From: Cosseddu, Salvatore (S.M.Cosseddu_at_warwick.ac.uk)
Date: Thu Feb 20 2014 - 10:44:37 CST

Erratum.

A minor bug... sorry. This should work:

--------------------------------------
#!/bin/bash
# This script checks for a .vmdrc file in the current directory and lets the
# user inspect it before VMD is started, to avoid running an unexpected Tcl
# script from a shared folder. SMC.

VMDBIN="vmd"
# VMD's own arguments are forwarded with "$@" at the end of the script
# ("$#" would only pass the number of arguments, not the arguments themselves).

if [ -e ".vmdrc" ]; then

   echo "WARNING: In this folder a .vmdrc file is present. This is a potential security risk if this is a shared folder.

HEAD:"
   head -n 20 .vmdrc

   echo "-------

Do you want to read it all?"

   # let the user decide about the .vmdrc in the local directory
   select opt in yes "no and start vmd" quit;
   do
       case $opt in
           # cat .vmdrc and ask if continue or exit
           yes) cat .vmdrc;
               echo "-------

Do you want to start vmd?";
               select opt in yes quit;
               do
                   case $opt in
                       yes) break;;
                       quit) exit 0;;
                   esac;
               done; break ;;
           # continue
           "no and start vmd") break;;
           # exit
           quit) exit 0;;
       esac;
   done

fi

# Replace the wrapper with VMD itself so that VMD's exit status is preserved
exec "$VMDBIN" "$@"
--------------------------

Regards
Salvatore
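The following is an added example for this thread, not code from the thread or from the VMD project. It goes one step beyond the wrapper above: besides noticing that a .vmdrc is present, it asks who owns the file and whether the file or the directory is writable by other accounts, which is what makes the "shared folder" case risky. It is written for POSIX sh (find -user and find -perm are POSIX; bash's select is not used). The function names vmdrc_verdict, dir_is_shared and vmd_guard, the VMDBIN variable and the vmd-guard script name are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the thread or the VMD project): classify the .vmdrc
# VMD would source from its start-up directory, then decide whether to run VMD.
# Function and variable names are this example's own.

# Print one word describing the .vmdrc in directory $1 (default: current dir):
#   absent        no .vmdrc there (a dangling symlink counts as absent)
#   foreign       .vmdrc exists but is owned by another user: untrusted
#   own-writable  owned by us, but group- or world-writable, so anyone else
#                 on the filesystem could have edited it
#   own-private   owned by us and writable only by us
vmdrc_verdict() {
    rc="${1:-.}/.vmdrc"
    if [ ! -e "$rc" ]; then
        echo absent
        return 0
    fi
    # POSIX find: -user tests the owner, -prune keeps find on the file itself.
    if [ -z "$(find -L "$rc" -prune -user "$(id -un)" -print)" ]; then
        echo foreign
        return 0
    fi
    # -perm -020 and -perm -002 test the group- and other-write bits individually.
    if [ -n "$(find -L "$rc" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo own-writable
    else
        echo own-private
    fi
}

# Succeed if directory $1 is group- or world-writable, i.e. another account
# could drop a .vmdrc into it later even if none is there now.
dir_is_shared() {
    [ -n "$(find -L "${1:-.}" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Interactive front end: warn, show the head of the file, ask, then exec VMD
# (exec keeps VMD's exit status instead of the wrapper's).
vmd_guard() {
    dir=$(pwd)
    verdict=$(vmdrc_verdict "$dir")
    case $verdict in
        own-private)
            ;;
        absent)
            if dir_is_shared "$dir"; then
                echo "NOTE: $dir is writable by other users; a .vmdrc could appear here later." >&2
            fi
            ;;
        *)
            echo "WARNING: $dir/.vmdrc is $verdict and VMD would run it as Tcl. First lines:" >&2
            head -n 20 "$dir/.vmdrc" >&2
            printf 'Start vmd anyway? [y/N] ' >&2
            read -r answer
            case $answer in
                y|Y) ;;
                *) echo "Not starting vmd." >&2; return 1 ;;
            esac
            ;;
    esac
    exec "${VMDBIN:-vmd}" "$@"
}

# Run the guard only when this file is executed as the vmd-guard script,
# not when it is sourced into another shell for its functions.
case $0 in
    vmd-guard|*/vmd-guard) vmd_guard "$@" ;;
esac
```

Save it as vmd-guard, make it executable and run it in place of vmd; the two check functions can also be sourced from another script. Note that the ownership test is what a plain "does .vmdrc exist" check cannot tell you: your own private .vmdrc in a project directory is the customization John describes, while one owned by someone else in a world-writable directory is exactly Olaf's concern.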

________________________________________
From: Cosseddu, Salvatore
Sent: 20 February 2014 16:37
To: John Stone; Olaf Lenz
Cc: VMD Mailing List
Subject: RE: vmd-l: Security problem?

Dear John and Olaf,

I don't know if this can help, but I believe there is a simpler solution for those who usually launch vmd from shared folders. A small bash script can be created to check whether a local .vmdrc exists and whether the user is aware of it. I've just spent ten minutes writing down a simple example that might be useful for Olaf and those who have similar problems. I haven't really tested it, sorry.

--------------------------------------
#!/bin/bash
# This script checks for a .vmdrc file in the current directory and lets the
# user inspect it before VMD is started, to avoid running an unexpected Tcl
# script from a shared folder. SMC.

VMDBIN="vmd"
# VMD's own arguments are forwarded with "$@" at the end of the script
# ("$#" would only pass the number of arguments, not the arguments themselves).

if [ -e ".vmdrc" ]; then

   echo "WARNING: In this folder a .vmdrc file is present. This is a potential security risk if this is a shared folder.

HEAD:"
   head -n 20 .vmdrc

   echo "-------

Do you want to read it all?"

   # let the user decide about the .vmdrc in the local directory
   select opt in yes "no and start vmd" quit;
   do
       case $opt in
           # cat .vmdrc and ask if continue or exit
           yes) cat .vmdrc;
               echo "-------

Do you want to start vmd?";
               select opt in yes quit;
               do
                   case $opt in
                       yes) break;;
                       quit) exit 0;;
                   esac;
               done; break ;;
           # continue
           no) break;;
           # exit
           quit) exit 0;;
       esac;
   done

fi

# Replace the wrapper with VMD itself so that VMD's exit status is preserved
exec "$VMDBIN" "$@"
--------------------------

Best regards
Salvatore

________________________________________
From: owner-vmd-l_at_ks.uiuc.edu <owner-vmd-l_at_ks.uiuc.edu> on behalf of John Stone <johns_at_ks.uiuc.edu>
Sent: 19 February 2014 15:16
To: Olaf Lenz
Cc: VMD Mailing List
Subject: Re: vmd-l: Security problem?

Olaf,
  This behavior is used by many VMD users to customize the behavior
of the program when they run it in different project directories.

I would be happy to add an environment variable to customize this
behavior so it can be disabled in your case.

IMHO, if you are being attacked by someone with
access to a shared filesystem where you do your VMD work,
you've likely already lost the battle. There is a seemingly
endless stream of local root exploits that an attacker could use
to gain superuser privilege, and if they get that far it is a
short step for them to put files anywhere they want. I don't
consider VMD (or similar programs) to be security-relevant in any
real sense.

Cheers,
  John

On Wed, Feb 19, 2014 at 01:01:26PM +0100, Olaf Lenz wrote:
> Hi everybody!
> I have just noticed that VMD will automatically read and play the file
> ".vmdrc" in the current directory.
> I believe that this is a significant security hole. If a user puts a
> malicious Tcl script ".vmdrc" into a directory where someone else executes
> vmd, the script is executed. Ultimately, this is the same reason, why "."
> is not in the PATH.
> http://superuser.com/questions/156582/why-is-not-in-the-path-by-default
> I would strongly recommend removing this behavior, or at least making it
> configurable via an environment variable or so.
> Olaf
> --
> Dr. rer. nat. Olaf Lenz
> Institut für Computerphysik, Allmandring 3, D-70569 Stuttgart
> Phone: +49-711-685-63607

--
NIH Center for Macromolecular Modeling and Bioinformatics
Beckman Institute for Advanced Science and Technology
University of Illinois, 405 N. Mathews Ave, Urbana, IL 61801
http://www.ks.uiuc.edu/~johns/           Phone: 217-244-3349
http://www.ks.uiuc.edu/Research/vmd/
--
Salvatore Cosseddu
PhD student
Centre for Scientific Computing and School of Engineering
University of Warwick
Coventry CV4 7AL
United Kingdom
email: S.M.Cosseddu_at_warwick.ac.uk