Contrib.social

Require password for certain admin actions

Open on Drupal.org →
Created on 27 January 2025, 7 months ago

Problem/Motivation

Project browser allows installing new functionality to a site. This could be used by a malicious person who has taken over someone’s account, either by social engineering, or exploiting an XSS or other vulnerability which allows account takeover. The new functionality could chain to widen the initial vulnerability scope. For example, installing PHP module or adding backup & migrate to exfiltrate data.

This isn’t unique to project browser installing a module, there are other important actions which could be used by attackers to escalate security problem. For example, maybe setting an admin user’s password. These places could use an extra confirmation that the person is indeed who they say they are.

Examples from other systems:

  • MacOS system settings requires unlocking some settings
  • GitHub requires 2-factor-authentication for setting up webhooks

Proposed resolution

A common way to confirm a person would be good to have in core.

Asking for someone’s password to confirm would be a good first step. There might be a way to disable this in settings.php for development and environments where Drupal isn’t doing password authentication. A system to extend/override the confirmation would be ideal, but might be able to wait for a followup issue.

To avoid password fatigue, unlocking should persist for some time period, like an hour or two.

Remaining tasks

  • Figure out some details
  • Implement
  • Keep track of followups that aren’t needed for the initial feature

User interface changes

Yes, there is new UI for this.

Introduced terminology

Something along the lines of “unlock to make changes”

API changes

Should be usable by modules

Data model changes

Release notes snippet

Feature request
Status

Active

Version

11.1 🔥

Component

user system

Created by

🇺🇸United States drumm NY, US

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Sign in to follow issues

Comments & Activities

  • Issue created by @drumm
  • Comment 7 months ago
    🇳🇿New Zealand quietone
  • Comment 7 months ago
    cilefen

    Could we consider re-branding this as "Require re-authentication for certain admin actions", to include more authentication setups?

  • Comment 4 months ago
    🇺🇸United States greggles Denver, Colorado, USA

    #3 makes a ton of sense to me. That would let sites do TFA codes as well if appropriate.

  • Comment 4 months ago
    🇬🇧United Kingdom catch

    I forgot this issue existed and opened 📌 Require password confirmation to install new code Active against project browser. Cross-linking the two issues.

  • Comment about 1 month ago
    🇺🇸United States phenaproxima Massachusetts

    Implementation idea: a route option (_reauthenticate: true) which redirects you to a reauthentication page, then forwards you on to the original destination if you pass the authentication.

  • Comment about 1 month ago
    🇬🇧United Kingdom catch

    We'll need this for 📌 Allow composer location to be configured via the UI Active too.

  • Comment 11 days ago
    🇬🇧United Kingdom catch

    Implementation idea: a route option (_reauthenticate: true) which redirects you to the login page (with your username pre-filled), then forwards you on to the original destination if you pass the authentication.

    This is interesting although not sure exactly how it'd work yet.

    The way I'd assumed this would happen is that we'd add a confirmation form to every place that needs this, that then also required adding the password (or some other auth method if supported). So you'd submit whichever form 'as normal' but then re-authentication would kick in after that. One issue with this could be consistency - modules would need to implement the confirmation form every time, even if we add a trait etc. to make that easier.

    Re-authentication before being able to get to the form at alll would potentially help in cases that information on the form might be sensitive.

    If we go for the route option, we'd need a new re-authentication route in system.module that's a password form by default but extensible/replaceable by other auth methods. Don't think it needs the username on it because you already know that if you're logged in.

    But also we'll need to store that the user has re-authenticated in a reliable way so they don't end up in an infinite loop. Would putting a timestamp into session be enough? Then we could check the timestamp before the redirect, and that's also an easy way to implement a re-authentication frequency setting without having to use the flood API - just make the recency of the timestamp configurable somewhere.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024