On 12/17/10 8:10 AM, Greg Knaddison wrote:
> I think it's not so obvious and not really useful. If the "superuser role" has the permission to "administer users" or "administer permissions" then any user in that role has the exact same permissions as UID1. The only difference is, as you state, running update.php (in D7 that distinction is gone - anyone with the right permission can run update.php).
We always try to create targeted admin roles for specific tasks, so you can split rights like administer nodes (for high-level editors) from administer views/blocks/content types (for site admins) from administer users. This way, different types of admin users can be assembled from these various roles, and matched to professional responsibilities and individual skill sets.
> The idea that "uid1 = unsafe" is a security myth that needs to die.
uid1 will be as safe or as unsafe as the person using it - and by "person" I generally mean the actual human hitting the keyboard, the computer that keyboard is attached to, and the network they are on. I'd much rather incrementally decrease risk through targeted roles - although, as you say, if a user gets "administer users" rights then all bets are off.
Another use we have found for discouraging the use of uid1 is less technical and more training-related - it's a way to start the discussion with less technical users about security concerns.
> There are other more likely avenues of attack such as incorrectly configured input formats.
Absolutely.
> For those interested, you can test your input formats against security best practices by trying out http://drupal.org/project/security_review
That is a sweet module that I didn't know existed. Thanks for sharing that.
Cheers,
Bill