| Author |
Message |
rebelt
Worker
Joined: May 07, 2006
Posts: 172
|
 Posted:
Fri Sep 07, 2012 10:06 am |
|
Had a message from a superuser admin.
| Quote: | | I cannot change my password. Every time I go Admin-Users-Admin I get ip blocked. I have now protected my ip from being blocked, if i go Users-Admin I now get Access Denied. |
Could anyone help with this please. |
_________________
I wish I knew what I was doing LOL |
|
 
|
|
neralex
Site Admin
Joined: Aug 22, 2007
Posts: 1772
|
| Posted:
Fri Sep 07, 2012 10:52 am |
|
Only the god admin user can modify other admin accounts. |
Last edited by neralex on Fri Sep 07, 2012 4:15 pm; edited 1 time in total |
|
|
|
|
rebelt
|
| Posted:
Fri Sep 07, 2012 12:39 pm |
|
I thought they could modify their own account though. Is that not the case then? |
| |
|
|
|
|
rebelt
|
| Posted:
Mon Sep 10, 2012 9:10 am |
|
Just a bump really. 
So can a superuser change their own password or not?
Thanks
Edit: worked out the other question so removed it. |
| |
|
|
|
|
neralex
|
| Posted:
Mon Sep 10, 2012 9:43 am |
|
Its a simple answer: no. 
Only the god admin user can modify admin accounts. That is the reason why get the message: "Access Denied". Try it self... |
Last edited by neralex on Mon Sep 10, 2012 9:48 am; edited 1 time in total |
|
|
|
|
rebelt
|
| Posted:
Mon Sep 10, 2012 9:47 am |
|
Thanks.
I recommended he changed his password every now and then, now I'll have to tell him he can't.
Seems strange a user can change their password but an admin can't though. |
| |
|
|
|
|
neralex
|
| Posted:
Mon Sep 10, 2012 9:54 am |
|
Its not strange - this is best solution. Remember, the admin pw is the AUTH in the .staccess file and only you as god admin can write the .staccess. Admins should always be administered by only an account. Everything else is in my eyes a security risk. |
Last edited by neralex on Mon Sep 10, 2012 9:59 am; edited 2 times in total |
|
|
|
|
rebelt
|
| Posted:
Mon Sep 10, 2012 9:56 am |
|
Fair enough.
Thanks again |
| |
|
|
|
|
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
|
| Posted:
Mon Sep 10, 2012 3:23 pm |
|
Anyone with PHPmyadmin access can change any password, anytime for anyone. |
| |
|
|
|
|
neralex
|
| Posted:
Mon Sep 10, 2012 4:05 pm |
|
Anyone with PHPmyadmin access can change the md5 hash, he must decrypt the PW to get it but if anyone has access to PHPmyadmin, then he has a god-admin user and don't need the PHPmyadmin access for changing a super-user PW but a super-user without a PHPmyadmin access needs anyone with a god-admin user to change the own PW. This is an fact, too! |
| |
|
|
|
|
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
| Posted:
Sun Sep 16, 2012 9:04 am |
|
These are good points that you bring up. Just to clarify a bit though, there are up to two passwords associated with an Admin: 1) admin.php login, which is what gets stored in the core *Nuke DB table, and 2) if enabled, the .staccess protection of admin.php file itself (really an Apache provided protection).
For 1), I do find it odd that one cannot change their password. Maybe that should be allowed and brought in as a feature.
However, for 2), this is more of a site owner/operator decision point on whether access to admin.php should be changed and it is separate from 1) and managed and stored in a NukeSentinel(tm) table. This one needs to be managed still, in my opinion, by the site owner/operator, otherwise known as the "God" admin.
Thoughts? |
_________________
Where Do YOU Stand?
HTML Newsletter::ShortLinks::Mailer::Downloads and more... |
|
|
|
|
|
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
