From: John Stone (johns_at_ks.uiuc.edu)
Date: Wed Feb 19 2014 - 09:16:06 CST

Olaf,
  This behavior is used by many VMD users to customize the behavior
of the program when they run it in different project directories.

I would be happy to add an environment variable to customize this
behavior so it can be disabled in your case.

IMHO, if you are being attacked by someone with
access to a shared filesystem where you do your VMD work,
you've likely already lost the battle. There is a seemingly
endless stream of local root exploits that an attacker could use
to gain superuser privilege, and if they get that far it is a
short step for them to put files anywhere they want. I don't
consider VMD (or similar programs) to be security-relevant in any
real sense.

Cheers,
  John

On Wed, Feb 19, 2014 at 01:01:26PM +0100, Olaf Lenz wrote:
> Hi everybody!
> I have just noticed that VMD will automatically read and play the file
> ".vmdrc" in the current directory.
> I believe that this is a significant security hole. If a user puts a
> malicious Tcl script ".vmdrc" into a directory where someone else executes
> vmd, the script is executed. Ultimately, this is the same reason, why "."
> is not in the PATH.
> http://superuser.com/questions/156582/why-is-not-in-the-path-by-default
> I would strongly recommend to remove this behavior, or at least make it
> configurable via an environment variable or so.
> Olaf
> --
> Dr. rer. nat. Olaf Lenz
> Institut für Computerphysik, Allmandring 3, D-70569 Stuttgart
> Phone: +49-711-685-63607

-- 
NIH Center for Macromolecular Modeling and Bioinformatics
Beckman Institute for Advanced Science and Technology
University of Illinois, 405 N. Mathews Ave, Urbana, IL 61801
http://www.ks.uiuc.edu/~johns/           Phone: 217-244-3349
http://www.ks.uiuc.edu/Research/vmd/
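The check Olaf's message calls for, shown here as an added example rather than anything from VMD or its authors: a small launcher wrapper that refuses to start vmd when the working directory holds a .vmdrc that the invoking user does not own, that is a symlink, or that group or others can write, which is the same reasoning the linked "." in PATH discussion uses. The function names, the demo input, and a `vmd` binary on PATH are assumptions; the page does not name the environment variable John offers to add, so this stays on the caller's side and does not change how VMD itself sources the file. It uses GNU stat's -c format (on BSD/macOS substitute stat -f '%u' and stat -f '%Lp').

```shell
#!/bin/sh
# Added example, not code from VMD or its authors. A launcher wrapper that
# declines to start vmd when ./.vmdrc looks hostile: not ours, a symlink,
# or writable by group/others on a shared filesystem. Function names and
# the vmd command on PATH are assumptions. Uses GNU stat (-c).

# vmdrc_is_trusted DIR
# Returns 0 when DIR has no .vmdrc, or one that is a regular file owned by
# the invoking user and not writable by group or others; returns 1 otherwise.
vmdrc_is_trusted() {
    rc="$1/.vmdrc"
    if [ ! -e "$rc" ] && [ ! -L "$rc" ]; then
        return 0                                   # nothing for vmd to source
    fi
    ! [ -L "$rc" ] || return 1                     # symlink: target could be anywhere
    [ -f "$rc" ] || return 1                       # not a regular file
    owner=$(stat -c '%u' "$rc") || return 1
    [ "$owner" = "$(id -u)" ] || return 1          # someone else's file
    perm=$(stat -c '%a' "$rc") || return 1
    go=${perm#"${perm%??}"}                        # last two octal digits: group, other
    case "$go" in
        *[2367]*) return 1 ;;                      # a write bit is set for group or other
    esac
    return 0
}

# safe_vmd [vmd args...]
# Run the check on the working directory, then hand off to vmd. This is a
# caller-side workaround: it does not stop vmd from sourcing ./.vmdrc, it
# only refuses to start where that file fails the check above.
safe_vmd() {
    if ! vmdrc_is_trusted "$PWD"; then
        echo "safe_vmd: refusing to start, untrusted .vmdrc in $PWD" >&2
        return 2
    fi
    vmd "$@"
}

# Stand-alone demo with constructed input: a .vmdrc we own with mode 0644,
# the same file left group/other-writable, then a symlink in its place.
demo() {
    d=$(mktemp -d) || return 1
    printf 'puts "sourced from %s"\n' "$d" > "$d/.vmdrc"
    chmod 0644 "$d/.vmdrc"
    if vmdrc_is_trusted "$d"; then echo "0644, own file: trusted"; fi
    chmod 0666 "$d/.vmdrc"
    if ! vmdrc_is_trusted "$d"; then echo "0666, own file: untrusted"; fi
    rm -f "$d/.vmdrc"; ln -s /etc/hostname "$d/.vmdrc"
    if ! vmdrc_is_trusted "$d"; then echo "symlink:        untrusted"; fi
    rm -rf "$d"
}
demo
```

To use it as a launcher, install the file on PATH as something like vmd-safe and end it with `safe_vmd "$@"` instead of `demo`. The check cannot tell a file owned by another user on a shared filesystem from one you placed yourself only by content; it judges ownership and write access, which is the same line the shell draws when it keeps "." out of PATH.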