This part of the document by Hans Lermen, <lermen@fgan.de> on Apr 6, 1997.
These are the hints we give you, when running dosemu on a machine that is (even temporary) connected to the internet or other machines, or that otherwise allows 'foreign' people login to your machine.
Don't set the -s bit, as of dosemu-0.97.10 DOSEMU can run in lowfeature mode without the -s bit set. If you want fullfeatures for some of your users, just use the keyword `nosuidroot' in /etc/dosemu.users to forbid some (or all) users execution of a suid root running dosemu (they may use a non-suid root copy of the binary though).
Use proper file permissions to restrict access to a suid root DOSEMU binary in addition to /etc/dosemu.users `nosuidroot'. ( double security is better ).
NEVER let foreign users execute dosemu under root login !!! (Starting with dosemu-0.66.1.4 this isn't necessary any more, all functionality should also be available when running as user)
Do not configure dosemu with the --enable-runasroot option. Normally dosemu will switch privileges off at startup and only set them on, when it needs them. With '--enable-runasroot' it would permanently run under root privileges and only disable them when accessing secure relevant resources, ... not so good.
Never allow DPMI programms to run, when dosemu is suid root.
(in /etc/dosemu.conf set 'dpmi off' to disable)
It is possible to overwrite sensitive parts of the emulator code, and this makes it possible for a intruder program under DOS, who knows about dosemu internals (which is easy as you have the source) to get root access also on non dosemu processes. Because a lot of games won't work without, we allow creation of LDT-descriptor that span the whole user space.
There is a 'secure' option in /etc/dosemu.conf, that allows to turn off creation of above mentioned descriptors, but those currently protect only the dosemu code and the stack, and may be some diabolical person finds a way to use the (unprotected) heap.
Anyway, better 'secure on' than nothing.