The Clash Posted August 11, 2007
Well, I've been forum-ing for ages now, and one thing I've noticed: the majority of boards have more than one administrator. Now, IPB comes with a Root group, and a regular Admin group. While this is a good idea, I'd like my admins to do more than non-root can (Mainly in the Admin tab). However, if I add them to the root group, then that opens up a security hole. I'm suggesting a line in the config file for an array of "Super Admins" - user numbers that can edit any and all accounts, but cannot be edited or deleted by anybody.
CaptainSlow Posted August 12, 2007
Hi, now this is something I would also like to see be part of IP.Board.
MindTooth Posted August 12, 2007
They would have been deletable by the root account of course? What is the issue now? Can an admin delete another admin? If so, that is about stupid IMHO :P
Alex Posted August 13, 2007
If you're worried about 'SuperAdmins' editing or deleting your account, then they shouldn't really be admins at all? You should be able to trust them 100%.
The Clash Posted August 14, 2007
Not worried about other admins, worried about hackers/vulnerabilities their computers may have.
atomicknight Posted August 14, 2007
Well, there's not all that much more that can be done by root administrators in comparison to non-root administrators. What exactly are you referring to?
In any case, it's not that difficult to add a new field to the groups table that can be used to grant additional privileges if needed. As long as you don't add them to the root admin group, they can't do anything to root admins, which would then be your superadmin group.
Alex Posted August 15, 2007
But what he is saying, even the way you're saying makes those admins restricted, a lot of things are restricted for ROOT admins, such as SQL toolbox, and admin logs.
atomicknight Posted August 17, 2007
If you're worried about trustworthiness, the SQL toolbox is the last place you'd want them to access. Same with admin logs (I mean, you'd want to have some way of keeping tabs on them, no?). Really the only thing I can see to be useful is for viewing invisibly logged on users or something.
Oh, and I've also just discovered that you can add the root admin as a secondary group and still have ACP restrictions applied on them. So that'd work to get around the "superadmin" issue (although I still don't see what restrictions would need or want to be overwritten).
And again, it is not *too* difficult to change the few places that are explicitly "root admin only."
Alex Posted August 18, 2007
It's not difficult at all, it just takes time, you only have to remove one if statement from the auto_run() function, and you're good to go :)
This topic is now archived and is closed to further replies.