[SLL] sharing superuser account is always bad policy, right?
Phil Mocek
pmocek-sll at mocek.org
Thu Feb 5 09:24:16 PST 2009
I'm concerned about the security policies of a Web hosting company who also provides dedicated Linux servers.

The company I'm working for recently rented a dedicated server with CentOS 5 from a third party to run their revision control and issue tracking systems. This hosting company, CrystalTech, provides some minimal level of administration, but the machine will generally be administered by me.

I changed the superuser password for the new machine immediately after it was displayed to me by their customer control panel Web app.

I noticed some syslog messages about a temperature threshold having been exceeded, resulting in CPU throttling, so I opened a support ticket to have them ensure that there isn't a ventilation problem. They responded by telling me that the root password no longer worked and that they need it in order to look at the log files. They asked me to post credentials to the ticket for them.

Setting aside the fact that they stored the password for root in cleartext -- on a Web server -- then asked me to communicate it in a ticketing system that echoes to e-mail, their staff and me sharing the root account seems like a bad idea.

Because of this and a few other red flags, I'm tempted to recommend finding a dedicated server elsewhere (this company was chosen because they're inexpensive and my associate has known them to provide satisfactory Windows hosting in the past) but I don't want to overreact.

Is this practice typical among "Web hosting" companies who provide dedicated Linux servers?
--
Phil Mocek
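The alternative to handing the provider the root password, as an added example that is not part of the original post and not anything CrystalTech offers: give their support staff their own account whose sudo rights are limited to reading the specific log files they asked about. The account name "ctsupport", the list of log files and the SSH key placeholder are assumptions made for illustration; every command the support user can run is listed explicitly, and the script refuses fragments containing wildcard arguments because a sudoers pattern such as "/bin/cat /var/log/*" matches across spaces and would also allow "/bin/cat /var/log/messages /etc/shadow".

```shell
#!/bin/sh
# Added example (not from the original post or the hosting company): a
# per-person support account with sudo limited to reading named log files,
# instead of a shared root password. Names and paths below are assumptions.

# Log files the support account may read: explicit paths, no wildcards.
LOG_FILES="/var/log/messages /var/log/secure /var/log/dmesg"

# Print a sudoers fragment that lets user $1 run only read-only commands
# on exactly those files, as root. Each sudo invocation is logged by sudo
# under the invoking user's name, which a shared root login never gives you.
make_log_reader_sudoers() {
    user="$1"
    cmds=""
    for f in $LOG_FILES; do
        for c in "/bin/cat $f" "/usr/bin/tail $f" "/usr/bin/tail -f $f"; do
            cmds="${cmds}${cmds:+, }$c"
        done
    done
    printf 'Cmnd_Alias LOGREAD = %s\n' "$cmds"
    printf '%s ALL=(root) NOPASSWD: LOGREAD\n' "$user"
}

# Return success only if the fragment in $1 contains no "*" or "?" argument.
# In sudoers a "*" in a command argument matches across whitespace, so a
# wildcard path would widen the rule far beyond the log directory.
check_no_wildcard_args() {
    ! printf '%s\n' "$1" | grep -q '[*?]'
}

# Print (do not run) the commands that create the support account: no
# password, SSH public key only, so nothing secret ever goes into a ticket.
provision_commands() {
    user="$1"
    cat <<EOF
useradd -m -c 'Hosting provider support' $user
passwd -l $user
install -d -m 700 -o $user -g $user /home/$user/.ssh
echo 'ssh-rsa AAAA...PUBLIC-KEY-PLACEHOLDER support@provider' > /home/$user/.ssh/authorized_keys
chown $user:$user /home/$user/.ssh/authorized_keys
chmod 600 /home/$user/.ssh/authorized_keys
EOF
}

# Usage: show what would be installed for the assumed account name.
SUPPORT_USER="${SUPPORT_USER:-ctsupport}"
fragment=$(make_log_reader_sudoers "$SUPPORT_USER")
if check_no_wildcard_args "$fragment"; then
    printf '%s\n' "$fragment"
    provision_commands "$SUPPORT_USER"
else
    echo "refusing sudoers fragment with wildcard arguments" >&2
fi
```

The printed fragment should be checked with `visudo -c -f <file>` before it is added to /etc/sudoers through `visudo`, and the support key is revoked by deleting one line from authorized_keys rather than by rotating the root password for everyone. Note that pagers such as `less` are deliberately absent from the command list: they offer shell escapes, so granting them under sudo is equivalent to granting root.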