From: Cosseddu, Salvatore (S.M.Cosseddu_at_warwick.ac.uk)
Date: Wed Feb 19 2014 - 08:38:02 CST

Hi,

Got the point. Working from \tmp or some public directories might indeed lead some problem. I've never done it and this is why I overlooked the issue.

Thanks for the clarification.

Salvatore

________________________________
From: olaf.lenz_at_gmail.com <olaf.lenz_at_gmail.com> on behalf of Olaf Lenz <olenz_at_icp.uni-stuttgart.de>
Sent: 19 February 2014 14:30
To: Cosseddu, Salvatore
Cc: VMD Mailing List
Subject: Re: vmd-l: Security problem?

Hi!

The difference is, that .bashrc is only read from your home directory. If someone is able to manipulate files there, you are going to have a problem anyway.
In constrast, .vmdrc is read from the directory you are currently in. So if you are in a directory like "/", or "/tmp", or something else, where other people can create files, and start vmd, a malicious .vmdrc is excuted.

Olaf

2014-02-19 15:24 GMT+01:00 Cosseddu, Salvatore <S.M.Cosseddu_at_warwick.ac.uk<mailto:S.M.Cosseddu_at_warwick.ac.uk>>:

?Dear Olaf,

My impression is that the issue is not so simple to be solved. Consider the .bashrc and .bash_profile file that are executed every time a shell sessions are started (interactive non-login sessions the former, login sessions the latter http://www.joshstaiger.org/archives/2005/07/bash_profile_vs.html? ). My impression is that if some user has the permissions to write in someone's directories, the possibilities of malicious .vmdrc might indeed be the last of his problems.

My 2 cents

Salvatore

________________________________
From: owner-vmd-l_at_ks.uiuc.edu<mailto:owner-vmd-l_at_ks.uiuc.edu> <owner-vmd-l_at_ks.uiuc.edu<mailto:owner-vmd-l_at_ks.uiuc.edu>> on behalf of Olaf Lenz <olenz_at_icp.uni-stuttgart.de<mailto:olenz_at_icp.uni-stuttgart.de>>
Sent: 19 February 2014 12:01
To: VMD Mailing List
Subject: vmd-l: Security problem?

Hi everybody!

I have just noticed that VMD will automatically read and play the file ".vmdrc" in the current directory.
I believe that this is a significant security hole. If a user puts a malicious Tcl script ".vmdrc" into a directory where someone else executes vmd, the script is executed. Ultimately, this is the same reason, why "." is not in the PATH.

  http://superuser.com/questions/156582/why-is-not-in-the-path-by-default

I would strongly recommend to remove this behavior, or at least make it configurable via an environment variable or so.

Olaf

--
Dr. rer. nat. Olaf Lenz
Institut f?r Computerphysik, Allmandring 3, D-70569 Stuttgart
Phone: +49-711-685-63607<tel:%2B49-711-685-63607>
--
Dr. rer. nat. Olaf Lenz
Institut f?r Computerphysik, Allmandring 3, D-70569 Stuttgart
Phone: +49-711-685-63607