? paranoi_edit_user1.patch
Index: paranoia.module
===================================================================
RCS file: /cvs/drupal-contrib/contributions/modules/paranoia/paranoia.module,v
retrieving revision 1.7
diff -u -p -r1.7 paranoia.module
--- paranoia.module 13 Jan 2009 21:07:43 -0000 1.7
+++ paranoia.module 26 Oct 2009 06:44:31 -0000
@@ -5,6 +5,7 @@
 * - Disables PHP block visibility permission and gives status error if a role has this permission.
 * - Disables the PHP module.
 * - Hides the PHP and paranoia modules from the modules page.
+ * - Prevents user/1 editing which could give access to abitrary contrib module php execution.
 */
@@ -30,6 +31,19 @@ function paranoia_form_alter(&$form, $fo
 _paranoia_hide_module($form, $module);
 }
 break;
+
+ case 'user_profile_form': // Prevent modifying user/1
+ if ($form['#uid'] === '1') {
+ global $user;
+ // Allow user/1 to edit own details.
+ if ($user->uid != 1) {
+ drupal_set_message('You must login as this user (user/1) to modify the email address and password for this account.');
+ $form['account']['mail']['#access'] = FALSE;
+ $form['account']['pass']['#access'] = FALSE;
+ }
+ }
+ break;
+
 }
 }
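Review bot: The guard `if ($form['#uid'] === '1')` in the new `user_profile_form` case fails open: the strict comparison against the string '1' only matches when `#uid` is a string, so if the value ever arrives as an integer the mail and password fields stay editable for user/1 with no warning. The inner check already uses a loose `$user->uid != 1`; normalising both, e.g. `if ((int) $form['#uid'] === 1)` and `if ((int) $user->uid !== 1)`, keeps the protection independent of how the uid was loaded. Only `mail` and `pass` are locked, so it is worth confirming that no other element on this form, including ones added by other modules, lets a user administrator change how user/1 authenticates. The literal passed to `drupal_set_message()` should probably go through `t()` like other user-facing strings. `paranoia_form_alter()` begins outside the hunk.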