From: Olaf Lenz (olenz_at_icp.uni-stuttgart.de)
Date: Wed Feb 19 2014 - 08:30:59 CST

Hi!

The difference is that .bashrc is only read from your home directory. If
someone is able to manipulate files there, you are going to have a problem
anyway.
In contrast, .vmdrc is read from the directory you are currently in. So if
you are in a directory like "/", or "/tmp", or something else, where other
people can create files, and start vmd, a malicious .vmdrc is executed.

Olaf

2014-02-19 15:24 GMT+01:00 Cosseddu, Salvatore <S.M.Cosseddu_at_warwick.ac.uk>:

> Dear Olaf,
>
>
> My impression is that the issue is not so simple to solve. Consider
> the .bashrc and .bash_profile files that are executed every time
> a shell session is started (interactive non-login sessions the former,
> login sessions the latter:
> http://www.joshstaiger.org/archives/2005/07/bash_profile_vs.html ). My
> impression is that if some user has the permissions to write in
> someone's directories, the possibility of a malicious .vmdrc might indeed
> be the last of his problems.
>
>
> My 2 cents
>
> Salvatore
> ------------------------------
> *From:* owner-vmd-l_at_ks.uiuc.edu <owner-vmd-l_at_ks.uiuc.edu> on behalf of
> Olaf Lenz <olenz_at_icp.uni-stuttgart.de>
> *Sent:* 19 February 2014 12:01
> *To:* VMD Mailing List
> *Subject:* vmd-l: Security problem?
>
> Hi everybody!
>
> I have just noticed that VMD will automatically read and play the file
> ".vmdrc" in the current directory.
> I believe that this is a significant security hole. If a user puts a
> malicious Tcl script ".vmdrc" into a directory where someone else executes
> vmd, the script is executed. Ultimately, this is the same reason why "."
> is not in the PATH.
>
> http://superuser.com/questions/156582/why-is-not-in-the-path-by-default
>
> I would strongly recommend removing this behavior, or at least making it
> configurable via an environment variable or so.
>
> Olaf
>
> --
> Dr. rer. nat. Olaf Lenz
> Institut für Computerphysik, Allmandring 3, D-70569 Stuttgart
> Phone: +49-711-685-63607
>

-- 
Dr. rer. nat. Olaf Lenz
Institut für Computerphysik, Allmandring 3, D-70569 Stuttgart
Phone: +49-711-685-63607
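As an added example (not part of this thread, and not VMD's own code), a shell wrapper that applies the check a cautious user would want before starting vmd in a shared directory: it refuses to launch when the current directory holds a .vmdrc that the invoking user does not own, or that group or other users could write. It assumes a `vmd` binary on PATH and GNU `stat`.

```shell
#!/usr/bin/env bash
# Added example: guard against auto-loading an untrusted .vmdrc from the
# current directory. Not VMD code; the vmd binary name is an assumption.

# vmdrc_safe DIR -> exit status 0 if DIR/.vmdrc is absent or trustworthy,
# 1 if vmd should not be started from DIR.
vmdrc_safe() {
    dir=${1:-.}
    rc="$dir/.vmdrc"
    # No .vmdrc here: nothing can be auto-loaded.
    [ -e "$rc" ] || return 0
    # Not owned by the invoking user: someone else wrote this script.
    [ -O "$rc" ] || return 1
    # Octal mode of the file vmd would actually read (follow symlinks).
    mode=$(stat -L -c %a "$rc") || return 1
    # Keep only the last three digits (user/group/other), dropping any
    # setuid/setgid/sticky prefix digit.
    mode=${mode#"${mode%???}"}
    # Group or other write bit set (digit 2, 3, 6 or 7): others could have
    # modified it, so treat it as untrusted.
    case $mode in
        ?[2367]?|??[2367]) return 1 ;;
    esac
    return 0
}

# safe_vmd ARGS... -> start vmd only when the cwd passes the check.
safe_vmd() {
    if vmdrc_safe .; then
        vmd "$@"
    else
        echo "refusing to start vmd: untrusted .vmdrc in $PWD" >&2
        return 2
    fi
}
```

Put the functions in your shell startup file and run `safe_vmd` instead of `vmd`; a directory such as /tmp with a .vmdrc created by another user is then rejected.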