[SLL] sharing superuser account is always bad policy, right?
nicafyl
nicafyl at gmail.com
Thu Feb 5 09:51:42 PST 2009
Yuck! Take a look at easyspeedy.com. They are relatively inexpensive,
reliable and have an amazing system for administering your server. You can
pick your OS from a big set of choices from your control panel which doesn't
run on the server and have it auto-install. There are also recovery features
that run away from your actual server.
When I needed dedicated servers, I used them. Also, they are in Denmark
which I saw as a big plus.
On Thu, Feb 5, 2009 at 11:24 AM, Phil Mocek <pmocek-sll at mocek.org> wrote:
> I'm concerned about the security policies of a Web hosting company
> who also provides dedicated Linux servers.
>
> The company I'm working for recently rented a dedicated server
> with CentOS 5 from a third party to run their revision control and
> issue tracking systems. This hosting company, CrystalTech,
> provides some minimal level of administration, but the machine
> will generally be administered by me.
>
> I changed the superuser password for the new machine immediately
> after it was displayed to me by their customer control panel Web
> app.
>
> I noticed some syslog messages about a temperature threshold
> having been exceeded, resulting in CPU throttling, so I opened a
> support ticket to have them ensure that there isn't a ventilation
> problem. They responded by telling me that the root password no
> longer worked and that they need it in order to look at the log
> files. They asked me to post credentials to the ticket for them.
>
> Setting aside the fact that they stored the password for root in
> cleartext -- on a Web server -- then asked me to communicate it in
> a ticketing system that echoes to e-mail, their staff and me
> sharing the root account seems like a bad idea.
>
> Because of this and a few other red flags, I'm tempted to
> recommend finding a dedicated server elsewhere (this company was
> chosen because they're inexpensive and my associate has known them
> to provide satisfactory Windows hosting in the past) but I don't
> want to overreact.
>
> Is this practice typical among "Web hosting" companies who provide
> dedicated Linux servers?
>
> --
> Phil Mocek
>
--
Phil Hughes
nicafyl at gmail.com -- phil at ctpni.com