VMD-L Mailing List
From: Cosseddu, Salvatore (S.M.Cosseddu_at_warwick.ac.uk)
Date: Thu Feb 20 2014 - 10:37:07 CST
Dear John and Olaf,
I don't know if this can help, but I believe there is a simpler solution for those that usually launch vmd from shared folders. A small bash script can be created to check whether a local .vmdrc exists and if the user is aware of it. I've just spent ten minutes writing down a simple example that might be useful for Olaf and those who have similar problems. I haven't really tested it, sorry.
#!/bin/bash
# This script checks for a .vmdrc file in the local directory to prevent malicious behaviour. SMC.
if [ -e ".vmdrc" ]; then
    echo "WARNING: In this folder a .vmdrc file is present. This is a potential security risk if this is a shared folder."
    head -20 .vmdrc
    echo "Do you want to read it all?"
    # let the user decide about the .vmdrc in the local directory
    select opt in yes "no and start vmd" quit; do
        case $opt in
            # cat .vmdrc and ask whether to continue or exit
            yes) cat .vmdrc
                echo "Do you want to start vmd?"
                select opt in yes quit; do
                    case $opt in
                        yes) break ;;
                        quit) exit 0 ;;
                    esac
                done; break ;;
            "no and start vmd") break ;;
            quit) exit 0 ;;
        esac
    done
fi
# start vmd, passing along any command-line arguments
vmd "$@"
From: owner-vmd-l_at_ks.uiuc.edu <owner-vmd-l_at_ks.uiuc.edu> on behalf of John Stone <johns_at_ks.uiuc.edu>
Sent: 19 February 2014 15:16
To: Olaf Lenz
Cc: VMD Mailing List
Subject: Re: vmd-l: Security problem?
This behavior is used by many VMD users to customize the behavior
of the program when they run it in different project directories.
I would be happy to add an environment variable to customize this
behavior so it can be disabled in your case.
IMHO, if you are being attacked by someone with
access to a shared filesystem where you do your VMD work,
you've likely already lost the battle. There is a seemingly
endless stream of local root exploits that an attacker could use
to gain superuser privilege, and if they get that far it is a
short step for them to put files anywhere they want. I don't
consider VMD (or similar programs) to be security-relevant in any
On Wed, Feb 19, 2014 at 01:01:26PM +0100, Olaf Lenz wrote:
> Hi everybody!
> I have just noticed that VMD will automatically read and play the file
> ".vmdrc" in the current directory.
> I believe that this is a significant security hole. If a user puts a
> malicious Tcl script ".vmdrc" into a directory where someone else executes
> vmd, the script is executed. Ultimately, this is the same reason why "."
> is not in the PATH.
> http://superuser.com/questions/156582/why-is-not-in-the-path-by-default
> I would strongly recommend removing this behavior, or at least make it
> configurable via an environment variable or so.
> Dr. rer. nat. Olaf Lenz
> Institut für Computerphysik, Allmandring 3, D-70569 Stuttgart
> Phone: +49-711-685-63607
--
NIH Center for Macromolecular Modeling and Bioinformatics
Beckman Institute for Advanced Science and Technology
University of Illinois, 405 N. Mathews Ave, Urbana, IL 61801
http://www.ks.uiuc.edu/~johns/ Phone: 217-244-3349
http://www.ks.uiuc.edu/Research/vmd/

--
Salvatore Cosseddu
PhD student
Centre for Scientific Computing and School of Engineering
University of Warwick
Coventry CV4 7AL
United Kingdom
email: S.M.Cosseddu_at_warwick.ac.uk
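
The following is an added example, not part of the original thread and not code from VMD or any poster. It shows a non-interactive variant of the wrapper idea discussed above: classify the .vmdrc in a directory by ownership and write permissions before vmd is started. The function names and verdict strings are hypothetical, and vmd is assumed to be on the PATH.

```bash
#!/bin/bash
# Added example, not from the thread. Function names and verdict strings
# are hypothetical; "vmd" is assumed to be on the PATH.

# Print one verdict for DIR/.vmdrc: absent | trusted | untrusted
vmdrc_verdict() {
    dir=${1:-.}
    rc="$dir/.vmdrc"
    # Nothing there (a dangling symlink still counts as present).
    if [ ! -e "$rc" ] && [ ! -L "$rc" ]; then
        echo absent; return 0
    fi
    # A symlink or non-regular file may lead to content someone else controls.
    if [ -L "$rc" ] || [ ! -f "$rc" ]; then
        echo untrusted; return 0
    fi
    # File and directory must both belong to the user about to run vmd;
    # whoever owns the directory can replace the file.
    if [ ! -O "$rc" ] || [ ! -O "$dir" ]; then
        echo untrusted; return 0
    fi
    # Neither may be writable by group or others (mode string from ls -ld:
    # character 6 is group write, character 9 is other write).
    for p in "$rc" "$dir"; do
        mode=$(ls -ld -- "$p" | cut -c1-10)
        case $mode in
            ?????w????|????????w?) echo untrusted; return 0 ;;
        esac
    done
    echo trusted
}

# Start vmd only if the .vmdrc in the current directory is absent or trusted.
safe_vmd() {
    if [ "$(vmdrc_verdict .)" = untrusted ]; then
        echo "Not starting vmd: ./.vmdrc could have been written by another user." >&2
        return 1
    fi
    vmd "$@"
}
```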