socat V1.6.0.0 (initial GIT commit)

SECURITY

@@ -0,0 +1,41 @@
+
+Tips for using socat in secured environments:
+
+* Configure socat to only enable the required features, e.g. to protect your
+	filesystem from any accesses through socat: 
+	make distclean
+	./configure --disable-file --disable-creat --disable-gopen \
+		 --disable-pipe	--disable-unix --disable-exec --disable-system
+	use "socat -V" to see what features are still enabled; see 
+	./configure --help  for more options to disable
+
+* Do NOT install socat SUID root or so when you have untrusted users or
+unprivileged daemons on your machine, because the full install of socat can
+override arbitrary files and execute arbitrary programs!
+
+* Set logging to "-d -d" (in special cases even higher)
+
+* With files, protect against symlink attacks with nofollow (Linux), and
+avoid accessing files in world-writable directories like /tmp
+
+* When listening, use bind option (except UNIX domain sockets)
+
+* When listening, use range option (currently only for IP4 sockets)
+
+* When using socat with system, exec, or in a shell script, know what you do
+
+* With system and exec, use absolute pathes or set the path option
+
+* When starting programs with socat, consider using the chroot option (this
+requires root, so use the substuser option too).
+
+* Start socat as root only if required; if so, use substuser option
+Note: starting a SUID program after applying substuser or setuid gives the
+process the SUID owner, which might give root privileges again.
+
+* Socat, like netcat, is what intruders like to have on their victims machine:
+once they have gained a toehold they try to establish a versatile connection 
+back to their attack base, and they want to attack other systems. For both
+purposes, socat could be helpful. Therefore, it might be useful to install
+socat with owner/permissions root:socatgrp/750, and to make all trusted users
+members of group socatgrp.