purpose. Is that sufficient? But how would it know
when a new system account was added by a new package? OTOH, we can switch
the file to whitelist instead of blacklist in vsftpd.conf. So now we have
to edit the whitelist whenever we add a regular user (assuming FTP is
allowed by default for shell users).
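
The gap raised in the message above (a deny list cannot know about system accounts added later by packages, and pam_shells passes anyone whose shell is in /etc/shells) can be checked with a small audit. This is an added example, not part of the original message or of vsftpd; the UID threshold of 1000, the function names and the sample file contents are assumptions constructed for illustration.

```python
"""Audit local accounts against an FTP deny list (ftpusers) and /etc/shells."""

UID_MIN = 1000  # assumption: regular users start at UID 1000

# Constructed sample inputs in passwd(5), ftpusers and shells(5) format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
"""
SAMPLE_FTPUSERS = "# Users that are not allowed to login via ftp\nroot\nbin\ndaemon\n"
SAMPLE_SHELLS = "/bin/sh\n/bin/bash\n/sbin/nologin\n"


def parse_passwd(text):
    """Yield (name, uid, shell) for each well-formed passwd entry."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and fields[2].isdigit():
            yield fields[0], int(fields[2]), fields[6]


def parse_list(text):
    """Return the non-comment, non-blank entries of a one-per-line file."""
    entries = (l.strip() for l in text.splitlines())
    return {e for e in entries if e and not e.startswith("#")}


def audit(passwd_text, ftpusers_text, shells_text, uid_min=UID_MIN):
    denied = parse_list(ftpusers_text)
    shells = parse_list(shells_text)
    accounts = list(parse_passwd(passwd_text))
    return {
        # System accounts the deny list misses (package-added ones land here).
        "unlisted_system": sorted(
            n for n, uid, _ in accounts if uid < uid_min and n not in denied),
        # Non-system accounts a shell-in-/etc/shells test would let through.
        "shell_users": sorted(
            n for n, uid, sh in accounts
            if uid >= uid_min and sh in shells and n not in denied),
        # Non-login shells listed in /etc/shells.
        "nologin_in_shells": sorted(
            s for s in shells if s.rsplit("/", 1)[-1] in ("nologin", "false")),
    }
```

With the constructed sample, `chrony` is reported as an unlisted system account, and `nfsnobody` only counts as a shell user while `/sbin/nologin` is present in the shells list.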