2.0.2: When installing, you can wander around with no accounts

Started by NanoSector, May 05, 2012, 02:25:49 PM

NanoSector

Hi!

So, someone was installing SMF today, and I decided to check if he was done yet.

I opened up the forum...
Latest member: (empty)

That means people are able to wander around, register and get a user with ID 1, possibly!

Perhaps force the maintenance mode, when installing?
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

Arantor

The odds are if you hit upon a forum during install where you're at the stage where it's usable but no admin user yet created, the admin will probably have created their account in the time it takes you to register.

I don't think it's a good idea to go through maintenance during install, it's only yet more things that will cause problems when the files aren't writable by users immediately after installing (and thus won't be able to get it out of maintenance mode)

NanoSector

Quote from: Arantor on May 05, 2012, 02:36:20 PM
The odds are if you hit upon a forum during install where you're at the stage where it's usable but no admin user yet created, the admin will probably have created their account in the time it takes you to register.
Yes, but it is a risk when you know someone is reinstalling SMF.

Quote
I don't think it's a good idea to go through maintenance during install, it's only yet more things that will cause problems when the files aren't writable by users immediately after installing (and thus won't be able to get it out of maintenance mode)
Maybe, but if you can write the database settings to Settings.php you can also write the maintenance setting, right?

Arantor

Yes, but there's a couple of operations since then and IIRC the installer actually tries to protect Settings.php again after changing the settings to make it safe (and it may not be able to change it back after)

It's not a 'risk' per se, there are no security implications, it's just a minor possible inconvenience and nothing more than that. I'm not even sure I'd class it as a bug (and I certainly have no plans to fix it in my own stuff)

NanoSector

Quote from: Arantor on May 05, 2012, 03:54:11 PM
Yes, but there's a couple of operations since then and IIRC the installer actually tries to protect Settings.php again after changing the settings to make it safe (and it may not be able to change it back after)

It's not a 'risk' per se, there are no security implications, it's just a minor possible inconvenience and nothing more than that. I'm not even sure I'd class it as a bug (and I certainly have no plans to fix it in my own stuff)
Well, I would call it a risk, since the database doesn't have a user with id 1 and the next user will get ID 1.

Arantor

How, exactly, is that a risk? There are no security concerns about user id 1, there are no account escalation risks. All it means is you have people think there's something special about user id 1, but there really, really isn't.

NanoSector

Quote from: Arantor on May 05, 2012, 04:36:14 PM
How, exactly, is that a risk? There are no security concerns about user id 1, there are no account escalation risks. All it means is you have people think there's something special about user id 1, but there really, really isn't.
Didn't user ID 1 get all permissions?

AFAICR that's the case. Might have changed/not been the case at all.
If it isn't, just ignore me with this report :P

Arantor

No, user 1 does not get any permissions special to that account. When the admin account is created, it is given group 1 as part of that creation, which is what makes it an administrative account, not that it's account 1. In fact, account 1 always being an administrator is a risk in itself if for example an admin steps down you wouldn't be able to de-admin him without modifying his account at the DB level.
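
The point made in the reply above, as an added example that is not part of the thread or SMF's own code: administrative rights follow membership of group 1, not member ID 1, so an install that was briefly reachable can be audited by listing the group-1 members and any account registered before the first administrator. The table layout is a simplified assumption and every row is constructed sample data.

```python
import sqlite3

ADMIN_GROUP = 1  # the administrator group named in the reply above

def build_sample_db():
    """Constructed sample data in a simplified members table (assumed columns)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE members (
        id_member INTEGER PRIMARY KEY, member_name TEXT,
        date_registered INTEGER, id_group INTEGER, additional_groups TEXT)""")
    db.executemany("INSERT INTO members VALUES (?,?,?,?,?)", [
        (1, "drive_by", 1336227900, 0, ""),    # registered mid-install, got ID 1
        (2, "site_admin", 1336228200, 1, ""),  # account created by the installer
        (3, "helper", 1336314600, 0, "2,1"),   # admin through an additional group
        (4, "regular", 1336401000, 0, ""),
    ])
    return db

def groups_of(row):
    """All group ids of one member: primary group plus comma-separated extras."""
    extra = {int(g) for g in row["additional_groups"].split(",") if g.strip()}
    return {row["id_group"]} | extra

def audit(db):
    """Return (admin names, names of non-admins registered before the first admin)."""
    db.row_factory = sqlite3.Row
    rows = db.execute("SELECT * FROM members ORDER BY date_registered").fetchall()
    admins = [r for r in rows if ADMIN_GROUP in groups_of(r)]
    first_admin = min((r["date_registered"] for r in admins), default=None)
    early = [r["member_name"] for r in rows
             if ADMIN_GROUP not in groups_of(r)
             and first_admin is not None
             and r["date_registered"] < first_admin]
    return [r["member_name"] for r in admins], early

if __name__ == "__main__":
    admins, early = audit(build_sample_db())
    print("administrators:", admins)
    print("registered before the first admin:", early)
```

In the sample, the account holding ID 1 shows up only in the second list: it registered during the install window but has no administrative rights, because it is not in group 1.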

NanoSector

Quote from: Arantor on May 05, 2012, 05:25:30 PM
No, user 1 does not get any permissions special to that account. When the admin account is created, it is given group 1 as part of that creation, which is what makes it an administrative account, not that it's account 1. In fact, account 1 always being an administrator is a risk in itself if for example an admin steps down you wouldn't be able to de-admin him without modifying his account at the DB level.
Yeah, I'm always confusing these two it seems :P

Never mind this report, then.