Low: setup

Issue Overview:

Setup in Amazon Linux 2 added /sbin/nologin and /usr/sbin/nologin to /etc/shells. This violates security assumptions made by pam_shells and some daemons which allow access based on a user’s shell being listed in /etc/shells. Under some circumstances, users which had their shell changed to /sbin/nologin could still access the system. (CVE-2018-1113)

Please note: this update removes the /sbin/nologin and /usr/sbin/nologin login shells from the /etc/shells file due to security reasons. Consequently, when the configuration of the Very Secure File Transfer Protocol Daemon, vsftpd, is modified to enable the chroot_local_user, FTP logins are impossible.

To work around this problem, add /sbin/nologin or /usr/sbin/nologin, respectively, to the /etc/shells file. As a result, a login shell for users that are allowed to use FTP, but not SSH, is available again. However, note that this workaround exposes vsftpd to the security risk described in this advisory.

Affected Packages:

setup

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update setup to update your system.

New Packages:

noarch:  
    setup-2.8.71-10.amzn2.noarch  
  
src:  
    setup-2.8.71-10.amzn2.src  

Additional References

Red Hat: CVE-2018-1113

Mitre: CVE-2018-1113