neen Posted October 23, 2006
Is this supposed to be a "feature"?! This seems like a very great security risk. What if someone turns rogue and decides to wipe out half the forums? I know I can restrict them in the ACP... but this seems kind of... silly, to not be able to demote another admin when you are the root admin.
neen Posted October 23, 2006
No, it won't let me. When I load their profile in the ACP, it says this under Member Group Options:
Primary Member Group: Root Admin or Administrator (Can't Change)
When I try to edit my own profile, it tells me: "You are not permitted to edit root administrators."
New Display Name Posted October 23, 2006
I just demoted an admin down to member and back again, no problem. I then made them root admin, and then demoted them again. It looks like you're doing something wrong, or you're admin and they're root admin.
Root0101 Posted October 23, 2006
> No, it won't let me. When I load their profile in the ACP, it says this under Member Group Options:
> Primary Member Group: Root Admin or Administrator (Can't Change)
> When I try to edit my own profile, it tells me: "You are not permitted to edit root administrators."

Are you sure? I can edit every admin's profile. Are you in the root admin group?
neen Posted October 23, 2006
> Are you sure? I can edit every admin's profile. Are you in the root admin group?

I'm positive, and yes I am in the root admin group (as my secondary group), as specified by the error message above.
Root0101 Posted October 23, 2006
> I'm positive, and yes I am in the root admin group (as my secondary group), as specified by the error message above.

Well I tested it, and true enough, you will not be able to edit any root administrator if you're in secondary group as root admin. Perhaps you need root admin as your primary group to do that. :)
theclub Posted October 23, 2006
If you're a root admin as a secondary group you are not a true root admin, should you be editing other admin, or are you just getting some hacking practice in? :rolleyes:
Jason H Posted October 23, 2006
> If you're a root admin as a secondary group you are not a true root admin, should you be editing other admin, or are you just getting some hacking practice in? :rolleyes:

*DING*
If you're a root admin as a secondary account, you are only an admin. Try going to ACP->Admin->SQL Toolbox. You can't do that either.
neen Posted October 23, 2006
> If you're a root admin as a secondary group you are not a true root admin, should you be editing other admin, or are you just getting some hacking practice in? :rolleyes:

Well, it's my own board. The reason I did that was because I didn't want users to see the difference between the two groups - I wanted them to appear as one, but I don't want the other admins in the root admin group. Technically, it should work as expected, since you are supposed to inherit greater permissions! So, can we confirm this as a bug? Or is this actually a feature?
Why Two Kay Posted October 23, 2006
It's been there as long as there has been a difference between "Root Admin" and "Admin". I believe it's a security feature.
theclub Posted October 23, 2006
> So, can we confirm this as a bug? Or is this actually a feature?

It's a feature.
widnes limousines Posted October 23, 2006
DOH!!!! :lol: :huh: :unsure: :whistle: :ph34r: :shifty: >_<
neen Posted October 23, 2006
It seems more like a bug, since you are supposed to inherit the greater permissions...
Mat Barrie Posted October 23, 2006
> It seems more like a bug, since you are supposed to inherit the greater permissions...

Except that IPS widely recognises having Administrators/Root Administrators as a Secondary Group is a security risk because it is all too easy for them to go unnoticed by the administration. This is a feature not a bug and IMO should stay as it is.
S.D. Posted October 23, 2006
> It's been there as long as there has been a difference between "Root Admin" and "Admin". I believe it's a security feature.

but it was only implemented correctly in 2.1.x
you can promote yourself to root admin in 2.0.x and below
S.D. Posted October 23, 2006
> Except that IPS widely recognises having Administrators/Root Administrators as a Secondary Group is a security risk because it is all too easy for them to go unnoticed by the administration. This is a feature not a bug and IMO should stay as it is.

"List All Administrators" in Admin CP shows who has admin access through a secondary group
bfarber Posted October 23, 2006
If you have member A who is a primary root admin, and member B who is a secondary root admin account, we don't want member A being able to edit member B's status - in 99% of most cases, member B would be "higher up" than member A. It's working as intended.
neen Posted October 23, 2006
> If you have member A who is a primary root admin, and member B who is a secondary root admin account, we don't want member A being able to edit member B's status - in 99% of most cases, member B would be "higher up" than member A. It's working as intended.

My setup is this: I have many admin on my site. I want to appear as one of these admin to normal members, and be in the same group as these admin, but I want to have the "power" of the root admin. It seems to me that there should be some sort of override available to someone in the primary root admin group. What it could do is grant "root admin" powers through a checkbox in the Member Group part of a user's profile. Naturally, only someone in the root admin group should be able to do this, and it should require the user's secondary group to be set to the root admin group. Is there a solution to this aside from putting them all in the admin group?
Mat Barrie Posted October 23, 2006
> "List All Administrators" in Admin CP shows who has admin access through a secondary group

That was a VERY recent change. Until then, you'd have no idea until they launched a full scale attack that they held administrative privileges
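The concern in the posts above, that admin-level access held through a secondary group is easy to overlook, can be checked with an audit along these lines. This is an added example, not IPB code and not written by any poster; the group ids, group names, member names and the comma-separated secondary-group string are all assumptions.

```python
# Constructed sample data. Group ids, names and the comma-separated
# secondary-group string are assumptions, not taken from a real board.
ROOT, ADMIN, MEMBER = 4, 6, 3
GROUPS = {ROOT: ("Root Admin", True), ADMIN: ("Administrator", True),
          MEMBER: ("Members", False)}  # id -> (name, grants ACP access)

MEMBERS = [
    ("owner", ROOT, ""),
    ("site_admin", ADMIN, "4"),     # root admin only as a secondary group
    ("helper", MEMBER, ",6,"),      # shown as a member, can reach the ACP
    ("regular", MEMBER, ""),
    ("stale", MEMBER, "6,99"),      # 99: group id that no longer exists
]

def parse_secondary(raw):
    """Split a comma-separated id list, ignoring empty fields."""
    return [int(p) for p in raw.split(",") if p.strip()]

def audit(members, groups=GROUPS):
    """Report accounts whose ACP access is not visible from the primary group."""
    findings = []
    for name, primary, raw in members:
        secondary = parse_secondary(raw)
        unknown = [g for g in secondary if g not in groups]
        elevated = [groups[g][0] for g in secondary
                    if g in groups and groups[g][1] and g != primary]
        if not elevated and not unknown:
            continue
        findings.append({
            "member": name,
            "shown_as": groups[primary][0],
            "acp_via_secondary": elevated,
            # Per the thread, root admin held only as a secondary group
            # does not give root powers, but it still needs review.
            "secondary_root_only": ROOT in secondary and primary != ROOT,
            "unknown_group_ids": unknown,
        })
    return findings

if __name__ == "__main__":
    for finding in audit(MEMBERS):
        print(finding)
```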
Mat Barrie Posted October 23, 2006
> My setup is this: I have many admin on my site. I want to appear as one of these admin to normal members, and be in the same group as these admin, but I want to have the "power" of the root admin. It seems to me that there should be some sort of override available to someone in the primary root admin group. What it could do is grant "root admin" powers through a checkbox in the Member Group part of a user's profile. Naturally, only someone in the root admin group should be able to do this, and it should require the user's secondary group to be set to the root admin group. Is there a solution to this aside from putting them all in the admin group?

Can I just quickly ask WHY you'd want to do this? There really isn't a benefit to it. If you really must not be a Root Administrator, just create a second account and rebind all your posts to it - and have the Root Administrator as a "Do Not Use Except In Case Of Emergency" thing. In fact, that also improves your security in the same way as on Windows you shouldn't browse the internet logged in as Administrator.
neen Posted October 24, 2006
> Can I just quickly ask WHY you'd want to do this? There really isn't a benefit to it. If you really must not be a Root Administrator, just create a second account and rebind all your posts to it - and have the Root Administrator as a "Do Not Use Except In Case Of Emergency" thing. In fact, that also improves your security in the same way as on Windows you shouldn't browse the internet logged in as Administrator.

I can do that, and I thought of doing that actually. I wanted to do it this way because it made it easier. I just wanted the members to see me in the same group as the others, since we are really all equal.
neen Posted October 24, 2006
> Can I just quickly ask WHY you'd want to do this? There really isn't a benefit to it. If you really must not be a Root Administrator, just create a second account and rebind all your posts to it - and have the Root Administrator as a "Do Not Use Except In Case Of Emergency" thing. In fact, that also improves your security in the same way as on Windows you shouldn't browse the internet logged in as Administrator.

I can do that, and I thought of doing that actually. I wanted to do it this way because it made it easier. I just wanted the members to see me in the same group as the others, since we are really all equal.
neen Posted October 24, 2006
> Can I just quickly ask WHY you'd want to do this? There really isn't a benefit to it. If you really must not be a Root Administrator, just create a second account and rebind all your posts to it - and have the Root Administrator as a "Do Not Use Except In Case Of Emergency" thing. In fact, that also improves your security in the same way as on Windows you shouldn't browse the internet logged in as Administrator.

I can do that, and I thought of doing that actually. I wanted to do it this way because it made it easier. I just wanted the members to see me in the same group as the others, since we are really all equal.
.KX Posted October 24, 2006
Nice triple post. Well if you are all equal then just make 'em all Root's LOL.
Archived
This topic is now archived and is closed to further replies.