[SLL] sharing superuser account is always bad policy, right?

Derek Simkowiak dereks at realloc.net
Thu Feb 5 13:27:58 PST 2009


    Re: superuser account sharing: Yes, that is /always/ bad policy.  
All actions should be traceable to a single individual (whose access can 
be revoked at any time).

    If people share root, without going through some intermediate auth 
phase (like using sudo or SSH keys), then there is no accountability.  
If somebody does "rm -rf /" in the middle of the night, who did it?  One 
of your admins?  One of their admins?  A cracker? 

    With sudo or SSH, you can have syslog send the specific login 
account to a hardened syslog server.  IANAL but I think your hosting 
company's policies mean you are not complying with Sarbanes-Oxley or 
HIPAA.  Not to mention the fact that you are giving complete strangers 
(whose names you do not know) full access to your company's data...

    Combine that with the other violations of basic common sense (like 
plaintext root password in web and email!!!) and it's time to run 
screaming.  Check out http://take2hosting.com/ as an alternative.

    As an aside, I've seen some pretty dumb things done with passwords.  
My favorite is an industrial accounting and inventory program (whose 
name I won't mention due to NDA).  With version 5, the app stored all 
info in an MS-Access file.  The MS-Access file was password-protected 
(although you can bypass MS-Access passwords by using the Open Source 
tool MDB Tools -- the MS-Access password doesn't actually encrypt 
anything, it just tells Access to show an "access denied" dialog box to 
the user).

    In version 6, the software vendor "upgraded" from MS Access to using 
MS SQL Server as their backend storage.  Simply going through their 
upgrade installer would cause SQL Server to get installed on your MS box 
-- with the network port exposed -- and without telling the user 
anything about it.

    Sound bad?  Here's the kicker... the password to access the SQL 
Server data is the same for every customer (One Master Password) -- AND 
THE VENDOR PUBLISHES THAT MASTER PASSWORD ON THEIR WEBSITE, in their 
FAQ.  (And yes, the password is a dictionary word, subject to brute 
force attack.)

    So, you're running a Windows box to track all your customer, 
accounting, and inventory information.  You decide to upgrade your 
accounting software, and now anybody who can get a TCP/IP connection to 
your Windows box can read (or delete) all your data.

    So, I guess by the standards of the Microsoft world, putting a 
"root" password into email isn't such a big deal. :)


--Derek

On 02/05/2009 09:24 AM, Phil Mocek wrote:
> I'm concerned about the security policies of a Web hosting company
> who also provides dedicated Linux servers.
>
> The company I'm working for recently rented a dedicated server
> with CentOS 5 from a third party to run their revision control and
> issue tracking systems.  This hosting company, CrystalTech,
> provides some minimal level of administration, but the machine
> will generally be administered by me.
>
> I changed the superuser password for the new machine immediately
> after it was displayed to me by their customer control panel Web
> app.
>
> I noticed some syslog messages about a temperature threshold
> having been exceeded, resulting in CPU throttling, so I opened a
> support ticket to have them ensure that there isn't a ventilation
> problem.  They responded by telling me that the root password no
> longer worked and that they need it in order to look at the log
> files.  They asked me to post credentials to the ticket for them.
>
> Setting aside the fact that they stored the password for root in
> cleartext -- on a Web server -- then asked me to communicate it in
> a ticketing system that echoes to e-mail, their staff and me
> sharing the root account seems like a bad idea.
>
> Because of this and a few other red flags, I'm tempted to
> recommend finding a dedicated server elsewhere (this company was
> chosen because they're inexpensive and my associate has known them
> to provide satisfactory Windows hosting in the past) but I don't
> want to overreact.
>
> Is this practice typical among "Web hosting" companies who provide
> dedicated Linux servers?
>
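An added example (not from Derek's post or the list) of the accountability he describes: it parses the sshd and sudo lines that CentOS 5's syslog writes to /var/log/secure, ties each privileged command to the named individual who ran it, and flags direct logins to the shared root account that cannot be attributed to anyone. The log lines below are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample lines in /var/log/secure format (example data, not from
# the original post): two individuals using sudo, plus one direct root login.
SAMPLE_LOG = """\
Feb  5 02:13:07 vcs sshd[4181]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
Feb  5 02:14:31 vcs sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/yum update
Feb  5 03:02:55 vcs sshd[4390]: Accepted password for root from 198.51.100.7 port 40211 ssh2
Feb  5 03:05:12 vcs sudo:      bob : TTY=pts/1 ; PWD=/var/log ; USER=root ; COMMAND=/bin/rm -rf /srv/repo
"""

SSHD_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : TTY=(\S+) ; PWD=(\S+) ; USER=(\S+) ; COMMAND=(.*)$")


def parse_secure_log(text):
    """Return (attributed, unattributable).

    attributed maps an individual's login name to the (target user, command)
    pairs they ran through sudo; unattributable lists direct logins to the
    shared root account, which cannot be traced to a single person.
    """
    attributed = defaultdict(list)
    unattributable = []
    for line in text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            user, _tty, _pwd, target, command = m.groups()
            attributed[user].append((target, command))
            continue
        m = SSHD_RE.search(line)
        if m:
            method, user, src = m.groups()
            if user == "root":
                unattributable.append((method, src))
    return dict(attributed), unattributable


def who_ran(text, needle):
    """Name the individuals whose sudo commands contain `needle`."""
    attributed, _ = parse_secure_log(text)
    return sorted(u for u, cmds in attributed.items()
                  if any(needle in c for _, c in cmds))


if __name__ == "__main__":
    _, shared = parse_secure_log(SAMPLE_LOG)
    print("ran 'rm -rf':", who_ran(SAMPLE_LOG, "rm -rf"))
    print("untraceable root logins:", shared)
```

Forwarding these lines to a separate, hardened syslog host (as Derek suggests) matters because a local file can be edited by whoever holds root.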
