I have a multi-site Drupal-6 installation containing websites of different customers.

On each site, there is an "administrator" role that includes mainly the customer's account. We want to give as many permissions as possible to this privileged user, but this could lead to security leaks when using just the Drupal Core permissions management system.

The main thing to avoid is the customer account being able to run PHP code on the server (that would be like being logged on the server as the www-data user.. sounds really bad).

To avoid that, it is not sufficient to deny PHP code evaluation for the role. Since the administrator role must have permissions to manage users, he could also change the password of user #1 and log in to the site as superadmin.

The second goal would be to also deny some "confusing" administrative pages (such as module selection) but not others (such as site information configuration, theme selection, etc.).

I found the User One module that seems to fix the first problem, but I have no idea how to solve the second one. I found some modules around, but none seems to fit.. it seems like most ACLs are meant to protect the content, and not the site itself, as if the site administrator were always the server owner itself..

+1  A: 

I feel your pain - quite a lot of the administrative functionality is insufficiently granular concerning access control options, and while there are many modules that address one or more specific shortcomings, I have not yet found the general module for this.

That said, and given your multi-site setup, you might want to take a closer look at the Domain Access module and its multiple 'offspring'. While mainly aimed at running a set of affiliate sites on different domains that share some content while keeping other content domain specific, it also contains many tweaks to assist in organizing and administrating such a setup. So it could offer some of the features you're looking for. But be warned - the module is quite a beast in complexity and I'd only recommend using it if it fits your setup in general, not to gain just one or two ACL features.

Henrik Opel
A: 

Remove administer users from the role so they can't change passwords. Encourage users to do password resets.

As for assigning user roles, you can use the Role Delegation module, and for node publishing, the Override Node Options module.

http://drupal.org/project/role_delegation

http://drupal.org/project/override_node_options

The second module will let you remove the 'administer nodes' permission, removing a lot of 'overreaching power' from the role.

Kevin
I am using the role_delegation module, and so the admin doesn't have the 'administer permissions' permission. But he needs the 'administer users' one to create/delete users. I fixed the user #1 password change issue with the user_one module, now I'm looking for a way to partialize permissions on the administration of the *site* itself, not just the content.. (i.e. admins should have the power to administer all the content, change theme and site info, but not change the module selection..)
redShadow
That may be tricky.
Kevin
A: 

You can delete the php module from the modules directory. As long as you are not using any php pages it can be removed.

Ed Haber
..of course.. but 1. (it's not a very clean method) 2. it doesn't solve other security problems.. I think the better solution I found ATM is to remove most privileges and write an ad-hoc administration panel with limited permissions / easier-to-use interface..
redShadow
A: 

I just wrote the PermMill module to fix the too-large permissions issue.

The code is not on the official drupal.org CVS yet, but coming soon..

I hope that this module could be useful to someone else who reaches this question.

[UPDATE] 2010-04-15 19:30 +0200: I just uploaded code to CVS, and the first 6.x-1.x-dev tarball is coming out tomorrow at about 0:00 AM GMT..

redShadow
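
For the second goal in the question (keep site information and theme pages, hide module selection), one approach is a small custom module that moves the module pages onto their own permission. This is an added example, not PermMill's code and not from any poster in this thread; the module name `restrict_modules` and the permission name `administer modules` are assumptions chosen for illustration.

```php
<?php
// restrict_modules.module (hypothetical Drupal 6 custom module).
// In Drupal 6 core the module pages, the site information page and the
// theme pages all check 'administer site configuration', so the role
// cannot be given one without the others. This module splits the module
// pages out onto a separate permission.

/**
 * Implementation of hook_perm().
 *
 * Declares the new permission so it appears on the permissions page.
 * The permission name is an assumption made for this example.
 */
function restrict_modules_perm() {
  return array('administer modules');
}

/**
 * Implementation of hook_menu_alter().
 *
 * Re-points every router item at or below admin/build/modules (list,
 * confirm, uninstall and anything contrib adds there) to the new
 * permission, so no sub-path keeps the broader core permission.
 */
function restrict_modules_menu_alter(&$items) {
  $base = 'admin/build/modules';
  foreach (array_keys($items) as $path) {
    if ($path == $base || strpos($path, $base . '/') === 0) {
      $items[$path]['access callback'] = 'user_access';
      $items[$path]['access arguments'] = array('administer modules');
    }
  }
}
```

The module also needs a `restrict_modules.info` file, and the menu router is rebuilt when the module is enabled or caches are cleared. User #1 still passes every `user_access()` check, so only that account keeps the module pages unless the new permission is granted to a role.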
