# SolusVM and secure passwords still do not work?



## GaleDribble (Dec 8, 2014)

Is this normal still? I remember this happened to me in the past but today I ordered a new server and I generated a random password at sign up but it didn't work. I ticketed support and they tell me that they changed my root password and emailed it to me, and their password was just letters/numbers, and said that SolusVM won't accept passwords with special characters in it. Why is it that they don't accept special characters in 2014 when all other places do and when it's recommended?

I always change my password after I set up my server for the first time anyhow and disable password authentication anyway but it is still worrisome. I thought it was a bug a year or two ago when it first happened to me but found out today it still is like that.


----------



## KuJoe (Dec 8, 2014)

Unfortunately the allowed characters are limited by the API's ability. This is why I highly recommend the following 2 options:

For Providers: Don't let clients pick their own password on sign-up, it will break the API and the VPS (i.e. no IP address assigned) if the client uses a complex password with special characters. LINK

For Clients: Don't set a complex password, pick something basic that you don't care about because if you're using SolusVM then whatever password you tell SolusVM is saved in clear text and anybody with access to the database can retrieve it (and in most cases this is e-mailed to you in clear text also which is saved unencrypted by the provider).

Never change your password in SolusVM either, always change your password inside your VPS with the passwd command or else it will save the password in the database also.

I should point out that these recommendations are not just for SolusVM, it's just that SolusVM is the most widely used and the topic of this thread.


----------



## Francisco (Dec 8, 2014)

KuJoe said:


> Unfortunately the allowed characters are limited by the API's ability.


Incorrect my good sir.

The problem is that on the SolusVM panel side, they actually pass the user's root password to CLI via something like



> php /usr/local/solusvm/system/comm.php --comm=rootpassword --password=UNESCAPED_STRING


The comm.php file takes into consideration if the VPS is hosted locally (master + users OpenVZ) or remotely. From there it either calls a SETUID root binary with said unescaped string, or sends it off to the node in question...where said node runs the same SETUID binary w/ the unescaped string.

It's possible they've added a 'patch' to stop it, but for the *longest* time, the reason SolusVM would brick itself provisioning a VPS if you gave it a 'secure password' was because it was actually causing bash to act up.

Say hello to one of the many SolusVM breakout exploits.

Francisco
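The mechanism described in the post above, shown as an added example in Python rather than SolusVM's PHP (this is not code from SolusVM or from anyone in this thread). The command shape (`comm.php --comm=rootpassword --password=...`) is taken from the post; the function names and the two sample passwords are constructed for illustration. It tokenises the command string the way a POSIX shell would, so you can see an unquoted password turn into extra commands, then shows the two fixes a provider should apply: quote the argument (`shlex.quote` here, `escapeshellarg` in PHP) or, better, skip the shell and pass an argv list.

```python
"""Added example, not SolusVM's code: why interpolating a password into a
shell command string breaks, and how to pass it safely.  The command shape
(comm.php --comm=rootpassword --password=...) is from the thread; function
names and sample passwords are constructed."""
import shlex
import subprocess
import sys
from typing import List

COMM = "php /usr/local/solusvm/system/comm.php --comm=rootpassword"

# Constructed sample passwords: a plain one, and one carrying a shell separator.
PLAIN = "Tr0ub4dor"
WITH_METACHARS = "abc; echo INJECTED"


def unsafe_command(password: str) -> str:
    """The pattern described in the thread: raw interpolation into a shell string."""
    return f"{COMM} --password={password}"


def quoted_command(password: str) -> str:
    """Same string, but the password is quoted for /bin/sh.
    shlex.quote is Python's equivalent of PHP's escapeshellarg."""
    return f"{COMM} --password={shlex.quote(password)}"


def shell_words(command: str) -> List[str]:
    """Tokenise a command the way a POSIX shell would, keeping ; | & as
    separate tokens so command separators become visible."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def argv_for(password: str) -> List[str]:
    """Preferred fix: no shell at all.  Build argv and let the OS exec it;
    every byte of the password lands in one argument, whatever it contains."""
    return ["php", "/usr/local/solusvm/system/comm.php",
            "--comm=rootpassword", f"--password={password}"]


def password_as_seen_by_child(password: str) -> str:
    """Run a throw-away child (this interpreter standing in for comm.php) via
    an argv list and return the --password argument it actually received."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')",
            f"--password={password}"]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def has_shell_metacharacters(password: str) -> bool:
    """Defence in depth for a sign-up form: flag passwords that would need
    quoting.  Not a substitute for quoting or argv passing."""
    return any(ch in password for ch in ";|&$`\"'\\<>()\n")


if __name__ == "__main__":
    # Unquoted: the shell sees seven words, including a ';' separator.
    print(shell_words(unsafe_command(WITH_METACHARS)))
    # Quoted: four words, the password intact as the last one.
    print(shell_words(quoted_command(WITH_METACHARS)))
    # argv path: the child receives the whole password verbatim.
    print(password_as_seen_by_child(WITH_METACHARS))
```

The first print is the failure mode the thread describes: the shell splits the unquoted password into a separate `echo INJECTED` command, which is also why provisioning "bricks" on harmless punctuation. Quoting repairs the string form, but the argv form is the one to prefer, since there is then no shell to interpret anything, and it removes the need for a character blacklist at sign-up.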


----------



## KuJoe (Dec 8, 2014)

@Francisco thanks for the correction, I knew the problem was within the communication between SolusVM and the host node I just didn't know where.


----------



## Francisco (Dec 8, 2014)

KuJoe said:


> @Francisco thanks for the correction, I knew the problem was within the communication between SolusVM and the host node I just didn't know where.


Do you need a hard drink now?



Francisco


----------



## dcdan (Dec 9, 2014)

@Francisco Wait, you cannot be serious. So what happens if I order a VPS somewhere and set a "; rm -rf /" as a password?


----------



## KuJoe (Dec 9, 2014)

@Francisco I haven't needed a hard drink since I stopped shelling out hundreds of dollars a month for a sub-par control panel.


----------



## Francisco (Dec 9, 2014)

dcdan said:


> @Francisco Wait, you cannot be serious. So what happens if I order a VPS somewhere and set a "; rm -rf /" as a password?


It was possible for a good while.

The widespread exploit that was used was them passing $_GET['id'] or something like that right to a SETUID binary on the master.

Francisco


----------

