Query goal: | Find roles that a member can grant to others, i.e., the role has been granted with ADMIN OPTION. The number of privileges that can be passed on should be as small as possible. |
Query type: | Problem detection (Each row in the result could represent a flaw in the design) |
Query reliability: | High (Few or no false-positive results) |
Query license: | MIT License |
Fixing suggestion: | Revoke WITH ADMIN OPTION privilege. |
Data source: | system catalog only |
SQL query: | Click on query to copy it
SELECT role.rolname AS role, member.rolname AS member, grantor.rolname AS grantor, inherit_option, set_option FROM pg_auth_members AS pam, pg_authid AS role, pg_authid AS member, pg_authid AS grantor WHERE pam.roleid=role.oid AND pam.member=member.oid AND pam.grantor=grantor.oid AND member.rolname !~'^pg_' AND admin_option=TRUE ORDER BY role, member; |
SQL query | Description |
---|---|
WITH privs AS (SELECT role.rolname AS role, member.rolname AS member, grantor.rolname AS grantor, inherit_option, set_option FROM pg_auth_members AS pam, pg_authid AS role, pg_authid AS member, pg_authid AS grantor WHERE pam.roleid=role.oid AND pam.member=member.oid AND pam.grantor=grantor.oid AND member.rolname !~'^pg_' AND admin_option=TRUE) SELECT format('REVOKE ADMIN OPTION FOR %1$s FROM %2$I;', role, member) AS statements FROM privs ORDER BY role, member; | Revoke WITH ADMIN OPTION. |
Collection name | Collection description |
---|---|
Find problems automatically | Queries, that results point to problems in the database. Each query in the collection produces an initial assessment. However, a human reviewer has the final say as to whether there is a problem or not . |
Category name | Category description |
---|---|
Security | Queries of this category provide information about the security measures. |
Reference |
---|
https://www.postgresql.org/docs/current/catalog-pg-auth-members.html |