Turning off Drupal's SuperUserPolicy to Harden the user/1 Account


SuperUserPolicy

The Drupal user account user/1 is automatically granted special privileges.

As of Drupal 10.3 these privileges are governed by the newly introduced SuperUserPolicy access policy.

To manually enable or disable the policy, set the security.enable_super_user parameter in your sites/{sitename}/services.yml file to true or false respectively, then clear your caches.

To speed up this process I created a basic Drush command:

  • drush super:on
  • drush super:off

Source and instructions: https://gitlab.com/jpoesen/drush-commands
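As an added example (not the author's drush-commands project), the following POSIX shell functions do the services.yml edit described above in a repeatable way: one rewrites or adds the security.enable_super_user parameter inside the parameters block, the other reports its current value so the state can be checked before and after. The file layout (a top-level parameters: block with two-space-indented keys) and the sample services.yml are assumptions based on Drupal's default services file; the demo data at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not code from the drush-commands project.
# Assumes Drupal's default services.yml layout: a top-level "parameters:"
# block whose keys are indented by two spaces.

# set_super_user_policy FILE true|false
# Rewrites (or adds) "security.enable_super_user" inside the parameters block.
set_super_user_policy() {
  file="$1"
  value="$2"
  case "$value" in
    true|false) ;;
    *) echo "usage: set_super_user_policy FILE true|false" >&2; return 2 ;;
  esac
  tmp="${file}.tmp.$$"
  awk -v val="$value" '
    # opening line of the parameters block
    /^parameters:[ \t]*$/ { in_params = 1; print; next }
    # any other unindented, non-comment line closes the block
    in_params && /^[^ \t#]/ {
      if (!done) { print "  security.enable_super_user: " val; done = 1 }
      in_params = 0
    }
    # replace the existing key (first copy wins, later duplicates are dropped)
    in_params && /^[ \t]+security\.enable_super_user:/ {
      if (!done) { print "  security.enable_super_user: " val; done = 1 }
      next
    }
    { print }
    END {
      if (!done) {
        if (!in_params) print "parameters:"   # no block at all: create one
        print "  security.enable_super_user: " val
      }
    }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# super_user_policy_state FILE
# Prints "true", "false", or "unset" (unset means the core default applies).
super_user_policy_state() {
  awk '
    /^parameters:[ \t]*$/ { in_params = 1; next }
    in_params && /^[^ \t#]/ { in_params = 0 }
    in_params && /^[ \t]+security\.enable_super_user:/ {
      sub(/^[ \t]+security\.enable_super_user:[ \t]*/, "")
      sub(/[ \t]+#.*$/, "")      # strip a trailing comment
      sub(/[ \t]+$/, "")
      print; found = 1; exit
    }
    END { if (!found) print "unset" }
  ' "$1"
}

# Demo on a constructed services.yml (sample data, not a real site's file).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
parameters:
  session.storage.options:
    gc_probability: 1
  security.enable_super_user: true
services:
  cache.backend.null:
    class: Drupal\Core\Cache\NullBackendFactory
EOF
echo "before: $(super_user_policy_state "$demo_file")"   # true
set_super_user_policy "$demo_file" false
echo "after:  $(super_user_policy_state "$demo_file")"   # false
rm -f "$demo_file"
```

The edit only changes the policy parameter; as the post says, the change takes effect after a cache rebuild (drush cache:rebuild), and it does nothing about roles, so removing the Administrator role from user/1 remains a separate step.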

Limitations / Warnings

You must REMOVE the Administrator role from user/1, otherwise that role will still grant user/1 all privileges.

Hardening Drupal

My process for hardening Drupal already involved:

  • blocking user/1 (so it can't log in the traditional way)
  • giving user/1 a random username and password (obscurity, and nobody knows the password)
  • only authenticating with user/1 when absolutely necessary
  • logging in with drush uli (which generates a one-time login link)

My hardened process for authenticating as user/1:

  • ssh into remote server via vpn
  • drush super:on
  • drush cache:rebuild
  • drush user:login to generate a one-time login link
  • do stuff
  • log out
  • drush super:off
  • drush cache:rebuild

Summary

  • remove administrator role from user/1
  • turn the policy on/off with drush super:on / drush super:off
  • clear cache after changing the policy
