- Package: kdeconnect
- Source: kdeconnect
- Description: connect smartphones to your desktop devices
- Submitter: Witold Baryluk
- Date: 2024-05-09 12:51:05 UTC
- Severity: normal
- Tags:
Dear Maintainer,
I do not use KDE. I use MATE, but do have many kde packages installed via
some high level kde packages. I did not install kdeconnect directly.
I did not start any KDE program.
Yet, kdeconnectd is running, and listening on port 1716 on all
interfaces, including the one on the public internet directly. (I routinely
scan my computers from external networks, so this is how I found it out.)
root@debian:~# ps aux | grep kdeco
user 3593 0.0 0.0 590196 70460 ? SLl Oct30 0:09 /usr/lib/x86_64-linux-gnu/libexec/kdeconnectd
root@debian:~# ss -apn | grep kdeconnect
u_str ESTAB 0 0 * 799 * 11887 users:(("kdeconnectd",pid=3593,fd=7))
u_str ESTAB 0 0 * 797 * 20707 users:(("kdeconnectd",pid=3593,fd=6))
u_str ESTAB 0 0 * 42286 * 17937 users:(("kdeconnectd",pid=3593,fd=13))
u_str ESTAB 0 0 * 5949 * 39446 users:(("kdeconnectd",pid=3593,fd=16))
u_str ESTAB 0 0 * 28882 * 35128 users:(("kdeconnectd",pid=3593,fd=11))
u_str ESTAB 0 0 * 42285 * 795 users:(("kdeconnectd",pid=3593,fd=3))
u_str ESTAB 0 0 * 8474 * 2666 users:(("kdeconnectd",pid=3593,fd=15))
u_str ESTAB 0 0 * 39447 * 11888 users:(("kdeconnectd",pid=3593,fd=17))
u_str ESTAB 0 0 * 39448 * 17952 users:(("kdeconnectd",pid=3593,fd=18))
udp UNCONN 0 0 *:1716 *:* users:(("kdeconnectd",pid=3593,fd=20))
tcp LISTEN 0 50 *:1716 *:* users:(("kdeconnectd",pid=3593,fd=21))
Looking at kde connect, it looks like a cool project, but maybe some form
of explicit confirmation, or starting it first should be required, before
it activates like that?
I might be ok with an ssh or http server doing this, but I do not think it
is a good idea for most other packages to do so by the mere fact of
installing them, but not configuring them.
kdeconnect and nftlb are really the only two packages (out of 9013 on my
system) doing this, when they probably should not.
Regards,
Witold
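To make the reporter's check repeatable on any host (find daemons bound to every interface rather than to loopback), here is an added shell example; it is not part of the bug report or of the kdeconnect project. It filters `ss`-style output for TCP listeners and UDP sockets whose local address is a wildcard (`*`, `0.0.0.0` or `[::]`). The sample lines are constructed: the kdeconnectd lines are taken from the report's own `ss -apn` output, and the cupsd and sshd lines are invented to show what is and is not flagged. The field layout (Netid, State, Recv-Q, Send-Q, Local:Port, Peer:Port, Process) is assumed to match the report's output.

```shell
#!/bin/sh
# Added example, not from the bug report: flag sockets bound to a wildcard
# address in `ss -lpn`-style output.  Field layout assumed as in the
# report's `ss -apn` output: Netid State Recv-Q Send-Q Local:Port Peer:Port Process.

# Constructed sample: the kdeconnectd lines from the report, plus a
# loopback-only listener (cupsd) that must not be flagged and an sshd
# listener on both address families that must be flagged.
SAMPLE_SS_OUTPUT='u_str ESTAB 0 0 * 799 * 11887 users:(("kdeconnectd",pid=3593,fd=7))
udp UNCONN 0 0 *:1716 *:* users:(("kdeconnectd",pid=3593,fd=20))
tcp LISTEN 0 50 *:1716 *:* users:(("kdeconnectd",pid=3593,fd=21))
tcp LISTEN 0 128 127.0.0.1:631 *:* users:(("cupsd",pid=1000,fd=8))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=900,fd=3))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=4))'

# wildcard_listeners: read ss output on stdin and print "proto port process"
# for every TCP LISTEN socket or UDP UNCONN socket bound to *, 0.0.0.0 or [::].
# Unix sockets (u_str) and established connections are ignored.
wildcard_listeners() {
    awk '
        ($1 == "tcp" && $2 == "LISTEN") || ($1 == "udp" && $2 == "UNCONN") {
            addr = $5
            n = split(addr, parts, ":")
            port = parts[n]
            # everything before the final ":<port>" is the host part
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "*" || host == "0.0.0.0" || host == "[::]") {
                proc = "-"
                # first quoted string in the users:(...) column is the process name
                if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
                print $1, port, proc
            }
        }'
}

# count_wildcard_listeners: number of flagged sockets in the constructed sample.
count_wildcard_listeners() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | wildcard_listeners | wc -l | tr -d ' '
}

# flagged_processes: sorted, de-duplicated process names from the sample.
flagged_processes() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | wildcard_listeners | awk '{ print $3 }' | sort -u
}

# On a live system:  ss -lpn | wildcard_listeners
printf '%s\n' "$SAMPLE_SS_OUTPUT" | wildcard_listeners
```

Run against the sample, the function reports the two kdeconnectd sockets on 1716 and the two sshd sockets on 22, and skips the loopback-only cupsd listener and the Unix socket. On a real host, pipe `ss -lpn` into `wildcard_listeners` and compare the list against the services you actually intended to expose.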
severity -1 serious
tags -1 security
thanks

Elevating severity, because it looks like I didn't even install this package (I did inspect all apt-get install invocations since system creation), and kdeconnect could only have been installed due to some suggests / recommends, not due to any dependency or direct request.

And as mentioned already before, it autostarts on desktop login, even if one does not use KDE (it autostarts in a normal gnome-shell session, for example). So this is even more dangerous.
Hi Witold,

On Tue, 07 May 2024 02:36:46 +0000 Witold Baryluk <witold.baryluk@gmail.com> wrote:
[...]

suspect it was likely a recommendation of another package.

Regarding the issue at hand: I can see why you consider this a problem. But unfortunately, there is no way of changing that behaviour; I suspect the behaviour might be intentional. People have requested this feature upstream (https://bugs.kde.org/show_bug.cgi?id=432378) and even asked for ways to disable kdeconnectd (https://bugs.kde.org/show_bug.cgi?id=417615). The latter bug report could give you ideas how to achieve that.

If this issue poses a serious problem for you, you can remove kdeconnect from your system. That might also give you a hint why it was installed in the first place. Upstream KDE actually recommends installing kdeconnect as part of the Plasma installation. Whether that recommendation fits Debian's recommendation is yet to be determined, and we might have to see over the recommendation.

However, I do disagree about the severity of this. I don't think that this issue warrants the removal of kdeconnect from Debian and hence, I'm lowering it to important.