Admin Security

Started by kota069, April 01, 2009, 07:24:55 PM

kota069

My search(s) didn't produce anything that addresses this specifically...

Is it normal on 1.x or 2.x to be able to delete the account of the ROOT Admin?

I've been under the impression that it was impossible to delete the ROOT Admin.

I tested this today on 1.x and 2.x and a member w/ Admin permissions was able to delete the account of the root Admin.

Is this normal and has it always been the case?

spearfish

Yeah.  I'm fairly certain it's always been like this.  Trust me, I've fought the permission battle before... I do believe there should be the concept of a root admin, though I don't see one right now.  Maybe a mod could handle it.

kota069

Quote from: spearfish on April 01, 2009, 07:28:30 PM
Yeah.  I'm fairly certain it's always been like this.  Trust me, I've fought the permission battle before... I do believe there should be the concept of a root admin, though I don't see one right now.  Maybe a mod could handle it.

Thanks for your reply...

Wow, that's an eye-opener.  I know IPB is Root Admin protected as (I think/thought) most other Boardwares are.  I guess I just assumed SMF was too.  I was quite shocked to find out it's not.

It isn't difficult to get back in using the database but a lot of seemingly un-necessary trouble.

Thanks again.

spearfish

Yeah.  I might try to roll out a mod soon to cover this, since I really think it's a big issue.  It probably wouldn't be hard either -- so don't give up on SMF just yet ;) .

Lady Godiva

I agree this mod is needed

spearfish

I'm working on it right now :) .  Right now I am testing to see what happens when an administrator gets the privileges of things like posting, or logging in taken away from him.  If he can still do that, then the mod becomes much simpler: You only need to watch out for his account being deleted or stripped of administrative powers.

Update:

$user_info['is_guest'] = false;
$user_settings['additional_groups'] = explode(',', $user_settings['additional_groups']);
$user_info['is_admin'] = $user_settings['id_group'] == 1 || in_array(1, $user_settings['additional_groups']);

// Are you banned?
is_not_banned(true);

i.e., Admins are immune to all bannings - email, IP, etc., as long as they can log in.  Excellent.
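The two conditions spearfish says a mod would have to watch for (the root account being deleted, or its groups changed so that it no longer passes the is_admin test quoted above) can be expressed as a small guard. The following is an added illustration, not SMF code and not the Superadmin mod; the function names, the $root_id parameter (defaulting to the install account, id_member 1) and the sample member rows are assumptions made for the example. The admin test mirrors the line quoted from SMF: group 1 as primary group, or 1 among additional_groups.

```php
<?php
// Added example, not SMF's own code. Guards the root admin account against
// the two operations named in the thread: deletion, and a group change that
// would strip administrative powers. ADMIN_GROUP is SMF's admin group id (1).
const ADMIN_GROUP = 1;

/** Mirror of the is_admin test from SMF's user loading code quoted above. */
function is_admin_member(array $member): bool
{
    // additional_groups is stored as a comma-separated string in the DB,
    // but accept an already-exploded array too (as SMF does after loading).
    $additional = is_array($member['additional_groups'])
        ? $member['additional_groups']
        : array_filter(explode(',', (string) $member['additional_groups']), 'strlen');

    return (int) $member['id_group'] === ADMIN_GROUP
        || in_array(ADMIN_GROUP, array_map('intval', $additional), true);
}

/** Drop the root admin from any list of member ids about to be deleted,
 *  regardless of who requested the deletion (so the root admin cannot delete
 *  himself either, which kota069 asked for). */
function filter_deletable(array $member_ids, int $root_id = 1): array
{
    return array_values(array_filter($member_ids, function ($id) use ($root_id) {
        return (int) $id !== $root_id;
    }));
}

/** Refuse a group change to the root admin row that would leave it non-admin.
 *  $before and $after are member rows with id_member, id_group and
 *  additional_groups (constructed shape for this example). */
function allow_group_change(array $before, array $after, int $root_id = 1): bool
{
    if ((int) $before['id_member'] !== $root_id) {
        return true;               // only the root account is protected
    }
    return is_admin_member($after);
}

// Constructed sample rows (not real data).
$root       = ['id_member' => 1, 'id_group' => 1, 'additional_groups' => ''];
$demoted    = ['id_member' => 1, 'id_group' => 0, 'additional_groups' => '2,3'];
$stillAdmin = ['id_member' => 1, 'id_group' => 2, 'additional_groups' => '1'];

var_dump(filter_deletable([1, 5, 9]));             // [5, 9]: root id removed
var_dump(allow_group_change($root, $demoted));     // bool(false): would strip admin
var_dump(allow_group_change($root, $stillAdmin));  // bool(true): still admin via group 1
```

Wiring these checks into the places where SMF deletes members or saves a profile's groups is what a mod like the Superadmin one mentioned later in the thread does; the point of the guard is that it is applied server-side on every such request, not only hidden in the admin UI, and that it treats the root admin's own requests no differently from anyone else's.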

kota069

Quote from: spearfish on April 01, 2009, 09:22:56 PM
...when an administrator gets the privileges of things like posting, or logging in taken away from him.  If he can still do that, then the mod becomes much simpler: You only need to watch out for his account being deleted or stripped of administrative powers.

... i.e., Admins are immune to all bannings - email, IP, etc., as long as they can log in.  Excellent.

I'm not following you here...

I'm referring to mem_id 1: the Admin 'account' that's set up at install. -

... not being able to delete (or alter) that account.  Not even himself - that is without file edits.

Am I making sense?

Tyrsson

There is already a mod that covers this called Superadmin in the mod site.
PM at your own risk, some I answer, if they are interesting, some I ignore.

spearfish

Oh hey.

Then use that :) .  Good catch Tyrsson.

Tyrsson

No problem :)

I used the mod on a site I was admin on for awhile and it works very well as long as it's installed correctly :)

Tyrsson

Please do not post double topics on the same support issue. Since both posts are on the same issue I have merged your topics.