None of the z/Linux guests run in anything more than a class G user on z/VM,
so they really don't have any "magic" facilities within z/VM via the root
userid. For the images where the end user has root access, if they want to
mess around and screw up their virtual machine, isn't that their right? And
a simple logout / login will reset anything they've done, because DirMaint
is a CMS facility, and CMS isn't running there for them to invoke any
commands. 

In addition, the users with root access are from an Intel background, and
would have to find and implement the z/VM additions before they could even
begin to touch their environment. While it could happen, it isn't likely.

-- 
Robert P. Nix          Mayo Foundation        .~.
RO-OE-5-55             200 First Street SW    /V\
507-284-0844           Rochester, MN 55905   /( )\
-----                                        ^^-^^
"In theory, theory and practice are the same, but
 in practice, theory and practice are different."




On 4/21/09 6:10 PM, "Rob van der Heij" <[email protected]> wrote:

> On Wed, Apr 22, 2009 at 12:09 AM, Patrick Spinler
> <[email protected]> wrote:
> 
>>> Your scope should probably include the users of your applications that
>>> run on Linux, not just the few people who have legal permission to
>>> logon to a VM userid.
>> 
>> Err, why?  We already have a heterogeneous Unix LDAP solution that
>> serves our virtual linux, distributed linux, solaris, and AIX systems.
>> Note that our Z hosted linux guests are only about 1/4 of the total
>> number of these.   Why in the world would we want to segregate our
>> z/Linux security to a completely separate security system than all the
>> rest of our unix and linux?
> 
> Ok, I see where this went wrong... You can certainly use those central
> solutions to manage application access for Linux on z/VM.
> 
> What I meant to say is that z/VM security is not just for the users
> with legal access. Someone with root access on your Linux server could
> also do things on z/VM that you don't want. z/VM is your virtual
> "raised floor" and when you allow more folks access to the computer
> room, you may need to tighten some of the rules and procedures you
> follow.
> 
> -Rob
> 
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO LINUX-390 or visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390
