Setup in Amazon Linux 2 added /sbin/nologin and /usr/sbin/nologin to /etc/shells. This violates security assumptions made by pam_shells and some daemons which allow access based on a user's shell being listed in /etc/shells. Under some circumstances, users which had their shell changed to /sbin/nologin could still access the system. (CVE-2018-1113)
Please note: this update removes the
/usr/sbin/nologin login shells from the
/etc/shells file due to security reasons. Consequently, when the configuration of the Very Secure File Transfer Protocol Daemon, vsftpd, is modified to enable the
chroot_local_user, FTP logins are impossible.
To work around this problem, add
/usr/sbin/nologin, respectively, to the
/etc/shells file. As a result, a login shell for users that are allowed to use FTP, but not SSH, is available again. However, note that this workaround exposes vsftpd to the security risk described in this advisory.
Run yum update setup to update your system.
noarch: setup-2.8.71-10.amzn2.noarch src: setup-2.8.71-10.amzn2.src