SuperUserPolicy
The Drupal user account user/1 is automatically granted special privileges.
As of Drupal 10.3 these privileges are governed by the newly introduced SuperUserPolicy.
To manually enable or disable the policy, edit your sites/{sitename}/services.yml file, set security.enable_super_user to true or false respectively, and clear your caches.
To speed up this process I created a basic Drush command:
drush super:on
drush super:off
Source and instructions: https://gitlab.com/jpoesen/drush-commands
Limitations / Warnings
You must REMOVE the Administrator role from user/1, otherwise that role will still grant user/1 all privileges.
Hardening Drupal
My process for hardening Drupal already involved:
- blocking user/1 (so they can't log in via the traditional way)
- giving user/1 a random user/pass (obscurity + nobody knows the password)
- only authenticating with user/1 when absolutely necessary
- logging in with drush uli (which generates a one-time login link)
My hardened process for authenticating as user/1:
- ssh into remote server via vpn
- drush super:on
- drush cache:rebuild
- drush user:login to generate a one-time login link
- do stuff
- log out
- drush super:off
- drush cache:rebuild
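The manual services.yml toggle and the open-then-close user/1 session described above, as an added shell example; this is not code from the original post or from the jpoesen/drush-commands project. It assumes Drupal 10.3 or later, that the security.enable_super_user parameter lives under the parameters: key of sites/{sitename}/services.yml, and that the Administrator role's machine name is administrator (the Standard profile default). The file-editing and role-check helpers run offline against a constructed sample; super_user_session needs a real site and uses drush php:eval, drush cache:rebuild and drush user:login --uid=1. Where the author's drush super:on / super:off commands are installed they can replace the set_super_user_policy calls.

```shell
#!/bin/sh
# Added example (not from the original post or jpoesen/drush-commands).
# Toggles the SuperUserPolicy parameter in a Drupal services.yml and wraps a
# user/1 session so the policy is only enabled while it is actually needed.
set -eu

# set_super_user_policy FILE true|false
# Rewrites "security.enable_super_user: <value>" in place. If the key is
# missing it is inserted under "parameters:"; if that section is missing
# too, one is appended. Assumes the parameter lives under "parameters:".
set_super_user_policy() {
    file=$1
    value=$2
    case "$value" in
        true|false) ;;
        *) echo "value must be true or false" >&2; return 1 ;;
    esac
    if grep -q '^[[:space:]]*security\.enable_super_user:' "$file"; then
        # Key present: replace only its value, keep the indentation.
        awk -v v="$value" '
            /^[[:space:]]*security\.enable_super_user:/ {
                sub(/security\.enable_super_user:.*/, "security.enable_super_user: " v)
            }
            { print }' "$file" > "$file.tmp"
    elif grep -q '^parameters:' "$file"; then
        # Section present, key missing: insert the key right after "parameters:".
        awk -v v="$value" '
            { print }
            /^parameters:/ { print "  security.enable_super_user: " v }' "$file" > "$file.tmp"
    else
        # Neither present: append a parameters section.
        { cat "$file"; printf 'parameters:\n  security.enable_super_user: %s\n' "$value"; } > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# get_super_user_policy FILE -> prints true, false, or unset
get_super_user_policy() {
    awk '/^[[:space:]]*security\.enable_super_user:/ { print $2; found = 1 }
         END { if (!found) print "unset" }' "$1"
}

# has_admin_role "role1,role2,..." -> exit 0 if "administrator" is among them.
# The policy does not override roles, so user/1 must not hold this role.
has_admin_role() {
    case ",$1," in
        *,administrator,*) return 0 ;;
        *) return 1 ;;
    esac
}

# assert_no_admin_role: reads user/1's role IDs from the site via drush
# (needs a working Drupal site; \Drupal\user\Entity\User::load(1)->getRoles()).
assert_no_admin_role() {
    roles=$(drush php:eval 'print implode(",", \Drupal\user\Entity\User::load(1)->getRoles());')
    if has_admin_role "$roles"; then
        echo "user/1 still has the administrator role; remove it first" >&2
        return 1
    fi
}

# super_user_session SITE_DIR  (e.g. sites/default)
# Enables the policy, rebuilds caches, hands out a one-time login link for
# user/1, and turns the policy off again on exit, including on Ctrl-C.
super_user_session() {
    services="$1/services.yml"
    assert_no_admin_role
    trap 'set_super_user_policy "$services" false; drush cache:rebuild' EXIT INT TERM
    set_super_user_policy "$services" true
    drush cache:rebuild
    drush user:login --uid=1
    printf 'Press Enter when finished to turn the policy off again... '
    read -r _
}

# demo_offline: runs the toggle against a constructed services.yml (no drush
# needed) and prints the policy state before and after each change.
demo_offline() {
    f=$(mktemp)
    # Constructed sample file: a parameters section without the key.
    printf 'parameters:\n  session.storage.options:\n    gc_probability: 1\n' > "$f"
    get_super_user_policy "$f"                 # unset
    set_super_user_policy "$f" false
    get_super_user_policy "$f"                 # false
    set_super_user_policy "$f" true
    get_super_user_policy "$f"                 # true
    rm -f "$f"
}
```

Running demo_offline prints unset, false, true; for a live session call super_user_session sites/default from the Drupal root. The trap on EXIT is the point of the wrapper: the policy is switched back off even if the operator's shell is interrupted, and the role check runs before the policy is enabled because, as the post notes, an Administrator role on user/1 would keep granting every permission regardless of the policy.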
Summary
- remove administrator role from user/1
- turn the policy on/off with drush super:on / drush super:off
- clear cache after changing the policy