I've got rather poor knowledge of *nix virtualization capabilities and am trying to clarify one thing. If one has root on the host machine, does it always mean that he has root on all VMs of that host? If yes, then could there be a bogus setup where this is not true?

I'm asking because I heard two different answers to that question from two different admins. One said that he has root to everything, another claimed that he doesn't and he needs my password.

Please share your experience with VPS hosting providers, do they have root on your environment?


It's not that I'm afraid to lose the data, just want to have some insights and words to google for ;-) Thanks everyone!

A: 
  1. If you change your root password and don't give it to anyone, you are the only one that can log in as root.

  2. If someone has ever had your root password, it is very hard (dang near impossible) to know that they didn't place some kind of backdoor on the system to allow them to regain privileges by any number of mechanisms. That "someone" could be the tech at your host that set up your VPS, or anyone else, for that matter.

  3. Just because someone has the root password to the host does not mean they have the root password to your virtual machine - however, it likely does mean that they could do mean, nasty things to you in all kinds of painfully creative ways (changing the contents of your filesystem... presumably they could even bit-mangle enough to change your root password to something they do know.)

Jared
+2  A: 

Ultimately, having root on the VM host is the same as having physical access to a regular machine. They can't just "log in" to the VM as root (well, you can with some virtualisation technologies like OpenVZ) but they can get into the VM's filesystem, change the root password (or install something to capture the password) and go from there.

You need to have exactly the same trust in your VPS hosting service provider as you do with your colo provider, because they have exactly the same level of access and ability to do bad things to your service.

womble
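Added example, not part of any answer on this page: a guest-side check for the changes described above (a replaced root password, an extra UID 0 account, an added SSH key), comparing the guest's account files against a baseline you recorded yourself. The sample file contents, account names and the `compare()` helper are constructed for illustration.

```python
import hashlib

# Constructed sample data: a baseline taken right after you set your own
# root password, and a later snapshot of the same guest files.
BASELINE = {
    "passwd": "root:x:0:0:root:/root:/bin/bash\nwww:x:33:33::/var/www:/usr/sbin/nologin\n",
    "shadow": "root:$6$saltA$hashA:19000:0:99999:7:::\nwww:*:19000:0:99999:7:::\n",
    "authorized_keys": "ssh-ed25519 AAAAexamplekey1 me@laptop\n",
}
CURRENT = {
    "passwd": BASELINE["passwd"] + "support:x:0:0::/root:/bin/bash\n",
    "shadow": "root:$6$saltB$hashB:19100:0:99999:7:::\nwww:*:19000:0:99999:7:::\n",
    "authorized_keys": BASELINE["authorized_keys"] + "ssh-ed25519 AAAAexamplekey2 unknown\n",
}

def uid0_accounts(passwd_text):
    """Names of all accounts whose UID field is 0 (root-equivalent)."""
    rows = (line.split(":") for line in passwd_text.splitlines())
    return [f[0] for f in rows if len(f) >= 3 and f[2] == "0"]

def root_hash_digest(shadow_text):
    """SHA-256 of root's password field, so the baseline need not hold the hash itself."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == "root":
            return hashlib.sha256(fields[1].encode()).hexdigest()
    return None

def key_lines(text):
    """Non-empty, non-comment lines of an authorized_keys file."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}

def compare(baseline, current):
    """Return (finding, details) tuples for changes relative to the baseline."""
    findings = []
    extra = sorted(set(uid0_accounts(current["passwd"])) - set(uid0_accounts(baseline["passwd"])))
    if extra:
        findings.append(("new_uid0_account", extra))
    if root_hash_digest(baseline["shadow"]) != root_hash_digest(current["shadow"]):
        findings.append(("root_password_changed", ["root"]))
    new_keys = sorted(key_lines(current["authorized_keys"]) - key_lines(baseline["authorized_keys"]))
    if new_keys:
        findings.append(("new_authorized_key", new_keys))
    return findings

if __name__ == "__main__":
    for kind, detail in compare(BASELINE, CURRENT):
        print(kind, detail)
```

Someone with root on the host can alter the checker as easily as the files it reads, so keep the baseline and run the comparison on a machine the provider does not control; a clean result narrows the question but does not prove the guest is untouched.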
A: 

You seem a little confused about how virtualization works. Consider if your question was the following:

"If I let someone sit down at my computer, do they have root access?"

A virtual machine is basically just an image that "represents" that machine. It's conceptually no different than if you had your own physical machine controlled by the hosting provider.

One exception could be dependent on the provider's setup process. Do they ask you for an initial root password to set up your VPS with? If so, they could record that, but once you log into your environment for the first time, if you change it they should no longer have any knowledge of it.

Chad Birch
+2  A: 

For VPS providers who use Virtuozzo which is based on OpenVZ, the root of the host does have access to the whole filesystem (even the guest's). And with a simple command like

vzctl enter <VM_ID>

they gain root and can pretty much do anything they like.

I agree about trust mentioned by womble.

Ady Romantika