On Fri, Dec 17, 2010 at 10:19 AM, Marc Poris <marc@funnymonkey.com> wrote:
The idea that "uid1 = unsafe" is a security myth that needs to die. There are other more likely avenues of attack such as incorrectly configured input formats.
There are plenty of contrib modules that check for uid == 1 and dole out additional privileges, so while Drupal core may only check for uid == 1 in user_access() and user_register_submit(), your site is only as secure as your weakest contrib module.
Sure, and I've even used that fact to set the 'access arguments' on a menu item to be <? array("something that doesn't exist"), ?> so that only UID 1 can access that callback, however:
1. In a quick review, it seems all the examples you showed could also be accessed with the right roles/permissions, and my argument was that someone with "administer users" and "administer permissions" can already grant whatever things they need to get access to that feature.
2. Someone with those permissions can easily escalate themselves to become uid1 by enabling some module that executes PHP and then creating a snippet like <?php global $user; $user = user_load(1); ?>
Aside from Bill's followup about splitting administration roles (totally agree there, great point), my claim is:
From a security perspective, there is no difference between UID 1 and
someone who has a role "administer users" and/or "administer permissions."
Cheers, Greg
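
An audit that follows from the claim above, as an added example that is not part of the original thread: it lists every role and account that should be treated the same as uid 1 because it holds "administer users" or "administer permissions". The row layout (a role id with a comma-separated `perm` string, and uid/rid pairs) is an assumption modelled on a Drupal 6 style export, and the sample rows are constructed.

```php
<?php
// Added example, not code from the thread. The two permission names come from
// the message above; the row layout is an assumed Drupal 6 style table export.
const UID1_EQUIVALENT = ['administer users', 'administer permissions'];

/** Return role id => held permissions that make the role uid-1 equivalent. */
function uid1_equivalent_roles(array $permission_rows) {
  $flagged = [];
  foreach ($permission_rows as $row) {
    // The perm column is assumed to be one comma-separated string per role.
    $perms = array_filter(array_map('trim', explode(',', $row['perm'])), 'strlen');
    $hits = array_values(array_intersect(UID1_EQUIVALENT, $perms));
    if ($hits) {
      $flagged[(int) $row['rid']] = $hits;
    }
  }
  return $flagged;
}

/** Return uid => flagged role ids for every account to review, plus uid 1. */
function uid1_equivalent_users(array $flagged_roles, array $users_roles) {
  $users = [1 => []]; // uid 1 itself is always on the list
  foreach ($users_roles as $row) {
    if (isset($flagged_roles[(int) $row['rid']])) {
      $users[(int) $row['uid']][] = (int) $row['rid'];
    }
  }
  ksort($users);
  return $users;
}

// Constructed sample data (hypothetical role ids and uids).
$permission_rows = [
  ['rid' => 2, 'perm' => 'access content, access comments, post comments'],
  ['rid' => 3, 'perm' => 'access content, administer nodes'],
  ['rid' => 4, 'perm' => 'administer users, access user profiles'],
  ['rid' => 5, 'perm' => 'administer permissions'],
];
$users_roles = [
  ['uid' => 7, 'rid' => 3],
  ['uid' => 12, 'rid' => 4],
  ['uid' => 12, 'rid' => 5],
  ['uid' => 31, 'rid' => 5],
];

$roles = uid1_equivalent_roles($permission_rows);
foreach (uid1_equivalent_users($roles, $users_roles) as $uid => $rids) {
  $why = $uid === 1 ? 'built-in superuser' : 'roles ' . implode(', ', $rids);
  echo "uid $uid: treat as uid 1 ($why)\n";
}
```

Roles that Drupal applies implicitly (anonymous, authenticated) have no per-user role rows, so a hit on either one covers every visitor or every logged-in account rather than the uids printed here.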