Posted by sime on October 28, 2009 at 5:49am
| Project: | Drupal core |
| Version: | 7.x-dev |
| Component: | user system |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed (fixed) |
Issue Summary
On suggestion from the security team, I'm providing this patch to warn administrators about the Administer Users permission.
This permission allows a user to edit user/1, change its password and therefore log in as user/1. More details here:
http://open.emspace.com.au/article/administer-users-sledgehammer-permission
For those who consider this a loophole, please review:
http://drupal.org/node/39636
Comments
#1
#2
oops, out of practice - carn bot, come git
#3
I'm all for this. I do think we should add a link on "security implications" to Untrusted execution of PHP.
#4
See also #248598: Label permissions which are warned about in the user interface and #594412: Correctly label all site-owning super-admin permissions
#5
Simple patch, and makes total sense. This is one of the most dangerous permissions in Drupal (and will be even if the user/1 issue gets in, since it still allows you to hijack other accounts).
We do have #594412: Correctly label all site-owning super-admin permissions open as a critical bug to make sure that Drupal 7 doesn't get released without an audit of all core permissions to make sure we are labeling the correct ones, but there's no reason not to knock this big obvious one off now :)
#6
Committed to CVS HEAD. Thanks!
#7
Automatically closed -- issue fixed for 2 weeks with no activity.