The administrative account (uid 1) is commonly targeted by attackers because it has superuser privileges that cannot be blocked or limited by permissions. Attacks that change the administrator password, or brute-force and social-engineering attacks, could compromise this account. Because the administrative account has such wide privileges, it is a good idea to create a role for administrators, explicitly create these less privileged accounts, and block uid 1. The administrative account can be unblocked by users with the "administer users" permission if you need to use the account at a later time. This model follows the general Unix practice of not running as root.
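As an added example (not code from the Security Review module or from the patch attached to this issue), the following script reports whether uid 1 is blocked and whether any other active account holds the "administer users" permission, so that blocking uid 1 does not lock every administrator out. It assumes a Drupal 8+ site bootstrapped by Drush (`drush php:script check_uid1.php`); the function name and the report format are this example's own.

```php
<?php
// Added example, not part of the Security Review module or this issue's patch.
// Run inside a Drupal site with: drush php:script check_uid1.php
// Assumes Drush has bootstrapped Drupal so the entity API is available.

use Drupal\user\Entity\Role;
use Drupal\user\Entity\User;

/**
 * Builds a report on the uid 1 account (hypothetical helper for this example).
 *
 * Returns whether uid 1 exists, whether it is blocked, and how many other
 * active accounts have a role granting "administer users".
 */
function uid1_report(): array {
  $admin = User::load(1);
  if ($admin === NULL) {
    return ['uid1_exists' => FALSE, 'uid1_blocked' => NULL, 'other_admins' => 0];
  }

  // Collect the role ids that grant "administer users". Role::hasPermission()
  // also returns TRUE for a role flagged is_admin, which is what we want here.
  $admin_rids = [];
  foreach (Role::loadMultiple() as $rid => $role) {
    if ($role->hasPermission('administer users')) {
      $admin_rids[] = $rid;
    }
  }

  // Count active accounts other than uid 1 that hold one of those roles.
  $other_admins = 0;
  if ($admin_rids) {
    $other_admins = (int) \Drupal::entityQuery('user')
      ->accessCheck(FALSE)
      ->condition('status', 1)
      ->condition('uid', 1, '<>')
      ->condition('roles', $admin_rids, 'IN')
      ->count()
      ->execute();
  }

  return [
    'uid1_exists' => TRUE,
    'uid1_blocked' => $admin->isBlocked(),
    'other_admins' => $other_admins,
  ];
}

$report = uid1_report();

if (!$report['uid1_exists']) {
  print "uid 1 does not exist; nothing to check.\n";
}
elseif ($report['uid1_blocked']) {
  print "OK: uid 1 is blocked.\n";
}
elseif ($report['other_admins'] === 0) {
  // Blocking uid 1 now would leave nobody able to administer users.
  print "WARNING: uid 1 is active and no other active account can administer users.\n";
  print "Create a dedicated administrator account first, then block uid 1.\n";
}
else {
  print "WARNING: uid 1 is active; {$report['other_admins']} other account(s) can administer users.\n";
  print "uid 1 can be blocked with: drush user:block --uid=1\n";
}
```

The report deliberately separates the two findings: an active uid 1 is the risk the check is about, while the count of other "administer users" accounts tells you whether the fix (blocking uid 1) is safe to apply right away. Blocking is reversible by any remaining user with that permission, as the summary notes.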


Comments

Justin_KleinKeane

Attaching a patch that adds functionality to test if the UID 1 account is blocked for 6.x-1.x-dev

greggles

Status: Active » Needs review

This is an interesting idea. In general I'm opposed to special protections for uid 1 because really it's no more powerful than any other account that has "administer users" permission.

From a practical perspective, though, you make a good point that people are likely to try to attack that account more and therefore having extra protections for it is valuable.

Maybe we need different priorities? I feel like this is a lower priority recommendation after someone has done other fixes.

(Also, better status).

smustgrave

Issue summary: View changes
Status: Needs review » Closed (outdated)

As Drupal 6 has been EOL (https://www.drupal.org/about/drupal6-eol), closing as outdated.

greggles

Version: 6.x-1.x-dev » 8.x-1.x-dev
Status: Closed (outdated) » Needs review

This one feels still relevant to me, at least until #540008: Add a container parameter that can remove the special behavior of UID#1 is done.

smustgrave

Version: 8.x-1.x-dev » 2.0.x-dev
File size: 3.28 KB

Rerolled for 2.0.x

ednark made their first commit to this issue’s fork.

  • smustgrave committed 0dd47424 on 2.0.x
    Issue #1244226: Check that uid 1 account is blocked
    
smustgrave

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.