Low: setup

ID ALAS2-2019-1158
Type amazon
Reporter Amazon
Modified 2019-02-14T04:07:00


Issue Overview:

Setup in Amazon Linux 2 added /sbin/nologin and /usr/sbin/nologin to /etc/shells. This violates security assumptions made by pam_shells and some daemons which allow access based on a user's shell being listed in /etc/shells. Under some circumstances, users which had their shell changed to /sbin/nologin could still access the system. (CVE-2018-1113)

Please note: this update removes the /sbin/nologin and /usr/sbin/nologin login shells from the /etc/shells file due to security reasons. Consequently, when the configuration of the Very Secure File Transfer Protocol Daemon, vsftpd, is modified to enable the chroot_local_user, FTP logins are impossible.

To work around this problem, add /sbin/nologin or /usr/sbin/nologin, respectively, to the /etc/shells file. As a result, a login shell for users that are allowed to use FTP, but not SSH, is available again. However, note that this workaround exposes vsftpd to the security risk described in this advisory.

Affected Packages:


Issue Correction:
Run yum update setup to update your system.

New Packages: