Skip to main content

Running Linux Guest in less than CP Privilege Class G

An IBM Redpaper publication

Note: This is publication is now archived. For reference only.


Published on 25 May 2004, updated 11 June 2004

  1. .PDF (0.3 MB)

Share this page:   

IBM Form #: REDP-3870-00

Authors: der van Rob Heij,

    menu icon


    This paper provides guidance for hardening a z/VM system running Linux virtual machines in a hostile environment. Access to specific CP commands and resources is granted to a VM user based on the privilege classes assigned to the user. Good security practices dictate that a VM user should be granted as low a privilege class as possible. Linux virtual machines typically run in the lowest default CP privilege (class G). z/VM allows a system administrator to create a user defined privilege class, and to add specific CP commands to that privilege class. In this redpaper, we identify the CP commands and diagnose codes required to run Linux in a virtual machine. We then discuss a procedure to create a user defined privilege class, which has access only to those commands and diagnose codes required to run Linux guests. This privilege class has access to fewer commands and diagnose codes than the default G class.

    Table of Contents


    Interaction with CP

    Communication between virtual machines

    Additonal z/VM resources

    An alternative approach

    Sample MODIFY statements for the default z/VM 4.4 installation


    Others who read this also read