VMD-L Mailing List
From: Cosseddu, Salvatore (S.M.Cosseddu_at_warwick.ac.uk)
Date: Wed Feb 19 2014 - 08:24:26 CST
My impression is that the issue is not so simple to be solved. Consider the .bashrc and .bash_profile file that are executed every time a shell sessions are started (interactive non-login sessions the former, login sessions the latter http://www.joshstaiger.org/archives/2005/07/bash_profile_vs.html? ). My impression is that if some user has the permissions to write in someone's directories, the possibilities of malicious .vmdrc might indeed be the last of his problems.
My 2 cents
From: owner-vmd-l_at_ks.uiuc.edu <owner-vmd-l_at_ks.uiuc.edu> on behalf of Olaf Lenz <olenz_at_icp.uni-stuttgart.de>
Sent: 19 February 2014 12:01
To: VMD Mailing List
Subject: vmd-l: Security problem?
I have just noticed that VMD will automatically read and play the file ".vmdrc" in the current directory.
I believe that this is a significant security hole. If a user puts a malicious Tcl script ".vmdrc" into a directory where someone else executes vmd, the script is executed. Ultimately, this is the same reason, why "." is not in the PATH.
I would strongly recommend to remove this behavior, or at least make it configurable via an environment variable or so.
-- Dr. rer. nat. Olaf Lenz Institut f?r Computerphysik, Allmandring 3, D-70569 Stuttgart Phone: +49-711-685-63607