On Wednesday, 04/22/2009 at 04:47 EDT, RPN01 <[email protected]> wrote:

> None of the z/Linux guests run in anything more than a class G user on z/VM,
> so they really don't have any "magic" facilities within z/VM via the root
> userid. For the images that the end user has root access, if they want to
> mess around and screw up their virtual machine, isn't that their right? And
> a simple logout / login will reset anything they've done, because DirMaint
> is a CMS facility, and CMS isn't running there for them to invoke any
> commands.

How many ways are there for two class G users to establish a communications
path?

- ADRSPACE PERMIT (not allowed in Linux due to DAT ON)
- virtual CTC
- Transient Guest LANs (class G DEFINE LAN)
- MSG
- Spool
- VMCF
- IUCV
- APPC
- SET SECUSER
- TCP/IP
- Shared disk
- Are there others?

Are those two users authorized to establish such connections?

> In addition, the users with root access are from an Intel background, and
> would have to find and implement the z/VM additions before they could even
> begin to touch their environment. While it could happen, it isn't likely.

Security by obscurity is a discredited practice. If there be gold, there be
pirates. Avast!

I work from the premise that all guests are Evil (but may Redeem themselves)
and all z/VM sysadmins are Good. If Mayo IT security policy approaches the
world differently, that's ok - I cannot gainsay it. But as a security
professional, I have to question it, as I would any environment where
significant financial or personal information is at risk, or where lives may
hang in the balance. Are your backup tapes encrypted?

But this is all rote for me and has to be kept in perspective. If the guests
don't have access to any sensitive data and can't get to any sensitive
networks and don't control any critical processes, then it may not be worth
worrying about and all you need to do is fix your provisioning process to
include the needed authorizations.

Recall that DIRMAINT has exits. Perhaps they can help you add the needed
authorizations to the directory entries automatically.

Alan Altmark
z/VM Development
IBM Endicott

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
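A worked example to go with the question "are those two users authorized to establish such connections?" This is added here as an illustration and is not code from the post, from Alan Altmark, or from IBM. It reads a constructed USER DIRECT fragment (the guest names, passwords, and volumes are made up) and reports, for any pair of guests, which guest-to-guest paths the directory itself grants: IUCV (IUCV ANY or IUCV userid on the connecting side, or IUCV ALLOW on the target), virtual CTC adapters declared with SPECIAL ... CTCA, a shared guest LAN or VSWITCH via NICDEF, and shared disk via LINK. The statement syntax is the standard z/VM user directory syntax as I understand it; the interpretation of SPECIAL's trailing userid as the authorized coupling peer is an assumption. Note the caveat from the list above: paths a class G user can create dynamically (DEFINE CTCA, DEFINE LAN, MSG, SPOOL, VMCF, APPC, SET SECUSER, TCP/IP) do not appear in the directory at all, so a clean directory audit is necessary but not sufficient.

```python
"""Audit a z/VM USER DIRECT fragment for directory-granted guest-to-guest paths.

Illustrative code only; the directory below is constructed for the example.
"""

# Constructed USER DIRECT fragment (not from the original post). Passwords,
# storage sizes, and volume labels are placeholders.
USER_DIRECT = """\
* Three Linux guests, all class G
USER LINUX01 PASSWORD 512M 1G G
 IUCV ANY
 SPECIAL 0A00 CTCA LINUX02
 NICDEF 0600 TYPE QDIO LAN SYSTEM VSWITCH1
 LINK LINUX02 0191 0291 RR
 MDISK 0191 3390 100 50 VOL001 MR
USER LINUX02 PASSWORD 512M 1G G
 IUCV LINUX01
 SPECIAL 0A00 CTCA LINUX01
 MDISK 0191 3390 150 50 VOL001 MR
USER LINUX03 PASSWORD 512M 1G G
 NICDEF 0600 TYPE QDIO LAN SYSTEM VSWITCH1
 MDISK 0191 3390 200 50 VOL001 MR
"""


def parse_directory(text):
    """Return {userid: {'class': str, 'stmts': [[token, ...], ...]}}.

    Comment lines start with '*'. Each USER statement opens a new entry;
    following statements belong to it until the next USER statement.
    """
    guests = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        tokens = line.upper().split()
        if tokens[0] == "USER":
            current = tokens[1]
            # USER userid password storage maxstorage classes
            guests[current] = {"class": tokens[5] if len(tokens) > 5 else "", "stmts": []}
        elif current is not None:
            guests[current]["stmts"].append(tokens)
    return guests


def _stmts(guests, name, keyword):
    return [t for t in guests[name]["stmts"] if t[0] == keyword]


def _lans(guests, name):
    """Set of 'OWNER LANNAME' strings this guest has a NICDEF on."""
    lans = set()
    for t in _stmts(guests, name, "NICDEF"):
        if "LAN" in t:
            i = t.index("LAN")
            if i + 2 < len(t):
                lans.add(f"{t[i + 1]} {t[i + 2]}")
    return lans


def _iucv_allowed(guests, src, dst):
    """True if src may open an IUCV path to dst per the directory.

    Connecting side needs IUCV ANY or IUCV dst, or the target carries
    IUCV ALLOW (which opens it to every guest). *SERVICE targets are
    CP system services, not guests, and are ignored here.
    """
    for t in _stmts(guests, src, "IUCV"):
        if len(t) > 1 and t[1] in ("ANY", dst):
            return True
    for t in _stmts(guests, dst, "IUCV"):
        if len(t) > 1 and t[1] == "ALLOW":
            return True
    return False


def _ctca_peer(guests, src, dst):
    # SPECIAL vdev CTCA [userid]; trailing userid taken as the coupling peer
    # (assumption for this example). A SPECIAL CTCA with no peer is reported
    # too, since it can be coupled to any guest with a CTC adapter.
    for t in _stmts(guests, src, "SPECIAL"):
        if len(t) >= 3 and t[2] == "CTCA" and (len(t) == 3 or t[3] == dst):
            return True
    return False


def paths_between(guests, a, b):
    """Sorted list of directory-granted path types between guests a and b."""
    paths = set()
    if _iucv_allowed(guests, a, b) or _iucv_allowed(guests, b, a):
        paths.add("IUCV")
    if _ctca_peer(guests, a, b) or _ctca_peer(guests, b, a):
        paths.add("CTCA")
    if _lans(guests, a) & _lans(guests, b):
        paths.add("LAN")
    # LINK owner vdev1 vdev2 mode: a link to the other guest's minidisk
    for src, dst in ((a, b), (b, a)):
        if any(len(t) > 1 and t[1] == dst for t in _stmts(guests, src, "LINK")):
            paths.add("DISK")
    return sorted(paths)


def report(text):
    """Print every guest pair that has at least one directory-granted path."""
    guests = parse_directory(text)
    names = sorted(guests)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            p = paths_between(guests, a, b)
            if p:
                print(f"{a} <-> {b}: {', '.join(p)}")


if __name__ == "__main__":
    report(USER_DIRECT)
```

Run against the fragment above it reports LINUX01 <-> LINUX02 (CTCA, DISK, IUCV) and LINUX01 <-> LINUX03 (IUCV, LAN); LINUX02 and LINUX03 share nothing the directory grants. In a real environment you would feed it the output of your directory manager rather than a hand-written file, and treat every reported pair as a question for the provisioning process: was that path intended, and if not, which DIRMAINT exit should strip or refuse it.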
