On Wednesday, 04/22/2009 at 04:47 EDT, RPN01 <[email protected]> wrote:
> None of the z/Linux guests run in anything more than a class G user on
z/VM,
> so they really don't have any "magic" facilities within z/VM via the
root
> userid. For the images that the end user has root access, if they want
to
> mess around and screw up their virtual machine, isn't that their right?
And
> a simple logout / login will reset anything they've done, because
DirMaint
> is a CMS facility, and CMS isn't running there for them to invoke any
> commands.

How many ways are there for two class G users to establish a
communications path?
- ADRSPACE PERMIT (not allowed in Linux due to DAT ON)
- virtual CTC
- Transient Guest LANs (class G DEFINE LAN)
- MSG
- Spool
- VMCF
- IUCV
- APPC
- SET SECUSER
- TCP/IP
- Shared disk
- Are there others?

Are those two users authorized to establish such connections?

> In addition, the users with root access are from an Intel background,
and
> would have to find and implement the z/VM additions before they could
even
> begin to touch their environment. While it could happen, it isn't
likely.

Security by obscurity is a discredited practice.  If there be gold, there
be pirates.  Avast!

I work from the premise that all guests are Evil (but may Redeem
themselves) and all z/VM sysadmins are Good.  If Mayo IT security policy
approaches the world differently, that's ok - I cannot gainsay it.  But as
a security professional, I have to question it, as I would any environment
where significant financial or personal information is at risk, or where
lives may hang in the balance.

Are your backup tapes encrypted?

But this is all rote for me and has to be kept in perspective.  If the
guests don't have access to any sensitive data and can't get to any
sensitive networks and don't control any critical processes, then it may
not be worth worrying about and all you need to do is fix your
provisioning process to include the needed authorizations.  Recall that
DIRMAINT has exits.  Perhaps they can help you add the needed
authorizations to the directory entries automatically.

Alan Altmark
z/VM Development
IBM Endicott

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390

Reply via email to