On suggestion from the security team, I'm providing this patch to warn administrators about the Administer Users permission.

This permission allows a user to edit user/1, change its password and therefore log in as user/1. More details here:
http://open.emspace.com.au/article/administer-users-sledgehammer-permission

For those who consider this a loophole, please review:
http://drupal.org/node/39636

CommentFileSizeAuthor
#1 admin_users_warning.patch849 bytessime

Comments

sime’s picture

StatusFileSize
new849 bytes
sime’s picture

Status: Active » Needs review

oops, out of practice - carn bot, come git

wmostrey’s picture

I'm all for this. I do think we should add a link on "security implications" to Untrusted execution of PHP.

David_Rothstein’s picture

Status: Needs review » Reviewed & tested by the community

Simple patch, and makes total sense. This is one of the most dangerous permissions in Drupal (and will be even if the user/1 issue gets in, since it still allows you to hijack other accounts).

We do have #594412: Correctly label all site-owning super-admin permissions open as a critical bug to make sure that Drupal 7 doesn't get released without an audit of all core permissions to make sure we are labeling the correct ones, but there's no reason not to knock this big obvious one off now :)

dries’s picture

Status: Reviewed & tested by the community » Fixed

Committed to CVS HEAD. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.