[support] UID1 compared to targeted admin roles - WAS Re: Very Strange Security Breach

Bill Fitzgerald bill at funnymonkey.com
Fri Dec 17 17:21:50 UTC 2010


On 12/17/10 8:10 AM, Greg Knaddison wrote:
> I think it's not so obvious and not really useful. If the "superuser
> role" has the permission to "administer users" or "administer
> permissions" then any user in that role has the exact same permissions
> as UID1. The only difference is, as you state, running update.php (in
> D7 that distinction is gone - anyone with the right permission can run
> update.php).

We always try to create targeted admin roles for specific tasks, so you 
can split rights like administer nodes (for high-level editors) from 
administer views/blocks/content types (for site admins) from administer 
users. This way, different types of admin users can be assembled from 
these various roles, and matched to professional responsibilities and 
individual skill sets.

> The idea that "uid1 = unsafe" is a security myth that needs to die.

uid1 will be as safe or as unsafe as the person using it - and by 
"person" I generally mean the actual human hitting the keyboard, the 
computer that keyboard is attached to, and the network they are on. I'd 
much rather incrementally decrease risk through targeted roles - 
although, as you say, if a user gets "administer users" rights then all 
bets are off.

Another use we have found for discouraging the use of uid1 is less 
technical and more training-related - it's a way to start the discussion 
with less technical users about security concerns.

> There are other more likely avenues of attack such as incorrectly
> configured input formats.

Absolutely.

> For those interested, you can test your input formats against security
> best practices by trying out http://drupal.org/project/security_review

That is a sweet module that I didn't know existed. Thanks for sharing that.

Cheers,

Bill
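
The point made in this thread, that a role holding "administer users" or "administer permissions" is equivalent to uid 1, can be checked against a site's role assignments. The following is an added example, not part of the original message or of Drupal's own code; it assumes Drupal 6-style `permission` and `users_roles` rows, and every role name, uid and row in it is constructed sample data.

```python
# Added example. Table shapes follow Drupal 6 (`permission`, `users_roles`);
# all rows below are constructed sample data, not taken from a real site.
ESCALATION_PERMS = {"administer users", "administer permissions"}
AUTHENTICATED_RID = 2  # every logged-in account holds this role implicitly

ROLE_NAMES = {1: "anonymous user", 2: "authenticated user",
              3: "editor", 4: "site admin", 5: "user manager"}
PERMISSION_ROWS = [  # (rid, comma-separated perm string)
    (1, "access content"),
    (2, "access content, post comments"),
    (3, "access content, administer nodes"),
    (4, "administer views, administer blocks, administer content types"),
    (5, "access user profiles, administer users"),
]
USERS_ROLES = [(7, 3), (8, 4), (9, 5), (10, 3), (10, 4)]  # (uid, rid)
ALL_UIDS = [1, 7, 8, 9, 10, 11]


def parse_permissions(rows):
    """Turn (rid, 'perm a, perm b') rows into {rid: {perm, ...}}."""
    parsed = {}
    for rid, perm_string in rows:
        perms = {p.strip() for p in perm_string.split(",") if p.strip()}
        parsed.setdefault(rid, set()).update(perms)
    return parsed


def escalation_roles(role_perms):
    """Roles holding a permission that makes them equivalent to uid 1."""
    return {rid: sorted(perms & ESCALATION_PERMS)
            for rid, perms in role_perms.items() if perms & ESCALATION_PERMS}


def uid1_equivalent_users(all_uids, users_roles, flagged):
    """Map uid 1, and each uid holding a flagged role, to the reason."""
    result = {1: ["uid 1"]}
    for uid in all_uids:
        rids = {rid for u, rid in users_roles if u == uid}
        if uid != 0:  # uid 0 is the anonymous visitor, not a logged-in account
            rids.add(AUTHENTICATED_RID)
        hits = sorted(ROLE_NAMES[r] for r in rids if r in flagged)
        if hits and uid != 1:
            result[uid] = hits
    return result


if __name__ == "__main__":
    flagged = escalation_roles(parse_permissions(PERMISSION_ROWS))
    print(flagged, uid1_equivalent_users(ALL_UIDS, USERS_ROLES, flagged))
```

With the sample rows, only the "user manager" role is flagged; the "editor" and "site admin" roles stay separate from uid 1, which is the split the message describes.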