[PATCH] Removing KDESu::SshProcess (was: Re: Request for deprecation of KDESu::SshProcess and removal of kdesu_stub/kdessh)
Friedrich W. H. Kossebau
kossebau at kde.org
Sun Jan 3 17:35:11 GMT 2010
Hi,
meanwhile kdessh has been moved from kdeutils to tags/unmaintained/4.
So time to take on KDESu::SshProcess. Below more:
Vendredi, le 18 decembre 2009, à 21:02, Friedrich W. H. Kossebau a écrit:
> Hi,
>
> KDESu::SshProcess (in kdelibs) and the commandline shell for it, kdessh (in
> kdeutils) are horribly broken (as in: do not work and may be insecure) and
> (at least for me) seem not easy to be fixed.
>
> I guess most of you do not even know these things exist, so:
> kdessh is a wrapper to ssh and, instead of executing the original remote
> command, first (via KDESu::SshProcess) fires up kdesu_stub on the remote
> computer to setup the environment variables as needed for a better
> integration into the local session, only then executes the original
> command.
> Additionally it also caches the passwords (but does not use KWallet).
>
> It is not working at all currently, as this commit
> "Move kdesu_stub to libexec"
> http://websvn.kde.org/?view=revision&revision=666108
> moved kdesu_stub out of the $PATH, so the ssh server will not find it.
> Is there a chance somebody remembers why it was moved to ? And not
> perhaps renamed kdesu_stub to kdesu_stub4? Or just have it conflict with
> the KDE 3 version, like e.g. KWrite has a conflict, too.
>
> The class KDESu::SshProcess/StubProcess itself has a wild mixtures of
> undocumented return values, seems to forget about child processes in some
> conditions, has password strings in unsecured memory, does not reuse the
> running ssh connection after testing for password needs, does not do a
> proper check for false passwords and whatelse.
>
> From lxr.kde.org it seems kdessh is the only user of KDESu::SshProcess,
> besides kvpnc in playground/network (no idea about its state). And with
> zero reports about this problem on b.k.o kdessh also seems without any
> users.
Update:
kvpnc does not use SshProcess, only has an object named SshProcess, so no
dependency. But there is another user I missed before, kdesud. See below.
> As noone has ever had a closer look at kdessh until now (starting kdessh
> did nothing, including no obvious harm, so it got ignored), including the
> kdeutils coordinator (who is writing here) it was only now decided to move
> kdessh from kdeutils to tags/unmaintained after the Beta2 release. Sorry
> for any inconvenience.
>
> Additionally the class KDESu::SshProcess in kdelibs should be marked as
> deprecated. Perhaps it could be even removed, as I do not think anyone is
> using this class/these symbols?
> Also kdesu_stub does no longer needed to be built and installed, as long as
> it ends in lib/kde4/libexec.
Attached patch now removes the class KDESu::SshProcess from kdelibs, as well
as its usage in kdesud. In kdesud it was used to execute commands on remote
hosts, which should not have worked, either (unless connecting to KDE3
machines, did someone?). Is it okay to remove these symbols? Or does anyone
really expect people to run older kdebase/runtime against newer kdelibs? Other
users are not expected as, well, it did not work.
Or would it be better to just deprecate KDESu::SshProcess and hope for someone
to fix it with the current API? But I very much question the approach taken by
it (just see what kind of data it sets via kdesu_stub, e.g. setting PATH for
root on the remote, without any knowledge of the system, huh?).
Cheers
Friedrich
--
Okteta - KDE Hex Editor - http://utils.kde.org/projects/okteta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: removeSshProcess.patch
Type: text/x-patch
Size: 10319 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20100103/92b8f23b/attachment.bin>
More information about the kde-core-devel
mailing list