VMD-L Mailing List
From: Olaf Lenz (olenz_at_icp.uni-stuttgart.de)
Date: Wed Feb 19 2014 - 08:30:59 CST
The difference is, that .bashrc is only read from your home directory. If
someone is able to manipulate files there, you are going to have a problem
In constrast, .vmdrc is read from the directory you are currently in. So if
you are in a directory like "/", or "/tmp", or something else, where other
people can create files, and start vmd, a malicious .vmdrc is excuted.
2014-02-19 15:24 GMT+01:00 Cosseddu, Salvatore <S.M.Cosseddu_at_warwick.ac.uk>:
> Dear Olaf,
> My impression is that the issue is not so simple to be solved. Consider
> the .bashrc and .bash_profile file that are executed every time
> a shell sessions are started (interactive non-login sessions the former,
> login sessions the latter
> http://www.joshstaiger.org/archives/2005/07/bash_profile_vs.html ). My
> impression is that if some user has the permissions to write in
> someone's directories, the possibilities of malicious .vmdrc might indeed
> be the last of his problems.
> My 2 cents
> *From:* owner-vmd-l_at_ks.uiuc.edu <owner-vmd-l_at_ks.uiuc.edu> on behalf of
> Olaf Lenz <olenz_at_icp.uni-stuttgart.de>
> *Sent:* 19 February 2014 12:01
> *To:* VMD Mailing List
> *Subject:* vmd-l: Security problem?
> Hi everybody!
> I have just noticed that VMD will automatically read and play the file
> ".vmdrc" in the current directory.
> I believe that this is a significant security hole. If a user puts a
> malicious Tcl script ".vmdrc" into a directory where someone else executes
> vmd, the script is executed. Ultimately, this is the same reason, why "."
> is not in the PATH.
> I would strongly recommend to remove this behavior, or at least make it
> configurable via an environment variable or so.
> Dr. rer. nat. Olaf Lenz
> Institut für Computerphysik, Allmandring 3, D-70569 Stuttgart
> Phone: +49-711-685-63607
-- Dr. rer. nat. Olaf Lenz Institut für Computerphysik, Allmandring 3, D-70569 Stuttgart Phone: +49-711-685-63607