
add a toggle to restrict Konsole D-Bus interface

Tags: konsole, security
ozone
Currently it is possible to execute arbitrary code in Konsole through its D-Bus interface. When you try to do this right now, there pops up a cute warning message:

The D-Bus methods sendText/runCommand were just used. There are security concerns about allowing these methods to be public. If desired, these methods can be changed to internal use only by re-compiling Konsole. This warning will only show once for this Konsole instance.


Can we please have a way to make these methods unavailable more easily? Advising to recompile Konsole does not sound especially user friendly to me. At the very least there should be a hidden pref, so it can be put into /etc/kde5rc and made immutable, in order to enforce it. A probably better way would be to use KAuthorized here, so that once KDE Confine is ready, users can easily switch it off or on in their system settings.

If you ask me, this feature should actually be off by default, and the message should guide you to turn it on if there is a need.
airdrik
I'll agree that's a potential security hole. Imagine a user has konsole open with a root shell running; then a malicious process could use this dbus to instruct konsole to run whatever commands in that shell.

I imagine that feature was put in place to allow other apps to interact with an open konsole, instead of using an embedded instance?

I agree with the suggestion to have it disabled by default.


airdrik, proud to be a member of KDE forums since 2008-Dec.
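
A defensive check for the exposure discussed in this thread, as an added example that is not part of the original posts or of Konsole's code: it scans D-Bus introspection XML for the sendText/runCommand methods named in the warning and reports which interface publishes them. Both XML samples are constructed, and the interface name org.kde.konsole.Session is an assumption.

```python
import xml.etree.ElementTree as ET

# Method names taken from the Konsole warning quoted in the thread.
RISKY_METHODS = {"sendText", "runCommand"}

# Constructed sample in standard D-Bus introspection format (interface name assumed).
EXPOSED_XML = """<node>
  <interface name="org.kde.konsole.Session">
    <method name="sendText"><arg name="text" type="s" direction="in"/></method>
    <method name="runCommand"><arg name="command" type="s"/></method>
    <method name="title"><arg type="s" direction="out"/></method>
  </interface>
  <interface name="org.freedesktop.DBus.Introspectable">
    <method name="Introspect"><arg type="s" direction="out"/></method>
  </interface>
</node>"""

# Constructed sample of a build where the two methods are internal only.
RESTRICTED_XML = """<node>
  <interface name="org.kde.konsole.Session">
    <method name="title"><arg type="s" direction="out"/></method>
  </interface>
</node>"""


def find_risky_methods(introspection_xml, risky=RISKY_METHODS):
    """Return (interface, method, input_signature) for each exposed risky method."""
    root = ET.fromstring(introspection_xml)
    findings = []
    for iface in root.iter("interface"):
        for method in iface.findall("method"):
            if method.get("name") not in risky:
                continue
            # Per the D-Bus spec, a method <arg> without a direction is an input.
            signature = "".join(
                arg.get("type", "")
                for arg in method.findall("arg")
                if arg.get("direction", "in") == "in"
            )
            findings.append((iface.get("name"), method.get("name"), signature))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("exposed", EXPOSED_XML), ("restricted", RESTRICTED_XML)):
        hits = find_risky_methods(xml_text)
        print(label, "->", hits if hits else "no public sendText/runCommand")
```

Introspection XML for a live session object can be produced with `gdbus introspect --xml` and passed to `find_risky_methods` in place of the samples.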

