New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Hostsailor experience - wants my root password
anubhavhirani
Member
in Reviews
I asked support to enable AMD-V, they asked for my root password, I asked if they are serious about it, they resetted my root password without my permission???? What is going on? Can anyone explain is this normal?
This discussion has been closed.
Comments
@HostSailor
Resetting password without permission is odd, to say at least.
@HostSailor
I’m awaiting a full refund. There’s no way I’m hosting anything on your server if your support keeps resetting my password and, in the future, could potentially peek at data from my multi-billion-dollar company.
Invoice #422217
Not the first and the last. This happens when support is outsourced and no appropriate tools provided for work. Shame, but not incompetence. Shame can be mitigated with decent enough discount.
tbf, if u using vps,keeping ur root password doesn't prevent the host from peeking at ur data if they really wanted to. since they control the hypervisor, they can just mount ur disk image or boot into rescue mode to access ur files without needing ur specific password.
and if u encrypt vps with luks, host still can access by dump ram if they really wanted to.
this is not only specific host.
but I think resetting password without permission is odd too
@anubhavhirani Thanks for raising this and sorry for the confusion caused. let me please clarify.
About AES-NI / VM-x / AMD-V:
On our VPS offerings, these features depend on the underlying node configuration and CPU virtualization exposure. They are not guaranteed on all VPS plans by default, and this is not something that can be enabled from inside the VM by the customer.
Important clarification:
At no point do we require or need a customer’s root password to enable AMD-V or AES-NI. If this was communicated incorrectly via live chat, that’s on us, and we’ve flagged it internally.
Regarding the password reset:
Resetting the root password without explicit confirmation should not have happened, and we sincerely apologize for that. This has been escalated internally so it doesn’t repeat.
We’re happy to offer a full refund under our refund policy or happy to compensate with special exclusive offer for you.
HostSailor has been operating for over a decade, and situations like this can happen sometimes.
Appreciate the feedback. it helps us improve both documentation and support handling.
Appreciate you owning up. Part of the reason why I transferred my service away from you was horrible support. But I guess that ship has now sailed for me. Hopefully @anubhavhirani can find a way to make this work.
Had this with a few hosters before - all outsourced their "helpdesk" to India, so it became helldesks. Even when solving problems have nothing to do with getting access to a VPS, and you provide more than enough information, they still ask for root passwords.
I'm lucky enough to have most of my VPSes provisioned with Ansible, so I usually change password and do a re-install after it.
I would like recurring upgrade to any of these if possible at same cost:
anyway nice gesture to say that they reset the root password.
Often this is even not mentioned by yolo support, resulting in another incident for a lost root pasword reset.
First thing I did after getting informed is reset the machine to random OS in order to erase data.
So HostSailor reset the password and logged in to OP’s server without permission …
They apologized for the password reset …
And then finished off with this:
And everyone is happy.
If I remember correctly, this was done by another host. Was it charity host?
Would situations like this continue to happen, is the question to be asked today.
to think that your cloud provider has no access over your data is wrong. even when the drives are encrypted. yes even when you encrypt the partitions.
Welp! At least no other provider has ever reset the password without permission, happened with me first time and I didn't know what exact steps to take next.
THIS
They don't actually need your root password for anything.
Chances are you have qemu-ga installed anyway, so they can just shell into your VPS whatever.
If you have disabled that, they can just access files directly in the disk image if they really wanted to.
If you encrypted your disk, they can still access the memory of your VPS from the host. If you have any keys or secrets sitting in plaintext in memory, then they could access it all if they really cared to.
Of course, the truth is that none of this ever happens. Nobody cares about you and your data. Unless they are charity host and they want to see what porn you have.
I would expand that sometimes law enforcement asks for customer VPS drive and RAM dump. Very rare but worth to mention.
Claiming that the provider has access to an encrypted VPS is incorrect. While it could theoretically be hacked (though this is close to impossible in real life), that is not the same as the provider having direct access.
What you could check instead is whether the provider has installed qemu-guest-agent with guest-exec enabled without your permission.
luckily not all LETers are that naive
Update:
As per support I will be upgraded to the following specs as compensation:
4 cores (AMD EPYC 9534 64-Core Processor)
4GB RAM
100GB NVMe
$16.18 per year.
Original specs:
2 cores (AMD EPYC 9534 64-Core Processor)
2GB RAM
50GB NVMe
$16.18 per year.
It will take few hours to upgrade (not sure why) as per support.
I'm yet to see any template from any provider that has a small restricted set of permissions for qemu-ga.
By default everything is allowed and no one seems to care (if qemu-ga is installed).
And from what I have seen in VirtFusion (which is what everyone is migrating TO now), it does run meminfo to get memory details from within the guest - at least in some setups. Of course it is convenient to have the agent at least for some operations (like graceful shutdowns).
Not having it within the VM seems to be more of an irritant than any major consequence.
Congratulations! You have something to celebrate.
Just placed on order for chicken biryani on top of upgrade.
that udeek fellow reinstalled my vps, deleted everything without even asking if i wanted to lnstall Debian 13..
Was only requesting for them to add a Debian 13 iso since the newest version they had was Debian 10 which also does not work. really frustrating.
They'll need time to think up a new root password for you
@HostSailor please change my password to!!!
it is done, thanks @HostSailor
Oh my fucking god
This is exactly the nightmare I have about interacting with retarded support agents, not just in hosting but in IT as a whole.
You ask them for a level 0 info of X and they go all the way to level 100 and reply with “saar, as requested X + Y + Z has been done.”
I would pass. Enough resources to chose from on LET.
In their defence, what's the point in asking about a Debian 13 iso if you didn't intend to install it?