Adminrole security hole: admins can assign themselves full permissions
pvasili - February 17, 2009 - 22:22
| Project: | Admin Role |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | dww |
| Status: | fixed |
Description
See at: http://www.drupal.ru/node/24003
English:
The module is defined (for example in D5.x) with user_access('administer site configuration'), where it should require user_access('administer permissions').
Now a user who has the right to administer the site configuration can configure the module, even if he does not have the right to manage permissions.

#1
6.x is affected too
#2
Yes, definitely a glaring security hole here.
A simple check could be sufficient to close this hole:
- require that a user has the "administer permissions" privilege to be able to change adminrole setting(s).
Example:
If you want to assign some external administrators to do admin work on your drupal site, and then prepare a role and users for them so that they can do most of the admin work, including be members of "administer site configuration", you still do NOT want them to access user accounts, and of course not be able to assign themselves more privileges than they have been given. Therefore they should not be able to administer adminrole so that they can give one of their own roles full permissions... (they can as of now)
This is actually a critical issue with a seemingly easy fix.
Strange it has been untouched here in the issue queue for such a long time...
Very handy module, "cannot live without it", but this bug renders this module unusable on sites that need to give some admins "medium administrator privileges".
#3
"This is actually a critical issue with a seemingly easy fix." Maybe if you submit a patch fixing this, it will get rolled into the module.
#4
Having heard positive things about this module, I decided to take a look today to see if it was suitable for a site I've got to set up. Yeah, this issue is really bad -- basically makes any kind of admin priv separation impossible. It's a little discouraging that it was reported over 1/2 year ago with no reply from either maintainer, much less a fix. The patches are indeed trivial. Attached here for the end of the DRUPAL-6--1 and DRUPAL-5 branches.
#5
We should just use the 'administer users' permission like we do with this functionality in D7. This would be fixed with #615336: Admin Role - Permissions and Sync module with D7-implementation for upgrading ease.
#6
Fixed as a part of #615336: Admin Role - Permissions and Sync module with D7-implementation for upgrading ease. The fieldset is now on the Admin > Users > User settings page like it is in Drupal 7. That page is also controlled by the 'administer users' permission, so I'm confident this is solved now.
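The following is an added illustration of the access-check flaw discussed in this issue and of the two fixes proposed in #2 (require 'administer permissions') and #6 (put the setting on a page gated by 'administer users'). It is not the Admin Role module's own code: the module name `example_adminrole`, its function names, the router path and the variable name are assumptions made for the example. It uses only standard Drupal 6 APIs (hook_menu, user_access, user_roles, system_settings_form). The point is that whoever may choose the role that receives every permission effectively holds the permission-editing privilege, so the menu entry for that page must require nothing weaker.

```php
<?php
// Added example (hypothetical module "example_adminrole", not the real Admin
// Role module). It shows the vulnerable router entry beside hardened ones.

/**
 * Implements hook_menu().
 */
function example_adminrole_menu() {
  $items = array();

  // Vulnerable pattern from the report: the page that picks the role which is
  // synchronised to ALL permissions is gated only by
  // 'administer site configuration'. An administrator who has that permission
  // but not 'administer permissions' can select one of their own roles here and
  // thereby grant themselves every permission on the site.
  $items['admin/settings/example-adminrole-vulnerable'] = array(
    'title' => 'Admin role (vulnerable check)',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_adminrole_settings_form'),
    'access arguments' => array('administer site configuration'),
    'type' => MENU_NORMAL_ITEM,
  );

  // Fix proposed in #2: require the same privilege that editing permissions
  // directly requires. Now a "medium" administrator who may configure the site
  // but may not manage permissions is kept out of this page.
  $items['admin/settings/example-adminrole'] = array(
    'title' => 'Admin role',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_adminrole_settings_form'),
    'access arguments' => array('administer permissions'),
    'type' => MENU_NORMAL_ITEM,
  );

  // Fix committed in #6: the setting lives on the user settings page, which
  // is already gated by 'administer users'. Modelled here as a separate router
  // entry with that permission as its access argument.
  $items['admin/user/settings/example-adminrole'] = array(
    'title' => 'Admin role (user settings)',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_adminrole_settings_form'),
    'access arguments' => array('administer users'),
    'type' => MENU_LOCAL_TASK,
  );

  return $items;
}

/**
 * Settings form: choose the role that will be synchronised to all permissions.
 */
function example_adminrole_settings_form() {
  $form['example_adminrole_rid'] = array(
    '#type' => 'select',
    '#title' => t('Role that receives all permissions'),
    // user_roles(TRUE) lists only roles assignable to authenticated users.
    '#options' => array(0 => t('None')) + user_roles(TRUE),
    '#default_value' => variable_get('example_adminrole_rid', 0),
    '#description' => t('Every permission is granted to this role whenever permissions are saved.'),
  );
  // system_settings_form() supplies the submit button and saves the variable.
  return system_settings_form($form);
}

/**
 * Defence in depth: re-check the privilege when the form is submitted, so the
 * setting is protected even if a router entry is later misconfigured or the
 * form is reached through another path.
 */
function example_adminrole_settings_form_validate($form, &$form_state) {
  if (!user_access('administer permissions') && !user_access('administer users')) {
    form_set_error('example_adminrole_rid', t('You do not have permission to change the admin role.'));
  }
}
```

The validate handler is the part worth keeping in mind beyond the router fix: an access callback protects a URL, but the sensitive operation is the variable write, and checking the privilege where the write happens means a second mistake in hook_menu cannot reopen the hole.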