Running Linux Guest in less than CP Privilege Class G

An IBM Redpaper publication

Note: This publication is now archived. For reference only.

Published 25 May 2004, updated 11 June 2004

IBM Form #: REDP-3870-00

Author: Rob van der Heij

This paper provides guidance for hardening a z/VM system that runs Linux virtual machines in a hostile environment. Access to specific CP commands and resources is granted to a VM user based on the privilege classes assigned to that user. Good security practice dictates that a VM user be granted the lowest privilege class possible. Linux virtual machines typically run in the lowest default CP privilege class (class G). z/VM allows a system administrator to create a user-defined privilege class and to add specific CP commands to it. In this Redpaper, we identify the CP commands and diagnose codes required to run Linux in a virtual machine. We then describe a procedure for creating a user-defined privilege class that has access only to those commands and diagnose codes required to run Linux guests. This privilege class has access to fewer commands and diagnose codes than the default class G.

Table of contents

Interaction with CP
Communication between virtual machines
Additional z/VM resources
An alternative approach
Sample MODIFY statements for the default z/VM 4.4 installation
