[support] UID1 compared to targeted admin roles - WAS Re: Very Strange Security Breach
Bill Fitzgerald
bill at funnymonkey.com
Fri Dec 17 17:21:50 UTC 2010
On 12/17/10 8:10 AM, Greg Knaddison wrote:
> I think it's not so obvious and not really useful. If the "superuser
> role" has the permission to "administer users" or "administer
> permissions" then any user in that role has the exact same permissions
> as UID1. The only difference is, as you state, running update.php (in
> D7 that distinction is gone - anyone with the right permission can run
> update.php).
We always try to create targeted admin roles for specific tasks, so you
can split rights like administer nodes (for high-level editors) from
administer views/blocks/content types (for site admins) from administer
users. This way, different types of admin users can be assembled from
these various roles, and matched to professional responsibilities and
individual skill sets.
> The idea that "uid1 = unsafe" is a security myth that needs to die.
uid1 will be as safe or as unsafe as the person using it - and by
"person" I generally mean the actual human hitting the keyboard, the
computer that keyboard is attached to, and the network they are on. I'd
much rather incrementally decrease risk through targeted roles -
although, as you say, if a user gets "administer users" rights then all
bets are off.
Another use we have found for discouraging the use of uid1 is less
technical and more training-related - it's a way to start the discussion
with less technical users about security concerns.
> There are other more likely avenues of attack such as incorrectly
> configured input formats.
Absolutely.
> For those interested, you can test your input formats against security
> best practices by trying out http://drupal.org/project/security_review
That is a sweet module that I didn't know existed. Thanks for sharing that.
Cheers,
Bill
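
An added example, not part of the original message or of Drupal itself: a small audit that assembles each account's effective permissions from its targeted roles and flags any account holding "administer users" or "administer permissions", the two permissions the thread identifies as equivalent to UID1. The permission names come from the thread; the role names, account names and assignments are constructed.

```python
# Added example: constructed role/permission data, not taken from any real site.
# Permissions the thread treats as equivalent to UID1 once granted.
ESCALATING = {"administer users", "administer permissions"}

# Hypothetical targeted roles, split along the lines described in the message.
ROLE_PERMS = {
    "editor": {"administer nodes"},
    "site admin": {"administer views", "administer blocks",
                   "administer content types"},
    "user manager": {"administer users"},
}

# Hypothetical accounts, each assembled from one or more targeted roles.
USER_ROLES = {
    "alice": ["editor"],
    "bob": ["editor", "site admin"],
    "carol": ["editor", "user manager"],
}


def effective_permissions(roles, role_perms):
    """Union of the permissions granted by every role the account holds."""
    perms = set()
    for role in roles:
        perms |= role_perms.get(role, set())
    return perms


def audit(user_roles, role_perms):
    """Map each account to its permissions and the roles that make it UID1-equivalent."""
    report = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles, role_perms)
        via = sorted(r for r in roles if role_perms.get(r, set()) & ESCALATING)
        report[user] = {
            "permissions": sorted(perms),
            "uid1_equivalent": bool(via),
            "via": via,
        }
    return report


if __name__ == "__main__":
    for user, row in sorted(audit(USER_ROLES, ROLE_PERMS).items()):
        status = ("UID1-equivalent via " + ", ".join(row["via"])
                  if row["uid1_equivalent"] else "scoped")
        print(f"{user}: {status}; {', '.join(row['permissions'])}")
```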