The Importance of User Roles and Permissions for Site Security

Ben Jeavons — Tue, 10 Nov 2009 19:18:49 +0000

Rethink your roles

When discussing site security we often use words like "attacker", "malicious user" or "untrusted" to define site visitors who may be intent on abusing resources, stealing, or altering data. Within Drupal, visitors can achieve these goals using the permissions granted to their roles. This is the key component. We have to think of visitors in terms of what roles they have and what permissions we've granted those roles. Then instead of just thinking about trusted vs. untrusted users, we are thinking about trusted vs. untrusted roles.

On your site, which roles are trusted and which are untrusted? What permissions have you given to those roles? What permissions have you granted to the Anonymous role and thus to anonymous visitors? As you build and add features to your site you are also widening the available points for attack. If you have allowed users to create accounts without administrator approval you should also consider what permissions you've granted the Authenticated role. Can authenticated users create content or post comments without approval?

Know the defaults

Community contributed modules as a whole are more insecure than Drupal core so it's especially important to be cautious about administrator permissions created by contributed modules. Role management can be burdensome so there are modules that grant roles to users upon account creation. Know the defaults, because most Security Advisories for contributed modules are because of cross-site scripting vulnerabilities and often exist on module administration screens where user-supplied data is not properly filtered. Whenever possible, utilize the principle of least privilege and give roles only the permissions they absolutely need. Grant those roles appropriately based on trust and what features need to be exposed for use.

"Super-permissions"

A few Drupal permissions should never be added to untrusted roles, as they allow or open up full control of your site. These permissions are:

Administer filters
Administer users
Administer permissions
Administer content types
Administer site configuration

To help keep your site secure, rethink which roles are trusted and untrusted, then evaluate what roles are granted to which users.

Drupal Security presentation slides from BADCamp

Ben Jeavons — Sun, 18 Oct 2009 19:33:49 +0000

At the Bay Area Drupal Camp yesterday I presented on Drupal Security for site administrators and beginners which covered some of the important ways you can protect your site from attacks through configuration of Drupal core. Attached are the slides from the presentation.

Attachment	Size
drupal_security_badcamp09.pdf	465.01 KB

Drupal text filtering decision cheat sheet

greggles — Thu, 08 Oct 2009 16:39:54 +0000

This flowchart is based on the one that Heine Deelstra presented at Drupalcon Paris.

I'm hopeful that the presentation will be helpful in eliminating Drupal's most common security issue!

Attachment	Size
filtering_text.pdf	55.82 KB

Cracking Drupal - Drupal