-2

Is it possible for a service provider to access my data without knowing the root password? Is there a way to change the root password without ejecting the disk somehow?

Update:

I'm wondering whether the company that provides me physical server (not VM) is able to read my data without being detected, without even shutting down the machine, if they have physical access to the machine.

Oleg
  • 289
  • 3
  • 11
  • They have access to the disk, so of course. Even if you encrypted the disk, it's easily possible for them to make some kind of hardware/software modification that releases your keys once access is attempted. – Ammar Bandukwala Jul 22 '16 at 10:06
  • Thanks, @AmmarBandukwala. Does this procedure require turning off the server and ejecting the disk? Or they can do it even without being detected? – Oleg Jul 22 '16 at 11:27
  • What do you mean by 'ejecting the disk'? – schroeder Jul 22 '16 at 17:35
  • @schroeder I mean physically remove disk from the machine. – Oleg Jul 22 '16 at 17:36
  • Are you talking about a physical computer or a VM? Can the attacker shut the computer down? Physically dismantle it? Is it OK if what they do is detectable, or must the attack be secret? – Neil Smithline Jul 22 '16 at 20:39
  • @neilsmithline sorry, i'm not a native english speaker. Im talking about a physical server. And im wondering whether the company that provides me this server is able to read my data without being detected, without even shutting down the machine. Sorry if i confused you. I have to learn english harder) – Oleg Jul 23 '16 at 06:01
  • Not a problem @Curious. I'm glad you got an answer. – Neil Smithline Jul 23 '16 at 16:17

1 Answers1

4

If someone has physical access to a machine, the root password is no longer a protection. Among things that can be done (from simpler to harder):

  • interrupt a boot sequence. Some systems directly open a shell with root account without asking for password in order to allow the operator to try to recover manually after a major disaster (lost of password file, /bin/bash, network...)
  • boot the machine from a removable media (DVD or USB stick) containing a system compatible with the disk, then mount the disk (read only if you do not want to leave traces and have nothing to change).
  • remove the disk from the machine and mount it on another system having drivers for it.

Any of this methods allow to change the password file for example by adding a new admin account (UID=0 on Unix-Linux)

As said by @DKNUCKLES in comment, any of the above method can be used on a physical server but they suppose a reboot. If you have only a VM, any of them can be used with a backup (or a snapshot) of the VM, which cannot be detected at all from the running VM.

Serge Ballesta
  • 25,636
  • 4
  • 42
  • 84
  • 1
    It should also be said that while the methods above all require a reboot of sorts, these can be attempted against a restored VM from a backup your service provider has taken in which case it would be invisible to you and you would never know they've even attempted to get into your VM. – DKNUCKLES Jul 22 '16 at 13:10
  • 1
    @DKNUCKLES: Thanks for the comment. As OP spoke of a dedicated server, I understood that it was a physical server - but really unsure because english is not my first language. Anyway your comment adds value and I have edited my post with it. – Serge Ballesta Jul 22 '16 at 13:57