The administrative account (uid 1) is commonly targeted by attackers because this account has superuser privileges which cannot be blocked or limited. Attacks that do things like changing the administrator password, or even brute-force or social-engineering attacks, could compromise the administrator password. Because the administrative account has such wide privileges, it is a good idea to create a role for administrators and explicitly create these less privileged accounts. The administrative account can be unblocked by users with the "administer users" permission if you need to use the account at a later time. This model follows the general Unix one of not running as root.
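A minimal version of the check this issue asks for, written as an added example that is not the security_review module's own code or either attached patch; it assumes a Drupal 8+ site, uses only core user and role APIs, and is meant to be run with `drush php:script`:

```php
<?php

/**
 * @file
 * Added example, not the security_review module's own check or patch.
 *
 * Reports whether the uid 1 account is blocked, as the issue recommends,
 * and lists the roles holding "administer users", i.e. the roles whose
 * members could unblock uid 1 later if it is ever needed again.
 * Assumes a Drupal 8+ site; run via `drush php:script`.
 */

use Drupal\user\Entity\Role;
use Drupal\user\Entity\User;

/**
 * TRUE when the uid 1 account is blocked (or does not exist at all).
 */
function uid1_is_blocked(): bool {
  $account = User::load(1);
  if ($account === NULL) {
    return TRUE;
  }
  return $account->isBlocked();
}

/**
 * IDs of roles able to unblock uid 1. Role::hasPermission() already
 * returns TRUE for every permission on an "is_admin" role.
 */
function roles_that_can_unblock_uid1(): array {
  $ids = [];
  foreach (Role::loadMultiple() as $role) {
    if ($role->hasPermission('administer users')) {
      $ids[] = $role->id();
    }
  }
  return $ids;
}

$roles = roles_that_can_unblock_uid1();
if (uid1_is_blocked()) {
  print "OK: uid 1 is blocked.\n";
}
elseif (empty($roles)) {
  // Blocking uid 1 with no other way back in would lock administrators out.
  print "FINDING: uid 1 is active and no role holds 'administer users'; "
    . "create an administrator role first, then block uid 1.\n";
}
else {
  print "FINDING: uid 1 is active; block it (members of "
    . implode(', ', $roles) . " can unblock it if needed).\n";
}
```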
| Comment | File | Size | Author |
|---|---|---|---|
| #5 | 1244226-5.patch | 3.28 KB | smustgrave |
| #1 | 1244226-security-review-uid1.patch | 2.64 KB | Justin_KleinKeane |
Issue fork security_review-1244226
Comments
Comment #1
Justin_KleinKeane commented: Attaching a patch that adds functionality to test if the UID 1 account is blocked, for 6.x-1.x-dev.
Comment #2
greggles commented: This is an interesting idea. In general I'm opposed to special protections for uid 1 because really it's no more powerful than any other account that has "administer users" permission.
From a practical perspective, though, you make a good point that people are likely to try to attack that account more and therefore having extra protections for it is valuable.
Maybe we need different priorities? I feel like this is a lower priority recommendation after someone has done other fixes.
(Also, better status).
Comment #3
smustgrave (Mobomo) commented: As Drupal 6 has been EOL (https://www.drupal.org/about/drupal6-eol), closing as outdated.
Comment #4
greggles commented: This one feels still relevant to me, at least until #540008 ("Add a container parameter that can remove the special behavior of UID#1") is done.
Comment #5
smustgrave (Mobomo) commented: Rerolled for 2.0.x.
Comment #9
smustgrave (Mobomo) commented.