VMD-L Mailing List
From: Cosseddu, Salvatore (S.M.Cosseddu_at_warwick.ac.uk)
Date: Wed Feb 19 2014 - 08:38:02 CST
Got the point. Working from \tmp or some public directories might indeed lead some problem. I've never done it and this is why I overlooked the issue.
Thanks for the clarification.
From: olaf.lenz_at_gmail.com <olaf.lenz_at_gmail.com> on behalf of Olaf Lenz <olenz_at_icp.uni-stuttgart.de>
Sent: 19 February 2014 14:30
To: Cosseddu, Salvatore
Cc: VMD Mailing List
Subject: Re: vmd-l: Security problem?
The difference is, that .bashrc is only read from your home directory. If someone is able to manipulate files there, you are going to have a problem anyway.
In constrast, .vmdrc is read from the directory you are currently in. So if you are in a directory like "/", or "/tmp", or something else, where other people can create files, and start vmd, a malicious .vmdrc is excuted.
My impression is that the issue is not so simple to be solved. Consider the .bashrc and .bash_profile file that are executed every time a shell sessions are started (interactive non-login sessions the former, login sessions the latter http://www.joshstaiger.org/archives/2005/07/bash_profile_vs.html? ). My impression is that if some user has the permissions to write in someone's directories, the possibilities of malicious .vmdrc might indeed be the last of his problems.
My 2 cents
From: owner-vmd-l_at_ks.uiuc.edu<mailto:owner-vmd-l_at_ks.uiuc.edu> <owner-vmd-l_at_ks.uiuc.edu<mailto:owner-vmd-l_at_ks.uiuc.edu>> on behalf of Olaf Lenz <olenz_at_icp.uni-stuttgart.de<mailto:olenz_at_icp.uni-stuttgart.de>>
Sent: 19 February 2014 12:01
To: VMD Mailing List
Subject: vmd-l: Security problem?
I have just noticed that VMD will automatically read and play the file ".vmdrc" in the current directory.
I believe that this is a significant security hole. If a user puts a malicious Tcl script ".vmdrc" into a directory where someone else executes vmd, the script is executed. Ultimately, this is the same reason, why "." is not in the PATH.
I would strongly recommend to remove this behavior, or at least make it configurable via an environment variable or so.
-- Dr. rer. nat. Olaf Lenz Institut f?r Computerphysik, Allmandring 3, D-70569 Stuttgart Phone: +49-711-685-63607<tel:%2B49-711-685-63607> -- Dr. rer. nat. Olaf Lenz Institut f?r Computerphysik, Allmandring 3, D-70569 Stuttgart Phone: +49-711-685-63607