kdeinit - kio - stand alone

M.H listinfo at club-internet.fr
Fri Sep 20 19:51:27 BST 2002


Is there a way to have kde applications access the network interface without having them use the kdeinit : kio .. parent processes?
For instance, I would like kmail to use my network interface (ethX or pppX) directly.
It is extremely *unsecure* to have all kde applications accessing network interfaces through only one parent process.
The main reason is that it is very hard to have control over them.
Let me explain.
I'm talking about securing a desktop. The current trend of netfilter allows one to use iptables as a personal firewall, especially with the owner match.
Using this match extension, one can control the network access (outgoing traffic) by PID or process name. BUT, as kde is using only one main process to access the network, if you allow the main process (kdeinit, kio), any other application could bypass this restriction by using the kdeinit process.
When I'm doing a 'ps -aux', the network access by kmail is listed something like this:
"kdeinit: kio_pop3 pop3 /tmp/ksocket-theuser/klauncherXETOia.slave-socket /tmp/ksocket-theuser/kmailqYLAqc.slave-socket"
Let's say I want to allow outgoing traffic only for kmail: it is not possible because of this kdeinit implementation (as far as I know). To allow kmail, I need to allow the parent process 'kdeinit'.
Let's take mozilla: if I want to add mozilla to the allowed outgoing traffic, it is possible, because mozilla uses direct access to the network interface.
As its PID name is listed as 'mozilla-bin', I can add a new rule to iptables like 'iptables -A OUTPUT -m owner --cmd-owner mozilla-bin -j ACCEPT'.
But such a thing is not possible with kmail or konqueror, neither by PID nor by PID name, as it is not the kmail or konqueror PID that is accessing the network.

So my question is: is there a way to 'detach' konqueror or kmail or the other kde applications from the kio thing so that they have direct access to the network?

Thanks for your help.

M.H
___________________________________________________
This message is from the kde mailing list.
Account management:  http://mail.kde.org/mailman/listinfo/kde.
Archives: http://lists.kde.org/.
More info: http://www.kde.org/faq.html.
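
The scoping problem described in the post, as an added example that is not part of the original message: the script lists which network-using processes a rule keyed on one command name would cover. It assumes the owner match compares the kernel command name (the comm column of ps) and that the last socket path in a kio slave's title names the requesting application; apart from the kio_pop3 title quoted in the post, the process rows are constructed, and rule_scope and rule_requesters are hypothetical helper names.

```shell
#!/bin/sh
# Added example: what does one command-name rule actually cover?
# Assumption: the rule is matched against the kernel command name (the "comm"
# column of ps), not against the rewritten title shown in the args column.

# Constructed sample in `ps -eo pid,comm,args` layout. Only the kio_pop3 title
# comes from the post; the PIDs, the other rows and the mozilla path are made up.
sample_ps() {
cat <<'EOF'
 1201 kdeinit kdeinit: kio_pop3 pop3 /tmp/ksocket-theuser/klauncherXETOia.slave-socket /tmp/ksocket-theuser/kmailqYLAqc.slave-socket
 1207 kdeinit kdeinit: kio_http http /tmp/ksocket-theuser/klauncherXETOia.slave-socket /tmp/ksocket-theuser/konquerorAAAAAA.slave-socket
 1215 kdeinit kdeinit: kio_smtp smtp /tmp/ksocket-theuser/klauncherXETOia.slave-socket /tmp/ksocket-theuser/kmailBBBBBB.slave-socket
 1302 mozilla-bin /usr/lib/mozilla/mozilla-bin
EOF
}

# rule_scope NAME: read ps rows on stdin and print "pid helper requester" for
# every process that a rule keyed on command name NAME would match.
rule_scope() {
    awk -v name="$1" '
        $2 != name { next }
        $3 == "kdeinit:" {
            # Assumed: the last field is the socket of the requesting application,
            # named <app><6 random chars>.slave-socket (19 trailing characters).
            app = $NF
            sub(/.*\//, "", app)
            app = substr(app, 1, length(app) - 19)
            print $1, $4, app
            next
        }
        { print $1, $2, $2 }
    '
}

# rule_requesters NAME: distinct applications whose traffic the rule would allow.
rule_requesters() {
    rule_scope "$1" | awk '{ print $3 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run: one rule for kdeinit covers every kio slave, whoever asked.
sample_ps | rule_scope kdeinit
```

A rule for 'kmail' matches none of the sample rows, while a rule for 'kdeinit' covers the slaves working for both kmail and konqueror.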



