ALAS2-2019-1158


Amazon Linux 2 Security Advisory: ALAS-2019-1158
Advisory Release Date: 2019-02-14 04:07 Pacific
Severity: Low
References: CVE-2018-1113 

Issue Overview:

Setup in Amazon Linux 2 added /sbin/nologin and /usr/sbin/nologin to /etc/shells. This violates security assumptions made by pam_shells and some daemons which allow access based on a user's shell being listed in /etc/shells. Under some circumstances, users which had their shell changed to /sbin/nologin could still access the system. (CVE-2018-1113 )

Please note: this update removes the `/sbin/nologin` and `/usr/sbin/nologin` login shells from the `/etc/shells` file due to security reasons. Consequently, when the configuration of the Very Secure File Transfer Protocol Daemon, *vsftpd*, is modified to enable the `chroot_local_user`, FTP logins are impossible.

To work around this problem, add `/sbin/nologin` or `/usr/sbin/nologin`, respectively, to the `/etc/shells` file. As a result, a login shell for users that are allowed to use FTP, but not SSH, is available again. However, note that this workaround exposes *vsftpd* to the security risk described in this advisory.


Affected Packages:

setup


Issue Correction:
Run yum update setup to update your system.

New Packages:
noarch:
    setup-2.8.71-10.amzn2.noarch

src:
    setup-2.8.71-10.amzn2.src