From: Cosseddu, Salvatore (
Date: Wed Feb 19 2014 - 08:24:26 CST

?Dear Olaf,

My impression is that the issue is not so simple to be solved. Consider the .bashrc and .bash_profile file that are executed every time a shell sessions are started (interactive non-login sessions the former, login sessions the latter ). My impression is that if some user has the permissions to write in someone's directories, the possibilities of malicious .vmdrc might indeed be the last of his problems.

My 2 cents


From: <> on behalf of Olaf Lenz <>
Sent: 19 February 2014 12:01
To: VMD Mailing List
Subject: vmd-l: Security problem?

Hi everybody!

I have just noticed that VMD will automatically read and play the file ".vmdrc" in the current directory.
I believe that this is a significant security hole. If a user puts a malicious Tcl script ".vmdrc" into a directory where someone else executes vmd, the script is executed. Ultimately, this is the same reason, why "." is not in the PATH.

I would strongly recommend to remove this behavior, or at least make it configurable via an environment variable or so.


Dr. rer. nat. Olaf Lenz
Institut f?r Computerphysik, Allmandring 3, D-70569 Stuttgart
Phone: +49-711-685-63607