From kde-devel  Tue Dec 27 13:35:12 2005
From: Dave Feustel <dfeustel () mindspring ! com>
Date: Tue, 27 Dec 2005 13:35:12 +0000
To: kde-devel
Subject: Re: One Way to Increase KDE security
Message-Id: <200512270835.13146.dfeustel () mindspring ! com>
X-MARC-Message: https://marc.info/?l=kde-devel&m=113569475202352

On Tuesday 27 December 2005 06:19, David Faure wrote:
> On Tuesday 27 December 2005 03:05, Dave Feustel wrote:
> > Delete all kde/Xorg sockets in /tmp everytime KDE exits.
> 
> Can you please stop making up facts about "security" every day on this list?
> It wouldn't be so annoying if it actually made sense... 

I didn't make this up. I have seen (network) sockets created that had no obvious
connection to anything I was running on my computer. I now routinely delete 
those  sockets as soon as I see them, with no detectable ill effects whatsoever 
on my system. The only problem this causes is that restarting DCOP while kde is 
running doesn't always work after deleting all the files in /tmp and /home/daf/Tmp. 
Restarting kde does (usually) fix DCOP. This is good design by kde developers. I 
have been crashing kde regularly to restore functionality that suddenly stops 
working (presumably because of hacking), and kde recovers very well. 
I am impressed. (Windows was not quite so robust when I was using that os).

I am pretty sure that DCOP is part of the security problem in KDE, although
I think the big problems are that P-Grant-Pty is not properly ported to OpenBSD
by the OpenBSD developers and that the socket /tmp/.ICE-unix/X0 is created by
Xorg with world rw permissions. I chmod the permissions first thing when I
start kde and it causes me no problems, so it seems like a good idea.
I strongly recommend that KDE delete all temporary files, including sockets, 
every time kde shuts down. I do this now even during the kde session if I
suddenly start having problems.

I also would like an option for kde's forgetting about sessions at shutdown.
IE kde starts with no remembered sessions each time it restarts.

I would also like to be able to increase the amount of information reported
in error messages. I get a lot of error messages when I crash kde and I infer 
things from the nature of the errors reported. More info would help me
distinguish between proper and improper activity. This is easy for me since my 
computer is a single-user system and all messages should be related to things
*I* am doing on the system.

Dave Feustel

-- 
Lose, v., experience a loss, get rid of, "lose the weight"
Loose, adj., not tight, let go, free, "loose clothing"
 
>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<