Drupal advanced ACLs for "untrusted" administrators
I have a multi-site Drupal-6 installation containing websites of different customers.
On each site, there is an "administrator" role that includes mainly the customer's account. We want to give as many permissions as possible to this privileged user, but this could lead to security leaks when using just the Drupal Core permissions management system.
The main thing to avoid is the customer account being able to run PHP code on the server (that would be like being logged on the server as the www-data user... sounds really bad).
To avoid that, it is not sufficient to deny PHP code evaluation for the role. Since the administrator role must have permissions to manage users, he could also change the password of user #1 and log in to the site as superadmin.
The second goal would be to also deny some "confusing" administrative pages (such as module selection) but not others (such as site information configuration, or theme selection, etc.)
I found the User One module that seems to fix the first problem, but I have no idea how to solve the second one. I found some modules around, but none seems to fit... it seems like most ACLs are meant to protect the content, and not the site itself, as if the site administrator would always be the server owner himself.
I feel your pain - quite a lot of the administrative functionality is insufficiently granular concerning access control options, and while there are many modules that address one or more specific shortcomings, I have not yet found the general module for this.
That said, and given your multi-site setup, you might want to take a closer look at the Domain Access module and its multiple 'offspring'. While mainly aimed at running a set of affiliate sites on different domains that share some content while keeping other content domain specific, it also contains many tweaks to assist in organizing and administrating such a setup. So it could offer some of the features you're looking for. But be warned - the module is quite a beast in complexity and I'd only recommend using it if it fits your setup in general, not to gain just one or two ACL features.
Remove administer users from the role so they can't change passwords. Encourage users to do password resets.
As for assigning user roles, you can use the Role Delegation module, and for node publishing, the Override Node Options module.
http://drupal.org/project/role_delegation
http://drupal.org/project/override_node_options
The second module will let you remove the 'administer nodes' permission, removing a lot of 'overreaching power' from the role.
You can delete the php module from the modules directory. As long as you are not using any php pages it can be removed.
I just wrote the PermMill module to fix the too-large permissions issue.
The code is not on the official drupal.org CVS yet, but it is coming soon.
I hope that this module could be useful to someone else who reaches this question.
[UPDATE] 2010-04-15 19:30 +0200: I just uploaded code to CVS, and the first 6.x-1.x-dev tarball is coming out tomorrow at about 0:00 AM GMT.
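An added example, not part of the thread and not code from any module named in it: a Drupal 6 `hook_menu_alter()` sketch covering both goals from the question. It restricts the module selection routes to user #1 while leaving site information and theme pages alone, and refuses the account edit form for user #1 to anyone else. The module name `site_lockdown` and its function names are hypothetical.

```php
<?php
// site_lockdown.module: hypothetical custom Drupal 6 module (the module and
// function names are illustrative and do not come from the thread).

/**
 * Implementation of hook_menu_alter().
 */
function site_lockdown_menu_alter(&$items) {
  foreach ($items as $path => $item) {
    // Module selection and its confirm/uninstall sub-pages: user #1 only.
    // Site information and theme selection are separate routes, so they
    // keep their normal permission check.
    if (strpos($path, 'admin/build/modules') === 0) {
      $items[$path]['access callback'] = 'site_lockdown_is_user_one';
      $items[$path]['access arguments'] = array();
    }
    // Account edit routes guarded by core's user_edit_access(): wrap the
    // callback and keep the original access arguments (the loaded account).
    elseif (isset($item['access callback']) && $item['access callback'] == 'user_edit_access') {
      $items[$path]['access callback'] = 'site_lockdown_user_edit_access';
    }
  }
}

/**
 * Access callback: only the superadmin (uid 1) passes.
 */
function site_lockdown_is_user_one() {
  global $user;
  return $user->uid == 1;
}

/**
 * Access callback: nobody except user #1 may edit the user #1 account
 * (and therefore its password); everyone else falls through to core.
 */
function site_lockdown_user_edit_access($account) {
  global $user;
  if ($account->uid == 1 && $user->uid != 1) {
    return FALSE;
  }
  return user_edit_access($account);
}
```

This only closes the two routes shown: the role must still be denied PHP evaluation, and any other path that can change user #1's credentials or roles needs its own check.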