Project: Drupal core
Version: 7.x-dev
Component: user system
Category: bug report
Priority: critical
Assigned: Unassigned
Status: closed (fixed)

Issue Summary

On suggestion from the security team, I'm providing this patch to warn administrators about the Administer Users permission.

This permission allows a user to edit user/1, change its password and therefore log in as user/1. More details here:
http://open.emspace.com.au/article/administer-users-sledgehammer-permission

For those who consider this a loophole, please review:
http://drupal.org/node/39636
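
One concrete way to act on the point above, as an added example that is not the patch attached to this issue and not Drupal core code: on Drupal 7, a permission defined with 'restrict access' => TRUE in hook_permission() gets the "security implications" warning on the permissions page, and hook_menu_alter() can swap the access callback on user/%user/edit so that "administer users" alone no longer lets someone reset user/1's password. The module name uid1_guard, the permission name and the function names are made up for the example.

```php
<?php
/**
 * @file
 * uid1_guard.module (hypothetical module): added illustration, not core.
 *
 * 1. Defines a permission flagged with 'restrict access' => TRUE, which is
 *    the Drupal 7 flag that makes admin/people/permissions print the
 *    "Give to trusted roles only" warning next to it.
 * 2. Tightens user/%user/edit so that only user/1 (or a holder of the
 *    bypass permission) can edit the user/1 account.
 */

/**
 * Implements hook_permission().
 */
function uid1_guard_permission() {
  return array(
    // Permission name is invented for this example.
    'bypass uid1 guard' => array(
      'title' => t('Bypass the user/1 edit guard'),
      'description' => t('Allows editing the user/1 account while not logged in as user/1.'),
      // Flags the permission as having security implications on the
      // permissions page.
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_menu_alter().
 *
 * Core routes user/%user/edit through user_edit_access(), which grants
 * access to anyone with 'administer users'. Replace it for that path only.
 */
function uid1_guard_menu_alter(&$items) {
  if (isset($items['user/%user/edit'])) {
    $items['user/%user/edit']['access callback'] = 'uid1_guard_user_edit_access';
    $items['user/%user/edit']['access arguments'] = array(1);
  }
}

/**
 * Access callback: like user_edit_access(), but user/1 is editable only by
 * user/1 itself or by a holder of the bypass permission defined above.
 *
 * @param object $account
 *   The account loaded from the %user path component.
 *
 * @return bool
 *   TRUE if the current user may edit $account.
 */
function uid1_guard_user_edit_access($account) {
  global $user;

  // Start from core's decision so every other account behaves as before.
  if (!user_edit_access($account)) {
    return FALSE;
  }

  // Changing user/1's password or e-mail from another account is an
  // account takeover, not administration.
  if ($account->uid == 1 && $user->uid != 1) {
    return user_access('bypass uid1 guard');
  }

  return TRUE;
}
```

After enabling the module, clear caches so the menu router is rebuilt and the altered access callback takes effect. The guard covers only the edit path; any other route that lets an "administer users" holder change another account's credentials (for example user cancellation, or contrib modules that add their own forms) needs the same treatment.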

Comments

#1

Attachment: admin_users_warning.patch (849 bytes)
Status: Idle
Test result: Passed: 14473 passes, 0 fails, 0 exceptions

#2

Status: active » needs review

oops, out of practice - carn bot, come git

#3

I'm all for this. I do think we should add a link on "security implications" to Untrusted execution of PHP.

#5

Status: needs review » reviewed & tested by the community

Simple patch, and makes total sense. This is one of the most dangerous permissions in Drupal (and will be even if the user/1 issue gets in, since it still allows you to hijack other accounts).

We do have #594412: Correctly label all site-owning super-admin permissions open as a critical bug to make sure that Drupal 7 doesn't get released without an audit of all core permissions to make sure we are labeling the correct ones, but there's no reason not to knock this big obvious one off now :)

#6

Status: reviewed & tested by the community » fixed

Committed to CVS HEAD. Thanks!

#7

Status: fixed » closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.