Old 12-24-2002, 09:34 AM   #1
cottonmouth
Member
 
Registered: May 2002
Location: under the fig tree
Distribution: Redhat 8.0, Mandrake 9.0
Posts: 87

Rep: Reputation: 15
Attack Paths


I was reading a book on Linux security and "attack paths" were mentioned. One of the paths is an Anon FTP that "is not chroot'ed and can read /etc/passwd"
"FTP not chroot'ed and allowed to write to /tmp"

Another where an ordinary user can write to /tmp and root $PATH has "." before /bin"

Me being new to this, I am not sure what all this means. Can someone explain this in layman's terms and maybe provide an example of how to check to see if my distro has this problem and how I fix it?
 
Old 12-24-2002, 02:04 PM   #2
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
look in the root folder for your ftp server

there are usually a few folders in there

ftp]# ls
bin etc lib pub


this is what you would see if you ftped into the system
this is not in the / filesystem but contained in /var/www/ftp
or wherever your ftp root is
 
Old 12-27-2002, 09:26 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
root $PATH has "." before /bin" means execution in "." or "current directory" will be favoured over the other locations in the $PATH. Man bash for more, look for something like "hash table".
 
Old 12-27-2002, 03:26 PM   #4
Miky
Member
 
Registered: Dec 2002
Location: London / Paris
Distribution: Debian / OpenBsd
Posts: 74

Rep: Reputation: 15
I'm far from being a guru but I think I have an idea of what you mean.

I think that if your ftp server is badly configured with bad permissions you'll be able to go to the parent folder until you're in /
Then you can go in /etc and read passwd.
You take the encrypted root password and brute force it.

nb : on my distro (debian) and most of them now, passwords are stored in the /etc/shadow file which is only readable by root so you might not be able to gain root access like that

The other one is when you have to type program instead of ./program to execute your program called program
So I go into tmp, I create a script called ls.
When root comes into /tmp he naturally wants to ls the directory and he might execute your program instead of /bin/ls.
Your program that you called ls will be executed with the identity of root, so I assume it will have the root privileges then you can imagine that the system is yours

Ciao
 
Old 12-27-2002, 03:55 PM   #5
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
but ./filename is the same as filename just that if /bin/filename exists in the $PATH first it will be executed

so if $PATH is /bin:/usr/bin

if a file testfile is in /bin and in /usr/bin the one in bin would run. If a user is in /usr/bin and types ./filename the one in /usr/bin will be executed; if they just type filename the one in /bin will be executed

if you are in the ftp root then ls and ls ../ are also the same
 
Old 12-27-2002, 04:07 PM   #6
Miky
Member
 
Registered: Dec 2002
Location: London / Paris
Distribution: Debian / OpenBsd
Posts: 74

Rep: Reputation: 15
I don't understand what you meant...

I'm just saying (and I didn't test it) that if root ls in /tmp or the ftp directory

the ls (in current directory) will be executed instead of /usr/bin/ls

I'll try to do it later on and give you confirmation or infirmation

Ciao
 
Old 12-27-2002, 05:19 PM   #7
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
this is true because there is no /usr/bin in the ftp root
and it's my opinion that breaking out of the ftp root is not possible

you can test this by renaming ls in your ftp/bin folder
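
A check for the root $PATH question raised at the start of this thread, as an added example that is not part of any of the posts above. The function name audit_path and the wording of its messages are made up for this example; it flags ".", empty entries (which the shell also treats as the current directory), relative entries, and directories that anyone can write to.

```shell
#!/bin/sh
# Added example (not from the thread): report PATH entries that let a file
# placed in the current directory, or in a directory anyone can write to,
# run in place of the real command.
# Returns 0 when nothing is flagged and 1 otherwise.
audit_path() {
    rest="$1:"          # trailing colon so the last entry is also consumed
    pos=0
    status=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        pos=$((pos + 1))
        case $entry in
            "")
                # a leading colon, a trailing colon or "::" all mean "current directory"
                printf 'entry %d: empty entry, treated as the current directory\n' "$pos"
                status=1 ;;
            .)
                printf 'entry %d: "." is the current directory\n' "$pos"
                status=1 ;;
            /*)
                # -L follows symlinks such as /bin -> usr/bin; the 9th character
                # of the mode string is the write bit for "other"
                case $(ls -ldL "$entry" 2>/dev/null) in
                    d???????w*)
                        printf 'entry %d: %s is world-writable\n' "$pos" "$entry"
                        status=1 ;;
                esac ;;
            *)
                printf 'entry %d: "%s" is relative to the current directory\n' "$pos" "$entry"
                status=1 ;;
        esac
    done
    return "$status"
}

# Check the PATH of the shell this runs in (run it from a root login shell
# to check root's PATH).
audit_path "$PATH" || echo 'Remove or fix the entries listed above.'
```

The fix for a flagged entry is to remove it from wherever root's PATH is set (for example the shell profile files) so that only absolute, root-owned directories remain.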
 
  


All times are GMT -5. The time now is 10:49 PM.
