On suggestion from the security team, I'm providing this patch to warn administrators about the Administer Users permission.

This permission allows a user to edit user/1, change its password and therefore log in as user/1. More details here:
http://open.emspace.com.au/article/administer-users-sledgehammer-permission

For those who consider this a loophole, please review:
http://drupal.org/node/39636

CommentFileSizeAuthor
#1 admin_users_warning.patch849 bytessime

Comments

sime’s picture

sime
any/any
Location Melbourne
commented
StatusFileSize
new admin_users_warning.patch849 bytes
sime’s picture

sime
any/any
Location Melbourne
commented
Status: Active » Needs review

oops, out of practice - carn bot, come git

wmostrey’s picture

wmostrey commented

I'm all for this. I do think we should add a link on "security implications" to Untrusted execution of PHP.

catch’s picture

catch
he/him
Primary language English
commented

See also #248598: Label permissions which are warned about in the user interface and #594412: Correctly label all site-owning super-admin permissions

David_Rothstein’s picture

David_Rothstein commented
Status: Needs review » Reviewed & tested by the community

Simple patch, and makes total sense. This is one of the most dangerous permissions in Drupal (and will be even if the user/1 issue gets in, since it still allows you to hijack other accounts).

We do have #594412: Correctly label all site-owning super-admin permissions open as a critical bug to make sure that Drupal 7 doesn't get released without an audit of all core permissions to make sure we are labeling the correct ones, but there's no reason not to knock this big obvious one off now :)

dries’s picture

dries commented
Status: Reviewed & tested by the community » Fixed

Committed to CVS HEAD. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.