Each time DoD pops up, someone questions the authenticity of the `dos` label — and I remain unsure of the correct response.
I think for now I’ll say —
If you believe a more authentic DoD can be created, I agree and I’ll be its first fan. I’m at the point where I think — if it’s worth being pointed out then it’s worth implementing. Bring it!!
I am literally asking whether this can run on DOS. It’s become clear that it can’t, and words mean things. Given the article is about running web servers literally on DOS, I think we can safely say it’s been brought.
Yes, and a lot of the functionality it uses isn't available in real DOS. It's a bit like in the UNIX world the difference between bash and sh, perhaps more so.
I thought at first it's gonna be redbean (https://redbean.dev), but turns out Cosmo/APE (despite the .com file extension) "only" supports x86-64/Windows.
I like the idea of using the attached screen to scroll logs / show stats. My next server build has a 9" touchscreen on the front panel, and I'm looking for ideas on what (&how) to show there.
It's cool and all, but does FreeDOS support something similar to Data Execution Prevention? I know MS-DOS probably don't have it, and searching "'FreeDOS' 'Data Execution Prevention'" on DuckDuckGo yielded no result.
Serious answer to silly question: DOS applications have full control over the hardware, so it's entirely up to them. In real / V86 mode, there is no distinction between code and data pages, however you can have separate segments for code, data and stack.
There are separate CPU instructions for "near" and "far" jump/call/return, and if all code fits into a single 64K segment ("small model"), there would be no need to ever have the "far" version of these instructions in your code. So if for example a return address or function pointer were overwritten, there would still be no way for an attacker to execute data, since it is in a different segment and all control transfer would be limited to the current code segment.
A lot of the more modern software included in FreeDOS is compiled with GCC and uses a flat 32-bit address space, so it doesn't have that protection. Most of it is command line utilities ported from UNIX-like systems, with even the most trivial of them being more than 100K in file size - IMO this goes very much against the "spirit" of DOS!
It should be possible to modify the compiler and runtime library to use separate segments for code and data. Since there is no size limit in 32-bit mode, there would be no need for far pointers, just two separate address spaces. Of course the UNIX and RISC zealots don't like this because it isn't portable to every other CPU, as if that matters somehow.
Enabling page-based DEP would also be theoretically possible, but require even more effort, I think. And for what purpose?
The question might looked silly now, but the originally submitted title was "How to run a DOS-based Web Server (seriously)". Which is still the title of the article.
Since it was including the word "seriously", I thought maybe I should just ask about it for sure. It's not really fun if it's a simple web page hosted on FreeDOS one fine day, a hacked BIOS another.
I got it, it's a fun project made for fun, but still, security is always something to think about.
I learned it the hard way from my childhood SOCKS 5 proxy experiment where I tested a SOCKS 5 proxy on public network. Long story short, within 2 days of running it, one guy discovered the port via scanning, proxied it to login to my ISP account without a password (that's how the ISP set it up), and then stole all the funds in it by purchasing value add-on services for himself. It was a seemingly an all harmless and fun experiment until that happened.
My point it, if the OS don't support such basic security feature (and many other security features), maybe it's just not worth the effort? (other than just-for-fun of course)
