
3. Security

This part of the document by Hans Lermen, <lermen@fgan.de> on Apr 6, 1997.

These are the hints we give you for running dosemu on a machine that is (even temporarily) connected to the internet or to other machines, or that otherwise allows 'foreign' people to log in to your machine.

  • Don't set the -s bit; as of dosemu-0.97.10 DOSEMU can run in lowfeature mode without the -s bit set. If you want full features for some of your users, just use the keyword `nosuidroot' in /etc/dosemu.users to forbid some (or all) users from executing a suid root dosemu (they may still use a non-suid root copy of the binary).
  • Use proper file permissions to restrict access to a suid root DOSEMU binary in addition to the /etc/dosemu.users `nosuidroot' entry (double security is better).
  • NEVER let foreign users execute dosemu under root login!!! (Starting with dosemu-0.66.1.4 this isn't necessary any more; all functionality should also be available when running as user.)
  • Do not configure dosemu with the --enable-runasroot option. Normally dosemu switches privileges off at startup and only turns them on when it needs them. With '--enable-runasroot' it would permanently run under root privileges and only disable them when accessing security-relevant resources ... not so good.
  • Never allow DPMI programs to run when dosemu is suid root.

    (in /etc/dosemu.conf set 'dpmi off' to disable)

    It is possible to overwrite sensitive parts of the emulator code, and this makes it possible for an intruder program under DOS, which knows about dosemu internals (easy, as you have the source), to get root access also on non-dosemu processes. Because a lot of games won't work without it, we allow creation of LDT descriptors that span the whole user space.

    There is a 'secure' option in /etc/dosemu.conf that allows turning off creation of the above mentioned descriptors, but those currently protect only the dosemu code and the stack; maybe some diabolic person finds a way to use the (unprotected) heap in his sense of humor.

    Anyway, better 'secure on' than nothing.

  • Never allow the 'system.com' command (part of dosemu) to be executed. It makes dosemu execute the libc 'system()' function. Though privileges are turned off, the process inherits the switched uid setting (uid=root, euid=user), hence the unix process can use setreuid to gain root access back ... the rest you can imagine yourself. Use of 'system' can be disabled by the 'secure on' option in /etc/dosemu.conf.

    The 'unix.com' command (also part of dosemu) does _not_ have this security hole: before execution a separate process is forked that completely drops privilege ... hence no danger (it will no longer be disabled by 'secure on').
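The hints above can be checked mechanically. The following audit script is an added example and is not part of DOSEMU: it tests whether the binary is suid root, whether /etc/dosemu.users denies suid root use to a given user, whether a suid binary is world-executable, and whether 'dpmi off' and 'secure on' are set. The keyword spellings come from this document; the one-keyword-per-line layout of dosemu.conf and the "user keyword..." layout of dosemu.users are assumptions, as are the file paths, which are parameters. The demo at the end runs over constructed sample files in a temporary directory.

```shell
#!/bin/sh
# Audit helper added as an example; NOT part of DOSEMU. Keyword spellings
# ('dpmi off', 'secure on', 'nosuidroot') come from the text above; the
# exact line layout of dosemu.conf and dosemu.users is an assumption.

# Does the file carry the setuid bit and belong to root? (exit 0 = yes)
is_suid_root() {
    [ -u "$1" ] || return 1
    [ "$(ls -ld "$1" | awk '{print $3}')" = "root" ]
}

# Does the config contain "<key> <val>" as an active (uncommented) line?
conf_has() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)" "$1"
}

# Does dosemu.users apply 'nosuidroot' to the user, or to 'all'?
# (assumed layout: one user per line, keywords after the name)
user_denied_suidroot() {
    grep -Eq "^[[:space:]]*($2|all)([[:space:]]+[^[:space:]]+)*[[:space:]]+nosuidroot([[:space:]]|$)" "$1"
}

# Is the file executable by everyone (the 'other' x bit set)?
world_executable() {
    [ "$(ls -ld "$1" | cut -c10)" = "x" ]
}

# Audit one install for one user. Prints findings; exit status is their count.
audit_dosemu() {
    bin=$1; conf=$2; users=$3; who=$4; n=0
    if is_suid_root "$bin"; then
        echo "WARN: $bin is suid root; lowfeature mode needs no -s bit"
        n=$((n+1))
        if ! user_denied_suidroot "$users" "$who"; then
            echo "WARN: $users does not set nosuidroot for $who (or for all)"
            n=$((n+1))
        fi
        if world_executable "$bin"; then
            echo "WARN: suid $bin is executable by everyone; tighten permissions"
            n=$((n+1))
        fi
        if ! conf_has "$conf" dpmi off; then
            echo "WARN: dpmi is not off in $conf although $bin is suid root"
            n=$((n+1))
        fi
    fi
    if ! conf_has "$conf" secure on; then
        echo "WARN: 'secure on' missing in $conf (system.com stays enabled)"
        n=$((n+1))
    fi
    return $n
}

# Write a constructed sample install ("weak" or "hardened") into a directory.
write_sample() {
    dir=$1; kind=$2
    : > "$dir/dosemu"; chmod 755 "$dir/dosemu"      # plain, non-suid binary
    printf 'root c_all\n' > "$dir/dosemu.users"
    if [ "$kind" = hardened ]; then
        printf 'dpmi off\nsecure on\n' > "$dir/dosemu.conf"
        printf 'all nosuidroot\n' >> "$dir/dosemu.users"
    else
        printf '# secure on\ndpmi on\n' > "$dir/dosemu.conf"   # comment only
    fi
}

# Stand-alone demo over constructed files. The suid branch only fires for a
# genuinely root-owned setuid binary, so here only the 'secure on' check counts.
demo_dir=$(mktemp -d)
for kind in weak hardened; do
    write_sample "$demo_dir" "$kind"
    rc=0
    audit_dosemu "$demo_dir/dosemu" "$demo_dir/dosemu.conf" \
                 "$demo_dir/dosemu.users" alice || rc=$?
    echo "$kind install: $rc finding(s)"
done
rm -rf "$demo_dir"
```

To audit a real installation, call `audit_dosemu /path/to/dosemu /etc/dosemu.conf /etc/dosemu.users username`; the exit status is the number of findings, so it can be used directly in a cron job or install check.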

