[support] use uid1 or not Re: How to create "index" pages of content

Earnie Boyd earnie at users.sourceforge.net
Mon Dec 10 13:02:33 UTC 2007


Quoting Greg Knaddison <greg at pingvox.com>:

> This is slightly off-topic from the original post so I'm changing the 
> subject.
>
> On Dec 9, 2007 6:30 PM, Shai Gluskin <shai at content2zero.com> wrote:
>> Here is the handbook page that describes why not using user/1 for day-to-day
>> is a best practice:
>>
>> http://drupal.org/node/22284
>>
>
> I don't think the conclusion you've drawn is really reflected in the
> meat of the page.  That's especially true if you use an account that
> is granted a role that has all permissions on a site - that account is
> just as vulnerable to most of the security problems listed on that
> page.
>

Yes, which is why I asked the question, how is it different?  The 
answer is of course that it isn't.  And worse, if you have a DBA that 
also has an account, the DBA could easily change his role status.

> The only thing that the "user 2 with all privileges" setup gets you is
> a small amount of protection on security holes/actions in the
> update.php file.  But if you have a "user 2 with all privileges" then
> that person probably has access to php input format and can do a lot
> of damage to your site (which is worth a reminder: if you don't need
> it then disable the php input format).
>

So my suggestion is to use user/1 for administration and use some other 
user for creating content.  If you want to give privileges to another 
user, pick and choose what you want the user to do in the new role; 
don't just blindly give them full privileges.

Earnie -- http://for-my-kids.com/
-- http://give-me-an-offer.com/


