#13250 Changing Super Adm

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Tuesday, 14 August 2012 01:13 CDT

user63470
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? No, but I have used Admin Tools Pro for a while and have successfully changed the Super User ID before. (see description below)
Joomla! version: 2.5.6
PHP version: 5.3.13
MySQL version: 5.5.24
Host: prefer not to say
Admin Tools version: 2.3.1 Pro

Description of my issue:
The Super User (Super Administrator) ID number got set to something other than 42 during installation: it set it to 171. How do I change it back to 42 so Admin Tools can change that and the Super User login name?

My Joomla template uses K2, and the template developer said, "K2 developers changed something messing this thing up. I hope they fix it some day. The quick and easy fix you can try is to change the userID value from #__users from 171 to 42 (phpMyAdmin), it's going to work for K2, I don't remember (I did this) if this works out for Joomla content too, you have to try trial and error and find what's best for you." Of course he recommended trying this experimentally after backing up the site, which of course I have done.

I don't know where to find the userID value using phpMyAdmin, and I also don't know if that will work for Joomla content also, as he mentions. So please let me know where and how to change it.

nicholas
Akeeba Staff
Manager
You don't need to do that. The only thing Admin Tools does is change your Super Administrator's numeric ID from the default (42) to a random one. Since your user ID is not the default (171 is different than 42) you needn't do anything about it. It's safe.

FWIW, the Admin Tools feature in question was conceived back in the Joomla! 1.5 days when the user ID would have always been 62 on installation. Since Joomla! 2.5.6 the Joomla! developers finally decided to follow a sane security practice and randomise the Super Administrator's user ID on installation. This makes Admin Tools' Super Admin ID change feature obsolete – once everyone has used at least Joomla! 2.5.6 to create their new sites, which will be true in about 12 months.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user63470
Thanks, but it might be useful to be able to change it anyway without expecting it to be 42. It should be a tiny bit of code to change to simply read the Super User ID and present it for changing if desired.

nicholas
Akeeba Staff
Manager
I believe you don't understand a few things:

1. There can be many more than one Super Administrator on your site
2. Super Administrator privileges can be assigned to any Joomla! group, even on Public; you just have to give the group "Super User" rights
3. The only reason using the default and KNOWN ID of 42 is that some attacks target the KNOWN numeric ID of the default Super Administrator account.

1 and 2 mean that there is no reliable way to figure out who's a Super Administrator unless we process all groups and users. Say hello to timeout and memory outage errors, say goodbye to this feature working.

Number 3 means that this class of attacks (and the necessity for this Admin Tools feature) is on its deathbed. Why? Because the username is mostly unknown (you can change it during the installation) and since Joomla! 2.5.6 the numeric user ID of the default Super Administrator is also random. This means that a casual attacker cannot craft SQL injection queries targeting your Super Administrator account(s) since both the username and the password are unknowns. Back in the Joomla! 1.5 days neither was unknown and made your site a sitting duck.

As a result, what you request is a pointless feature which serves no purpose whatsoever.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
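
Added example, not part of the ticket or of Admin Tools: a site owner's audit of points 1 and 2 above. It resolves every account that ends up with Super User (`core.admin`) rights through group membership and inheritance, then flags any still on the predictable IDs 42 or 62. It assumes the Joomla! 2.5 table layout with a `jos_` prefix, uses in-memory SQLite in place of MySQL, and runs on constructed sample rows.

```python
import json
import sqlite3

KNOWN_DEFAULT_IDS = {42, 62}  # the two install-time defaults named in the thread

def super_users(db, prefix="jos_"):
    """Return {user_id: username} for accounts that resolve to core.admin."""
    # The root asset (parent_id = 0) holds the global permissions as JSON.
    rules = json.loads(db.execute(
        f"SELECT rules FROM {prefix}assets WHERE parent_id = 0").fetchone()[0])
    admin = {int(g): v for g, v in rules.get("core.admin", {}).items()}
    found = {}
    users = db.execute(f"SELECT id, username FROM {prefix}users").fetchall()
    for uid, name in users:
        # Effective groups = directly mapped groups plus all nested-set ancestors.
        groups = [r[0] for r in db.execute(
            f"SELECT DISTINCT a.id FROM {prefix}user_usergroup_map m "
            f"JOIN {prefix}usergroups g ON g.id = m.group_id "
            f"JOIN {prefix}usergroups a ON a.lft <= g.lft AND a.rgt >= g.rgt "
            "WHERE m.user_id = ?", (uid,))]
        votes = [admin[g] for g in groups if g in admin]
        # An explicit deny (0) on any effective group overrides every allow (1).
        if votes and 0 not in votes:
            found[uid] = name
    return found

def at_known_ids(found):
    """Super Users still sitting on a predictable numeric ID."""
    return sorted(uid for uid in found if uid in KNOWN_DEFAULT_IDS)

def sample_site():
    """Constructed data, not taken from any real site."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE jos_users (id INTEGER, username TEXT);
      CREATE TABLE jos_usergroups (id INTEGER, parent_id INTEGER, lft INTEGER, rgt INTEGER, title TEXT);
      CREATE TABLE jos_user_usergroup_map (user_id INTEGER, group_id INTEGER);
      CREATE TABLE jos_assets (id INTEGER, parent_id INTEGER, name TEXT, rules TEXT);
      INSERT INTO jos_usergroups VALUES (1,0,1,10,'Public'), (2,1,2,7,'Registered'),
        (9,2,3,6,'Site Managers'), (10,9,4,5,'Regional Managers'), (8,1,8,9,'Super Users');
      INSERT INTO jos_users VALUES (171,'owner'), (172,'writer'), (173,'manager'), (42,'legacy');
      INSERT INTO jos_user_usergroup_map VALUES (171,8), (172,2), (173,10), (42,8);
      INSERT INTO jos_assets VALUES (1,0,'root.1','{"core.admin":{"8":1,"9":1}}');
    """)
    return db

if __name__ == "__main__":
    found = super_users(sample_site())
    print(found, at_known_ids(found))
```

In the sample, `manager` is a Super User only because its group inherits from a custom group that was granted the right, which is the case a check limited to the stock Super Users group would miss.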
