The Importance of User Roles and Permissions for Site Security
Rethink your roles
When discussing site security we often use words like "attacker", "malicious user" or "untrusted" to describe site visitors who may be intent on abusing resources, stealing data, or altering it. Within Drupal, visitors can achieve these goals only through the permissions granted to their roles. This is the key point: think of visitors in terms of the roles they hold and the permissions you have granted those roles. Then, instead of thinking only about trusted vs. untrusted users, you are thinking about trusted vs. untrusted roles.
On your site, which roles are trusted and which are untrusted? What permissions have you given to those roles? What permissions have you granted to the Anonymous role, and thus to every anonymous visitor? As you build and add features to your site you are also widening the attack surface. If you allow users to create accounts without administrator approval, you should also consider what permissions you've granted the Authenticated role. Can authenticated users create content or post comments without approval?
Know the defaults
Community contributed modules as a whole are less secure than Drupal core, so it is especially important to be cautious about administrative permissions introduced by contributed modules. Role management can be burdensome, so there are modules that grant roles to users upon account creation; know what those defaults are. Most Security Advisories for contributed modules concern cross-site scripting vulnerabilities, which often exist on module administration screens where user-supplied data is not properly filtered, so an administrative permission handed to the wrong role exposes exactly those screens. Whenever possible, apply the principle of least privilege and give roles only the permissions they absolutely need. Assign those roles to users based on trust and on which features genuinely need to be exposed.
"Super-permissions"
A few Drupal permissions should never be added to untrusted roles, as they grant, directly or indirectly, full control of your site. These permissions are:
- Administer filters
- Administer users
- Administer permissions
- Administer content types
- Administer site configuration
To help keep your site secure, rethink which roles are trusted and untrusted, then evaluate what roles are granted to which users.
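A worked example, added here and not part of the original article or of Drupal itself: a small Python audit that applies the super-permission list above (plus the "anything with PHP in it" rule raised in the comments) to a copy of Drupal 7's `role` and `role_permission` tables, and reports every grant of such a permission to a role you have not explicitly marked as trusted. The table layout follows Drupal 7 (rid 1 is Anonymous, rid 2 is Authenticated); the role names, the `editor` role and all the permission grants are constructed sample data, and `trusted_rids` is an assumed parameter you would set for your own site.

```python
import sqlite3

# Permissions the article says should never go to untrusted roles.
SUPER_PERMISSIONS = {
    "administer filters",
    "administer users",
    "administer permissions",
    "administer content types",
    "administer site configuration",
}

# Drupal 7 reserves rid 1 for Anonymous and rid 2 for Authenticated;
# these are treated as untrusted no matter what the caller passes.
UNTRUSTED_RIDS = {1, 2}


def is_super_permission(perm: str) -> bool:
    """True for the listed super-permissions and for any permission
    whose name mentions PHP (code execution by another name)."""
    return perm in SUPER_PERMISSIONS or "php" in perm.lower()


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory copy of Drupal 7's role / role_permission
    tables with a few deliberate misconfigurations to find."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE role (
            rid INTEGER PRIMARY KEY, name TEXT NOT NULL, weight INTEGER DEFAULT 0);
        CREATE TABLE role_permission (
            rid INTEGER, permission TEXT, module TEXT, PRIMARY KEY (rid, permission));
    """)
    conn.executemany("INSERT INTO role VALUES (?, ?, ?)", [
        (1, "anonymous user", 0),
        (2, "authenticated user", 1),
        (3, "administrator", 2),
        (4, "editor", 3),            # constructed non-admin role
    ])
    conn.executemany("INSERT INTO role_permission VALUES (?, ?, ?)", [
        (1, "access content", "node"),
        (2, "access content", "node"),
        (2, "post comments", "comment"),
        (2, "administer users", "user"),             # constructed mistake
        (3, "administer permissions", "user"),
        (3, "administer site configuration", "system"),
        (4, "administer content types", "node"),     # constructed mistake
        (4, "use PHP for settings", "php"),          # constructed mistake
    ])
    return conn


def audit_roles(conn: sqlite3.Connection, trusted_rids: set) -> list:
    """Return (role name, permission) pairs where a role that is not in
    trusted_rids (Anonymous and Authenticated never are) holds a
    super-permission. Empty list means the site passes this check."""
    trusted = set(trusted_rids) - UNTRUSTED_RIDS
    rows = conn.execute("""
        SELECT r.rid, r.name, p.permission
        FROM role_permission p JOIN role r ON r.rid = p.rid
        ORDER BY r.rid, p.permission
    """).fetchall()
    return [(name, perm) for rid, name, perm in rows
            if rid not in trusted and is_super_permission(perm)]


if __name__ == "__main__":
    db = build_sample_db()
    # Only the administrator role (rid 3) is trusted on this sample site.
    for role_name, perm in audit_roles(db, trusted_rids={3}):
        print(f"untrusted role '{role_name}' holds super-permission '{perm}'")
```

Run against a real site, the same query could be pointed at the live database (or at a dump of it) rather than the constructed sample; the point of the check is that it is driven by the list of roles you have decided to trust, so any grant that falls outside that decision stands out as a finding to explain or revoke.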
Comments
Super-Permissions
Seems to me that, starting with Drupal 7, it would have been interesting to restrict the super-user permissions from ever being given to roles 1 & 2. Since we automatically create an admin role in 7, there's really no reason for those permissions to ever go to anonymous or authorized users.
Well, someone could open a
Well, someone could open a site to administration by everyone as an experiment.
Need to restrict the permissions
Yes, I think we certainly need to take away any permissions from the Anonymous and Authorized roles, and they shouldn't be able to get any permissions even when the superadmin wants to give them. For this, the superadmin has to explicitly create a role and give it enhanced permissions.
I hope a future Drupal release will have this restriction so that site security is not compromised even accidentally.
A few Drupal permissions
And anything with the word "PHP" in it including "use PHP for block visibility".
Right now I need to be able
Right now I need to be able to set a role that can alter a user's role without having access to permissions.
Does anybody have an idea how to go about that one?
Permission to change users gives you no access to roles as you have when you first enter the user.
Permission to change permissions gives you access to all permissions.
I want to give my clients permission to change a user's role, but I retain the right to alter the permissions for each role.
I'm using Drupal 6.
Role Delegation
Hi
I had the same issue and came across your post while looking for a solution. I finally found it in the Role Delegation module.
I hope that this helps you out
http://drupal.org/project/role_delegation
Cheers
Phil
There are so many
There are so many unauthorized users who constantly try to invade others' privacy. It really gets frustrating, and I don't understand what satisfaction they get from behaving in such a manner.