<sect>Security
<p>
This part of the document was written by Hans Lermen,
<htmlurl url="mailto:lermen@fgan.de" name="&lt;lermen@fgan.de&gt;"> 
on Apr 6, 1997.
<p>

These are the hints we give you for running dosemu on a machine that is
(even temporarily) connected to the internet or to other machines, or that
otherwise allows 'foreign' people to log in to your machine.

<itemize>

<item> Don't set the -s bit. As of dosemu-0.97.10, DOSEMU can run in
   lowfeature mode without the -s bit set. If you want full features
   for some of your users, use the keyword `nosuidroot' in
   /etc/dosemu.users to forbid some (or all) users from executing
   a dosemu that runs suid root (they may still use a non-suid root copy of
   the binary).

<item> Use proper file permissions to restrict access to a
   suid root DOSEMU binary, in addition to `nosuidroot' in /etc/dosemu.users
   (double security is better).

<item> <em/NEVER/ let foreign users execute dosemu under a root login!
   (Starting with dosemu-0.66.1.4 this is no longer necessary;
   all functionality should also be available when running as a user.)

<item> Do <em/not/ configure dosemu with the --enable-runasroot option.
   Normally dosemu switches privileges off at startup and only
   turns them on when it needs them. With '--enable-runasroot' it
   would run permanently under root privileges and only disable them
   when accessing security-relevant resources ... not so good.

<item> Never allow DPMI programs to run when dosemu is suid root.

<p>
   (in /etc/dosemu.conf set 'dpmi off' to disable)
<p>
   It is possible to overwrite sensitive parts of the emulator code,
   and this makes it possible for an intruder program under DOS
   that knows about dosemu internals (which is easy, as you have the source)
   to get root access, also on non-dosemu processes.
   Because a lot of games won't work otherwise, we allow the creation
   of LDT descriptors that span the whole user space.
<p>
   There is a 'secure' option in /etc/dosemu.conf that turns off
   creation of the above-mentioned descriptors, but this currently protects
   only the dosemu code and the stack; maybe some diabolic person will find
   a way to use the (unprotected) heap in his sense of humor.
<p>
   Anyway, better 'secure on' than nothing.

</itemize>
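<p>
The hints above can be checked mechanically. The following shell function is an added example, not part of the original DOSEMU documentation or code. It assumes the settings appear in the files as the literal text quoted above ('dpmi off', 'secure on', `nosuidroot') and that '#' starts a comment; the three paths are passed as arguments.

```shell
#!/bin/sh
# Added example: audit a DOSEMU install against the hints above.
# Assumptions (not taken from the DOSEMU sources): settings appear as
# literal "dpmi off" / "secure on" lines, and '#' starts a comment.

# has_setting FILE KEY VALUE -> 0 if an uncommented "KEY VALUE" line exists
has_setting() {
    [ -r "$1" ] || return 1
    sed 's/#.*//' "$1" | grep -Eq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|\$)"
}

# audit_dosemu BINARY CONF USERS: prints one line per finding and
# returns the number of findings (0 = nothing to report).
audit_dosemu() {
    bin=$1 conf=$2 users=$3 n=0
    if [ ! -u "$bin" ]; then
        echo "OK: $bin has no -s bit; dosemu runs in lowfeature mode"
        return 0
    fi
    echo "WARN: $bin has the -s bit set"; n=$((n + 1))
    # A setuid binary executable by 'other' is not restricted by permissions.
    if [ -n "$(find "$bin" -prune -perm -001)" ]; then
        echo "WARN: $bin is executable by 'other'"; n=$((n + 1))
    fi
    if ! sed 's/#.*//' "$users" 2>/dev/null | grep -qw nosuidroot; then
        echo "WARN: no 'nosuidroot' entry in $users"; n=$((n + 1))
    fi
    if ! has_setting "$conf" dpmi off; then
        echo "WARN: 'dpmi off' not set in $conf"; n=$((n + 1))
    fi
    if ! has_setting "$conf" secure on; then
        echo "WARN: 'secure on' not set in $conf"; n=$((n + 1))
    fi
    return "$n"
}

# Usage (binary path is a placeholder):
#   audit_dosemu /path/to/dosemu-binary /etc/dosemu.conf /etc/dosemu.users
```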
