More digging (now that I have a better handle on how to ask the question)
reveals this bug against documentation and release notes for 7.6 to alert
updaters about this breaking change for vsftpd:

https://bugzilla.redhat.com/show_bug.cgi?id=1647485

The last comment there, #15 by "Roy":

For a workaround to vsftpd login failures that doesn't expose your system
to the cited CVE, and retains the benefits of system user account
separation, read from "Virtual users with TLS/SSL/FTPS and a common
upload directory - Complicated vsftpd" on
https://ubuntuforums.org/showthread.php?t=518293, but implement home
directories using the section "System users as a virtual user with
non-system password" as a guide.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos