Alright, I reviewed what's going on.
The security realm has a feature that allows the user who accesses the Jenkins home page ("/" URL) to sign up as admin if no user already exists.
A few problems:
- The major one: The form redirects to /manage, not /, so there's a login form shown, but there are no valid credentials. Why would anyone click the Jenkins logo to go to the home page to see a signup form?
- The minor one: If a user record exists, independent of any permissions assigned to that user, the signup isn't shown.
The minor issue is fairly unlikely in regular use IMO; it's just something I stumbled upon while investigating this.
The major one should be fixed though.
As long as you allow signup, the first user to do that becomes admin.
As long as anonymous is allowed to administer, you can still create users.
It's only relevant if you don't allow signup, and don't give the anonymous user any permissions. In that case, it's bad, true.
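The configuration in which the redirect matters is the one described just above: self-signup disabled and anonymous without any permissions, so the first admin account has to be created some other way than through the form on "/". The following init script is an added example, not code from this issue or from Jenkins itself; it assumes the standard `$JENKINS_HOME/init.groovy.d/` hook, a bootstrap password supplied in a hypothetical `JENKINS_ADMIN_PASSWORD` environment variable, and the built-in `HudsonPrivateSecurityRealm` plus the "logged-in users can do anything" strategy with anonymous read turned off.

```groovy
// Added example: $JENKINS_HOME/init.groovy.d/10-bootstrap-admin.groovy
// Configures the security realm with signup disabled, creates the first
// (admin) account explicitly, and denies anonymous any permission.
// Assumption: the bootstrap password comes from JENKINS_ADMIN_PASSWORD (hypothetical name).
import jenkins.model.Jenkins
import hudson.security.HudsonPrivateSecurityRealm
import hudson.security.FullControlOnceLoggedInAuthorizationStrategy

def jenkins = Jenkins.get()

def password = System.getenv('JENKINS_ADMIN_PASSWORD')
if (!password) {
    // Fail loudly instead of leaving an instance with no usable credentials.
    throw new IllegalStateException('JENKINS_ADMIN_PASSWORD is not set; refusing to bootstrap without an admin password')
}

// allowsSignup = false: nobody can self-register, so the first user must be created here.
def realm = new HudsonPrivateSecurityRealm(false)
if (realm.getAllUsers().isEmpty()) {
    // Only the very first start creates the account; later restarts leave existing users alone.
    realm.createAccount('admin', password)
}
jenkins.setSecurityRealm(realm)

// Any authenticated user gets full control; anonymous gets nothing, not even read.
def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
strategy.setAllowAnonymousRead(false)
jenkins.setAuthorizationStrategy(strategy)

jenkins.save()

// Sanity check of the resulting state: this is exactly the configuration in
// which the signup form on "/" is the only bootstrap path and must therefore work.
assert !jenkins.securityRealm.allowsSignup
assert !jenkins.authorizationStrategy.allowAnonymousRead
```

With this in place the instance never depends on an anonymous visitor reaching the signup form, and the script is idempotent across restarts because the account is only created while the realm has no users.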