This part of the document by Hans Lermen, <lermen@fgan.de> on Apr 6, 1997.
These are the hints we give you, when running dosemu on a machine that is (even temporary) connected to the internet or other machines, or that otherwise allows 'foreign' people login to your machine.
Don't set the "s" bit, as DOSEMU can run in lowfeature mode without the "s" bit set. If you want fullfeatures for some of your users, it is recommended to use "sudo". Alternatively you can just use the keyword `nosuidroot' in /etc/dosemu.users to forbid some (or all) users execution of a suid root running dosemu (they may use a non-suid root copy of the binary though). DOSEMU now drops its root privileges before booting; however there may still be security problems in the initialization code, and by making DOSEMU suid-root you can give users direct access to resources they don't normally have access too, such as selected I/O ports, hardware IRQs and hardware RAM. For any direct hardware access you must always use the "-s" switch.
If DOSEMU is invoked via "sudo" then it will automatically switch to the user who invoked "sudo". An example /etc/sudoers entry is this:
joeuser hostname=(root) NOPASSWD: /usr/local/bin/dosemu.bin |
Use proper file permissions to restrict access to a suid root DOSEMU binary in addition to /etc/dosemu.users `nosuidroot'. ( double security is better ).
NEVER let foreign users execute dosemu under root login !!! (Starting with dosemu-0.66.1.4 this isn't necessary any more, all functionality should also be available when running as user)