How to prevent Admin from promoting himself to Super Admin

  • I am sole Super Admin/Owner of my forum and I have a Supermod I would like to promote to Admin and give him most of the Admin CP functions but not give him Usergroups, Access Masks and Forums. I set up a new Admin usergroup and gave access to Users but not Usergroups and Access masks. I then created a Test Admin account with the above permissions and I was able to log in as the Test Admin account and promote myself to Super Admin by changing the primary usergroup in the profile. I was then able to see the Super Admin forum and I do not wish normal Admins to have access to this.

    How do I prevent this?

    I am happy to have him able to moderate normal users in the Admin CP but I don't want him to be able to change his own Usergroup or give himself access to the Super Admin forum.

    I have already made the necessary adjustments in the config.php file to make my own account unalterable and undeletable.


  • The Super Admin I was speaking about is the usergroup which I designated as Super Admins and gave only this user group access to the private forum. I am the only member of this usergroup. I want this one forum to be private only for me, so I don't want the new admin to be able to change his usergroup and view it.

    So how do I keep a new admin out of the private forum? It's mainly my privacy I want to protect, I am the sort who doesn't let my husband look in my purse either LOL!


  • You need to set the appropriate permissions:

    Admin CP -> Usergroups -> Administrator Permissions


  • The only way someone can become a Super Admin is by editing the vB config.php file. If they don't have FTP access then they can't do this.


  • A "Super" Admin is not defined by any particular Usergroup. It's determined solely by your config.php file, which other admins can't touch unless you give them FTP access to your Includes folder.

    Think about it. When you started your own community, and created the UserID=1 account, there wasn't a UserID=0 account to appoint yourself with admin powers - there was only config.php. Without it, you could've only begun as a Registered User, and never tapped into your own Admin CP.

    Now just because someone else is in the same Usergroup as you, does not mean they are a "Super" Admin. If they try to raise themselves above a "Co-Admin" or whatever you've established for them, all they can really do is give themselves more Moderator Permissions, if anything. They could change themselves to the same Usergroup as you, but you still have the ultimate authority on whether they can:

    Administer Settings
    Administer Styles
    Administer Languages
    Administer Forums
    Administer Threads
    Administer Calendars
    Administer Users
    Administer User Permissions
    Administer FAQs
    Administer Avatars / Icons / Smilies
    Administer BB Codes
    Administer CRON
    Run Maintenance Tools
    Administer Plugins

    All of the No boxes you already selected for a specific Administrator do not suddenly become Yes just because they're in the same Usergroup as you. They could even try appointing other Administrators, but the fact is, everything on that checklist will be an automatic No for any new Administrators unless a REAL Super Administrator (dictated solely by config.php) manually specifies otherwise.

    Even if a fellow Super Administrator (which you don't actually have) were trying to hijack your community, you could change the password on your database, then start temporarily running a vBulletin setup in a subfolder or subdomain that nobody knows about, with a modified config.php file to include the new database password, then you log in under your old account (if it's still accessible) or a new account whose UserID you'll include in config.php, then you clean up the mess while nobody else could possibly interfere. You can also tap into your database with phpMyAdmin (under Settings > AllowRegistration=1) when a rogue admin has tried to cover all the bases they could.

    There really is no way for someone to successfully hijack a vBulletin community. The most they could do if you gave them complete FTP/database access, is start their own fork of your database, and hope that the userbase will jump ship with them to wherever else they go, and they'd need to buy or lease a separate vBulletin license, because they couldn't change the official URL associated with yours.

    I have three official Administrators, and I'm not going to lose any sleep at night over what could happen if one of them went rogue, or if one of their accounts got 'hacked', because in the end it all boils down to the config.php file, plus they may be able to prune the Control Panel logs after changing the password on my account and using my account themselves, but they can't prune Apache logs.
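
Added example, not part of the thread and not a copy of anyone's actual file: a sketch of the `SpecialUsers` block in `includes/config.php` that the replies above refer to, using the key names from a vBulletin 3.x-style config. The user IDs are constructed (1 = the forum owner, 2 = a hypothetical co-admin), and the 3.x layout is an assumption about the version in use.

```php
<?php
// includes/config.php (fragment). Values are comma-separated user IDs.
// Constructed IDs: 1 = forum owner, 2 = hypothetical co-admin.

// Who may open the Administrator Permissions page and change the
// Yes/No checklist for other administrators. Keep this to the owner.
// Too broad would be: '1,2' (the co-admin could then raise his own rights).
$config['SpecialUsers']['superadministrators'] = '1';

// Accounts that cannot be edited or deleted from the control panel by
// anyone, which stops another admin from resetting the owner's password
// or email through the Admin CP user manager.
$config['SpecialUsers']['undeletableusers'] = '1';

// Control Panel log: who may read it and who may prune it. Leaving the
// co-admin out of canpruneadminlog keeps his Admin CP actions on record.
$config['SpecialUsers']['canviewadminlog'] = '1';
$config['SpecialUsers']['canpruneadminlog'] = '1';

// Who may run raw SQL from the Admin CP. Empty means nobody; raw queries
// would bypass every usergroup and permission check above.
$config['SpecialUsers']['canrunqueries'] = '';
```

These keys only govern the Admin CP; access to a private forum is still decided by usergroup membership and forum permissions, so an administrator who can edit users and is not blocked from changing primary usergroups can still join the group that forum is restricted to, as described in the first post.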


  • Thanks Steve and Glathannus, appreciate the help!






