| Query goal: | Find roles that a member can grant to others, i.e., the role has been granted with ADMIN OPTION. The number of privileges that can be passed on should be as small as possible. |
| Query type: | Problem detection (Each row in the result could represent a flaw in the design) |
| Query reliability: | High (Few or no false-positive results) |
| Query license: | MIT License |
| Fixing suggestion: | Revoke WITH ADMIN OPTION privilege. |
| Data source: | system catalog only |
| SQL query: | Click on query to copy it
SELECT role.rolname AS role, member.rolname AS member, grantor.rolname AS grantor, inherit_option, set_option FROM pg_auth_members AS pam, pg_authid AS role, pg_authid AS member, pg_authid AS grantor WHERE pam.roleid=role.oid AND pam.member=member.oid AND pam.grantor=grantor.oid AND member.rolname !~'^pg_' AND admin_option=TRUE ORDER BY role, member; |
| SQL query | Description |
|---|---|
WITH privs AS (SELECT role.rolname AS role, member.rolname AS member, grantor.rolname AS grantor, inherit_option, set_option FROM pg_auth_members AS pam, pg_authid AS role, pg_authid AS member, pg_authid AS grantor WHERE pam.roleid=role.oid AND pam.member=member.oid AND pam.grantor=grantor.oid AND member.rolname !~'^pg_' AND admin_option=TRUE) SELECT format('REVOKE ADMIN OPTION FOR %1$s FROM %2$I;', role, member) AS statements FROM privs ORDER BY role, member; | Revoke WITH ADMIN OPTION. |
| Collection name | Collection description |
|---|---|
| Find problems automatically | Queries, that results point to problems in the database. Each query in the collection produces an initial assessment. However, a human reviewer has the final say as to whether there is a problem or not . |
| Category name | Category description |
|---|---|
| Security | Queries of this category provide information about the security measures. |
| Reference |
|---|
| https://www.postgresql.org/docs/current/catalog-pg-auth-members.html |