Avoid creation of administrator role during installation with default profile

Created on 10 November 2014, over 10 years ago
Updated 21 April 2025, 4 months ago

Hi everybody,

As I stated here (https://www.drupal.org/node/2370057), I think that it is really a risky security issue that on the default installation profile a role with role id 3 is created as the administrator role. Due to the Drupalgeddon security issue, I found several projects where hacker-created users got this role id 3 by default. For sure hackers have much success when they are able to create users through a security gap and give them this role id, as many Drupal site builders and programmers will not have changed this role pre-defined by the installation profile.

My suggestion:
- avoid creation and pre-defining of administration role in any installation profile in core

Best,
Tobias
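
A defender-side audit for the situation described in the post above, as an added example that is not part of the original issue and not Drupal's own code. It assumes the Drupal 7 table names `users`, `users_roles` and `role`; the sample rows and the `expected_uids` allowlist are constructed for illustration, and SQLite stands in for the site database so the script runs offline.

```python
import sqlite3

ADMIN_RID = 3  # administrator role id named in the issue above

def build_sample_db():
    """Constructed sample data using Drupal 7 table and column names (assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, created INTEGER, status INTEGER);
        CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
        INSERT INTO role VALUES (1,'anonymous user'),(2,'authenticated user'),(3,'administrator');
        INSERT INTO users VALUES
            (1,'admin',1388534400,1),
            (7,'editor_anna',1400000000,1),
            (42,'site_maintainer',1405000000,1),
            (913,'zx_helper',1413417600,1);
        INSERT INTO users_roles VALUES (1,3),(42,3),(913,3);
    """)
    return db

def audit_admin_role(db, expected_uids, rid=ADMIN_RID):
    """Return accounts that hold role `rid` but are not on the expected list."""
    rows = db.execute(
        """SELECT u.uid, u.name, u.created, u.status, r.name
           FROM users_roles ur
           JOIN users u ON u.uid = ur.uid
           LEFT JOIN role r ON r.rid = ur.rid
           WHERE ur.rid = ?
           ORDER BY u.created""",
        (rid,),
    ).fetchall()
    # Keep only role holders that nobody on the team signed off on.
    return [
        {"uid": uid, "name": name, "created": created,
         "active": bool(status), "role": role}
        for uid, name, created, status, role in rows
        if uid not in expected_uids
    ]

if __name__ == "__main__":
    # expected_uids is a hypothetical allowlist of known administrators.
    for hit in audit_admin_role(build_sample_db(), expected_uids={1, 42}):
        print("unexpected administrator:", hit)
```

Any row it returns is an account holding the administrator role that the site owners did not put on the allowlist and should be reviewed.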

📌 Task
Status

Postponed: needs info

Version

11.0 🔥

Component

install system

Created by

🇩🇪 Germany tobiberlin Berlin, Germany

  • stale-issue-cleanup

    To track issues in the developing policy for closing stale issues, [Policy, no patch] closing older issues


Comments & Activities


  • 🇺🇸 United States smustgrave

    Thank you for creating this issue to improve Drupal.

    We are working to decide if this task is still relevant to a currently supported version of Drupal. There hasn't been any discussion here for over 8 years which suggests that this has either been implemented or is no longer relevant. Your thoughts on this will allow a decision to be made.

    Since we need more information to move forward with this issue, the status is now Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.

    Thanks!

  • Status changed to Closed: outdated 2 days ago
  • 🇺🇸 United States smustgrave

    Since there's been no follow-up and not creating this role would be highly disruptive, going to close out.
