Is it a Security Risk for Nodes to Have Authorship of "Anonymous" (uid=0)


Hi folks,

Is it a security risk for nodes to have a uid = 0?

I have a client for whom I took over an existing site which was migrated from another CMS. The developer migrating the site assigned all the content to uid = 0 (about 1200 nodes).

My gut hates this, but before I tell the client it is a security risk, I want to know why, if it is.

The only thing I can think of is if the anonymous user role had the permission, "edit own content" or some other node permissions.

I would never assign those permissions to Anonymous, and I'm the only one who can assign permissions on the site.

However, the whole UI for permissions is a big mess (this site is D6; D7 is not that much better either), so it's possible that permission could get assigned by mistake.

And they could always fire me and have someone less competent take over :).

Is there something I'm missing?

Do you think the "accidental permission setting" problem is strong enough to urge the change?

Thanks,

Shai

Comments

I definitely suggest changing


I definitely suggest changing them to be owned by a specific user. This is the kind of thing that doesn't bite you until years later you make a mistake and...

It's like keeping containers of flammable liquids next to the fireplace: it's not a problem as long as the seals on the containers work well.

Two weeks ago at the Boston meetup, Kay from Own Sourcing mentioned how a site he was working on was bitten by this bug.

yes, that is a security risk


Yes, that is a security risk, as basically you let that content be owned by anonymous users. Even if you tighten the permissions at the moment, they could be changed by mistake when installing new modules/roles or when rebuilding permissions. You can also verify what anonymous users can see or access when visiting that content.

We had a case on one of our client sites where we deleted a user who owned content and that content was automatically assigned to uid=0, and anonymous users were able to change our content. We also got to the point of creating a module that checks content with uid=0 and sets it to our default content owner. All in all, I think it is not a good idea to let anything on the site be owned by anonymous.
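An added example (not code from this thread or from gerold's module) of the kind of module described above, written against the Drupal 7 API since the D6 database functions differ: it lists nodes owned by uid 0, reports which node edit/delete permissions the anonymous role currently holds, reassigns orphaned nodes to a default owner, and stops new uid-0 nodes from being saved. The module name `orphan_owner` and the default owner uid 1 are assumptions.

```php
<?php
/**
 * @file
 * Hypothetical module "orphan_owner": audit and repair nodes owned by uid 0.
 */

// Assumed: the account that orphaned content is reassigned to (uid 1 here).
define('ORPHAN_OWNER_DEFAULT_UID', 1);

/**
 * Returns the nids of all nodes currently owned by the anonymous user.
 */
function orphan_owner_find_nodes() {
  return db_query('SELECT nid FROM {node} WHERE uid = 0')->fetchCol();
}

/**
 * Returns node edit/delete permissions granted to the anonymous role.
 * Any "edit own ..." or "delete own ..." entry means uid-0 content can be
 * modified without logging in; this is the misconfiguration the thread fears.
 */
function orphan_owner_risky_anonymous_perms() {
  $perms = user_role_permissions(array(DRUPAL_ANONYMOUS_RID => 'anonymous user'));
  $risky = array();
  foreach (array_keys($perms[DRUPAL_ANONYMOUS_RID]) as $perm) {
    if (preg_match('/^(edit|delete) (own|any) .+ content$/', $perm)) {
      $risky[] = $perm;
    }
  }
  return $risky;
}

/**
 * Reassigns every uid-0 node to $uid; returns how many were changed.
 * Only the owner column in {node} is touched; revision authorship is left as is.
 */
function orphan_owner_reassign($uid = ORPHAN_OWNER_DEFAULT_UID) {
  if ($uid == 0 || !user_load($uid)) {
    throw new InvalidArgumentException("No usable account with uid $uid.");
  }
  $count = db_update('node')->fields(array('uid' => $uid))->condition('uid', 0)->execute();
  watchdog('orphan_owner', 'Reassigned @n nodes from uid 0 to uid @uid.', array('@n' => $count, '@uid' => $uid));
  return $count;
}

/**
 * Implements hook_node_presave(): a node about to be saved with uid 0
 * (e.g. from an import, or after deleting its owner) gets the default owner.
 */
function orphan_owner_node_presave($node) {
  if ((int) $node->uid === 0) {
    $node->uid = ORPHAN_OWNER_DEFAULT_UID;
  }
}
```

Run `orphan_owner_risky_anonymous_perms()` and `orphan_owner_find_nodes()` first (for example via `drush php-eval`) to see the current exposure, then `orphan_owner_reassign()` once to repair the existing 1200 nodes; the presave hook keeps the state from recurring.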
