Default configuration user Administrator role never expired.

Are there any security issues in this? Or is it valid for the default user role to never expire?

Comments

heni_deepak created an issue. See original summary.

heni_deepak’s picture

While I was testing the issue https://www.drupal.org/project/drupal/issues/987978#comment-14180067
I changed the Administrator role permission, and then the default user role never expired. Also, when I edit the user and remove all roles, the user still exists with the default Administrator role.

cilefen’s picture

Status: Needs review » Postponed (maintainer needs more info)
Issue tags: -assign administrator role +Needs steps to reproduce

I do not understand this bug report. Please post precise steps to reproduce. I also note that this is not the forum for security issues.

longwave’s picture

If this is related to the not-yet-committed patch in #987978: Move "administrator role" setting to new Role Settings form then please post your question in that issue instead, explaining what you thought should happen and what actually happened.

heni_deepak’s picture

@cilefen & @longwave
OK, let's start from the beginning. The default user that is created at the time of Drupal install and configuration. The default user administrator role never expires. If I changed the role of Administrator.

If I have created another role (like RoleForAdmin) and assigned an administrator role, then the default user's role (the user which is created by default configuration when installing Drupal) never expires as an administrator role.

cilefen’s picture

I do not understand the comment or what it would mean for a role to expire.

dww’s picture

Category: Bug report » Support request
Priority: Critical » Normal

Maybe @heni_deepak is confused about the behavior of UID 1?

The default user that is created at the time of Drupal install and configuration.

The UID 1 user always gets full administrative powers on the site, regardless of role settings...

aaronmchale’s picture

#540008: Add a container parameter that can remove the special behavior of UID#1 will remove all special privileges from UID 1, which I think will address the primary security concern here, although I'm also not entirely clear what is being suggested here.

heni_deepak’s picture

@dww you are right.
@aaronmchale also yes, is it right that the UID 1 user always gets full administrative powers on the site?

Is it right that it always keeps the powers?

And if we don't remove the superpowers for UID 1, then what is the role for the Administrator role?

cilefen’s picture

Status: Postponed (maintainer needs more info) » Closed (duplicate)

aaronmchale’s picture

@heni_deepak, the issue I linked above will change it so that user ID 1 is no longer a special super admin. It will mean that once that issue is committed (hopefully in time for 9.3), if you remove the administrator role from user ID 1, they will no longer have any administrator permissions and will act like any other user.

heni_deepak’s picture

:) Thanks.