using UID 1 (was Re: Overriding node_db_rewrite_sql())
On 7/26/07, Ken Rickard <agentrickard@gmail.com> wrote:
Development testing should never be done as user #1 unless testing installation or update routines. In fact, nothing but install and update should be done as user #1.
I see your point here about how it has been confusing to Ron that uid1 could see everything, but I'm not sure I follow the rest of the logic. To me, I don't see a problem with using uid1. I know lots of folks feel strongly about this, but there's also a prominent case[1] or two[2] of smart people doing otherwise. There is even the whole masquerade code in the devel module which makes it easy to switch between uid1 and a normal user during development to facilitate Ron's exact situation.
Just yesterday I edited bullet item 1 on 22284 to include all of the arguments on this issue that I was able to glean from the folks that were in IRC when I was digging into the issue. Given that investigation and rewrite, I don't understand the strength of the "don't use uid 1" argument.
So, if folks feel strongly one way or another could they please edit that page (or respond here) with some of the reasons why you should "never use user #1".
If you're going to say "for the same reasons as you never use root on unix" then please take the time to enumerate those reasons - I'm not sure I believe that comparison so having the list of reasons would help the discussion.
Regards, Greg
[1] http://drupal.org/user/1 [2] http://groups.drupal.org/user/1
-- Greg Knaddison Denver, CO | http://knaddison.com World Spanish Tour | http://wanderlusting.org/user/greg
On 7/26/07, Greg Knaddison - GVS <Greg@growingventuresolutions.com> wrote:
On 7/26/07, Ken Rickard <agentrickard@gmail.com> wrote:
Development testing should never be done as user #1 unless testing installation or update routines. In fact, nothing but install and update should be done as user #1.
I see your point here about how it has been confusing to Ron that uid1 could see everything, but I'm not sure I follow the rest of the logic. To me, I don't see a problem with using uid1. I know lots of folks feel strongly about this, but there's also a prominent case[1] or two[2] of smart people doing otherwise. There is even the whole masquerade code in the devel module which makes it easy to switch between uid1 and a normal user during development to facilitate Ron's exact situation.
Just yesterday I edited bullet item 1 on 22284 to include all of the arguments on this issue that I was able to glean from the folks that were in IRC when I was digging into the issue. Given that investigation and rewrite, I don't understand the strength of the "don't use uid 1" argument.
So, if folks feel strongly one way or another could they please edit that page (or respond here) with some of the reasons why you should "never use user #1".
Ok, I added a 4th reason: "On a community site, if the top administrator is using account #1 for all things, including personal content in blogs, forums, etc, and later administration passes to someone else, the previous administrator's content will be in account #1 and will have to be moved, which is not a very trivial task."
If you're going to say "for the same reasons as you never use root on unix" then please take the time to enumerate those reasons - I'm not sure I believe that comparison so having the list of reasons would help the discussion.
Regards, Greg
[1] http://drupal.org/user/1 [2] http://groups.drupal.org/user/1
-- Greg Knaddison Denver, CO | http://knaddison.com World Spanish Tour | http://wanderlusting.org/user/greg
Two Administrators
On 26/07/07, Cog Rusty <cog.rusty@gmail.com> wrote:
On 7/26/07, Greg Knaddison - GVS <Greg@growingventuresolutions.com> wrote:
On 7/26/07, Ken Rickard <agentrickard@gmail.com> wrote:
Development testing should never be done as user #1 unless testing installation or update routines. In fact, nothing but install and update should be done as user #1.
I see your point here about how it has been confusing to Ron that uid1 could see everything, but I'm not sure I follow the rest of the logic. To me, I don't see a problem with using uid1. I know lots of folks feel strongly about this, but there's also a prominent case[1] or two[2] of smart people doing otherwise. There is even the whole masquerade code in the devel module which makes it easy to switch between uid1 and a normal user during development to facilitate Ron's exact situation.
Just yesterday I edited bullet item 1 on 22284 to include all of the arguments on this issue that I was able to glean from the folks that were in IRC when I was digging into the issue. Given that investigation and rewrite, I don't understand the strength of the "don't use uid 1" argument.
So, if folks feel strongly one way or another could they please edit that page (or respond here) with some of the reasons why you should "never use user #1".
Ok, I added a 4th reason: "On a community site, if the top administrator is using account #1 for all things, including personal content in blogs, forums, etc, and later administration passes to someone else, the previous administrator's content will be in account #1 and will have to be moved, which is not a very trivial task."
If you're going to say "for the same reasons as you never use root on unix" then please take the time to enumerate those reasons - I'm not sure I believe that comparison so having the list of reasons would help the discussion.
Regards, Greg
[1] http://drupal.org/user/1 [2] http://groups.drupal.org/user/1
-- Greg Knaddison Denver, CO | http://knaddison.com World Spanish Tour | http://wanderlusting.org/user/greg
-- Regards Steven Jones
Greg, I don't have edit permissions, so here are some thoughts.
In this particular case, the argument is: User 1 does not behave like other users, so testing module functionality as user 1 is generally a bad idea, since you won't get to see the actual role-restricted behavior of your module. This is especially true of node access modules.
In general, two additional points:
* In our uses, we always have multiple administrators. So we treat user 1 like Unix root or sudo. Not everyone should act under sudo at all times, and we never login as 'root'. You need to be able to trace who did what. (However, that said, user 1 does leave a record, so perhaps the analogy doesn't quite hold up.)
* Our corporate security policy is violated by user 1 because user 1 violates the rule of least privilege. Moreover, since we have multiple sysadmins who install Drupal sites, our user 1 tends to be a role account, which is a violation of our security policy (one person to an account).
Now this second point isn't relevant to the entire Drupal community, obviously, but it also makes a case for replacing the special user 1 entirely with a default 'administrative user' role that is assigned to user 1 and can then be assigned to other users.
So, in practice, we always create the site. Create a new 'administrator' role. Give that role all privileges. Create a new user as an administrator. Then logout as user 1 and never use that account again. To run update.php, we just set the access check to FALSE.
It may also be that our security policies are bad, but that's beyond my control.
- Ken Rickard agentrickard
On 7/26/07, Steven Jones <darthsteven@gmail.com> wrote:
Two Administrators
On 26/07/07, Cog Rusty <cog.rusty@gmail.com> wrote:
On 7/26/07, Greg Knaddison - GVS <Greg@growingventuresolutions.com> wrote:
On 7/26/07, Ken Rickard <agentrickard@gmail.com> wrote:
Development testing should never be done as user #1 unless testing installation or update routines. In fact, nothing but install and update should be done as user #1.
I see your point here about how it has been confusing to Ron that uid1 could see everything, but I'm not sure I follow the rest of the logic. To me, I don't see a problem with using uid1. I know lots of folks feel strongly about this, but there's also a prominent case[1] or two[2] of smart people doing otherwise. There is even the whole masquerade code in the devel module which makes it easy to switch between uid1 and a normal user during development to facilitate Ron's exact situation.
Just yesterday I edited bullet item 1 on 22284 to include all of the arguments on this issue that I was able to glean from the folks that were in IRC when I was digging into the issue. Given that investigation and rewrite, I don't understand the strength of the "don't use uid 1" argument.
So, if folks feel strongly one way or another could they please edit that page (or respond here) with some of the reasons why you should "never use user #1".
Ok, I added a 4th reason: "On a community site, if the top administrator is using account #1 for all things, including personal content in blogs, forums, etc, and later administration passes to someone else, the previous administrator's content will be in account #1 and will have to be moved, which is not a very trivial task."
If you're going to say "for the same reasons as you never use root on unix" then please take the time to enumerate those reasons - I'm not sure I believe that comparison so having the list of reasons would help the discussion.
Regards, Greg
[1] http://drupal.org/user/1 [2] http://groups.drupal.org/user/1
-- Greg Knaddison Denver, CO | http://knaddison.com World Spanish Tour | http://wanderlusting.org/user/greg
-- Regards Steven Jones
On 7/26/07, Ken Rickard <agentrickard@gmail.com> wrote:
Now this second point isn't relevant to the entire Drupal community, obviously, but it also makes a case for replacing the special user 1 entirely with a default 'administrative user' role that is assigned to user 1 and can then be assigned to other users.
I think creating an admin role, giving it all permissions (programmatically, not via the checkboxes), then assigning user 1 to that role is the way to go for core Drupal. It allows users to be granted/revoked admin privileges dynamically.
However, it also allows novice admins to lock themselves out of permissions like "administer access control"...
-Peter
On 7/26/07, Khalid Baheyeldin <kb@2bits.com> wrote:
On 7/26/07, Ken Rickard <agentrickard@gmail.com> wrote:
Now this second point isn't relevant to the entire Drupal community, obviously, but it also makes a case for replacing the special user 1 entirely with a default 'administrative user' role that is assigned to user 1 and can then be assigned to other users.
I think creating an admin role, giving it all permissions (programmatically, not via the checkboxes), then assigning user 1 to that role is the way to go for core Drupal.
It allows users to be granted/revoked admin privileges dynamically.
Quoting Peter Wolanin <pwolanin@gmail.com>:
However, it also allows novice admins to lock themselves out of permissions like "administer access control"...
We can do that with the current implementation. ;)
-Peter
On 7/26/07, Khalid Baheyeldin <kb@2bits.com> wrote:
On 7/26/07, Ken Rickard <agentrickard@gmail.com> wrote:
Now this second point isn't relevant to the entire Drupal community, obviously, but it also makes a case for replacing the special user 1 entirely with a default 'administrative user' role that is assigned to user 1 and can then be assigned to other users.
I think creating an admin role, giving it all permissions (programmatically, not via the checkboxes), then assigning user 1 to that role is the way to go for core Drupal.
It allows users to be granted/revoked admin privileges dynamically.
While I advocate the idea of a predefined admin role that can be deactivated; I do not advocate removing the special privilege of user id 1. Given the case that it might be possible for someone to modify the database and give themselves admin role by simple update this could open a can of security issues you do not want. I had created an admin role at one site where the DB is mostly open (i.e. admin priv is insecure) and this actually happened once. I quickly deleted the role once I discovered what had happened.
Earnie
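An added example, not part of Earnie's post or of Drupal itself: a periodic check for the situation described above, where a direct database update grants someone an administrative role. It assumes a Drupal 5-style layout (`users`, `role`, `users_roles`, and a `permission` table with a comma-separated `perm` column); the sample rows, the approved-uid list and the function names are constructed for illustration.

```python
import sqlite3

# Permissions treated as "full control" for this audit (assumed selection).
SENSITIVE = {"administer access control", "administer users"}

def build_sample_db():
    """Constructed sample data in an assumed Drupal 5-style layout."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
        CREATE TABLE permission (rid INTEGER, perm TEXT);
        INSERT INTO users VALUES (1,'root-account'),(2,'alice'),(3,'bob'),(9,'mallory');
        INSERT INTO role VALUES (3,'administrator'),(4,'editor');
        INSERT INTO permission VALUES
            (3,'access content, administer access control, administer users'),
            (4,'access content, create story content');
        -- uid 9 stands in for a membership added by a direct UPDATE/INSERT.
        INSERT INTO users_roles VALUES (2,3),(3,4),(9,3);
    """)
    return db

def audit_admin_grants(db, approved_uids, sensitive=SENSITIVE):
    """Return (uid, name, role, perms) for unapproved holders of sensitive permissions."""
    rows = db.execute("""
        SELECT u.uid, u.name, r.name, p.perm
        FROM users_roles ur
        JOIN users u ON u.uid = ur.uid
        JOIN role r ON r.rid = ur.rid
        JOIN permission p ON p.rid = ur.rid
        ORDER BY u.uid
    """).fetchall()
    findings = []
    for uid, name, role, perm in rows:
        # The perm column holds one comma-separated string per role.
        held = {p.strip() for p in perm.split(",")} & sensitive
        if held and uid not in approved_uids:
            findings.append((uid, name, role, sorted(held)))
    return findings

if __name__ == "__main__":
    # uid 1 never appears here: its access is hard-coded, not stored in these tables.
    for finding in audit_admin_grants(build_sample_db(), approved_uids={2}):
        print("unapproved admin grant:", finding)
```

Run against a read-only database account on a schedule, the same comparison flags role memberships that were never approved through the site's own administration screens.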
On Thursday 26 July 2007, Greg Knaddison - GVS wrote:
So, if folks feel strongly one way or another could they please edit that page (or respond here) with some of the reasons why you should "never use user #1".
If you're going to say "for the same reasons as you never use root on unix" then please take the time to enumerate those reasons - I'm not sure I believe that comparison so having the list of reasons would help the discussion.
Regards, Greg
[1] http://drupal.org/user/1 [2] http://groups.drupal.org/user/1
- Log into your Drupal site.
- Visit http://evilbadsite.com/
- Run Javascript on evilbadsite.com automatically.
- Watch your Drupal session be hijacked.
Would you rather have uid 1's session hijacked, or your normal user account hijacked?
-- Larry Garfield AIM: LOLG42 larry@garfieldtech.com ICQ: 6817012
"If nature has made any one thing less susceptible than all others of exclusive property, it is the action of the thinking power called an idea, which an individual may exclusively possess as long as he keeps it to himself; but the moment it is divulged, it forces itself into the possession of every one, and the receiver cannot dispossess himself of it." -- Thomas Jefferson
participants (8)
- Cog Rusty
- Earnie Boyd
- Greg Knaddison - GVS
- Ken Rickard
- Khalid Baheyeldin
- Larry Garfield
- Peter Wolanin
- Steven Jones