Query goal: | Be precise and do not give impossible privileges. |
Query type: | Problem detection (Each row in the result could represent a flaw in the design) |
Query reliability: | Medium (Medium number of false-positive results) |
Query license: | MIT License |
Fixing suggestion: | Revoke the unnecessary privileges. |
Data source: | INFORMATION_SCHEMA+system catalog |
SQL query: | Click on query to copy it
WITH non_updatable_view AS (SELECT table_schema AS view_schema, table_name AS view_name, is_updatable, is_insertable_into FROM Information_schema.views WHERE (is_insertable_into='NO' AND is_updatable='NO') AND table_schema NOT IN (SELECT schema_name FROM INFORMATION_SCHEMA.schemata WHERE schema_name<>'public' AND schema_owner='postgres' AND schema_name IS NOT NULL)), modify_priv AS (SELECT tp.grantee, tp.table_schema AS view_schema, tp.table_name AS view_name, array_agg(tp.privilege_type::TEXT) AS privileges FROM information_schema.table_privileges AS tp INNER JOIN information_schema.tables AS t ON t.table_schema=tp.table_schema AND t.table_name=tp.table_name WHERE t.table_type='VIEW' AND tp.table_schema NOT IN (SELECT schema_name FROM INFORMATION_SCHEMA.schemata WHERE schema_name<>'public' AND schema_owner='postgres' AND schema_name IS NOT NULL) AND tp.privilege_type IN ('INSERT','UPDATE','DELETE') AND grantee <> ALL (SELECT viewowner FROM pg_catalog.pg_views AS pv WHERE pv.schemaname=tp.table_schema AND pv.viewname=tp.table_name) GROUP BY tp.grantee, tp.table_schema, tp.table_name) SELECT view_schema, view_name, is_updatable, is_insertable_into, grantee, privileges FROM non_updatable_view INNER JOIN modify_priv USING (view_schema, view_name) ORDER BY grantee, view_schema, view_name; |
SQL query | Description |
---|---|
WITH non_updatable_view AS (SELECT table_schema AS view_schema, table_name AS view_name, is_updatable, is_insertable_into FROM Information_schema.views WHERE (is_insertable_into='NO' AND is_updatable='NO') AND table_schema NOT IN (SELECT schema_name FROM INFORMATION_SCHEMA.schemata WHERE schema_name<>'public' AND schema_owner='postgres' AND schema_name IS NOT NULL)), modify_priv AS (SELECT tp.grantee, tp.table_schema AS view_schema, tp.table_name AS view_name, tp.privilege_type AS privilege FROM information_schema.table_privileges AS tp INNER JOIN information_schema.tables AS t ON t.table_schema=tp.table_schema AND t.table_name=tp.table_name WHERE t.table_type='VIEW' AND tp.table_schema NOT IN (SELECT schema_name FROM INFORMATION_SCHEMA.schemata WHERE schema_name<>'public' AND schema_owner='postgres' AND schema_name IS NOT NULL) AND tp.privilege_type IN ('INSERT','UPDATE','DELETE') AND grantee <> ALL (SELECT viewowner FROM pg_catalog.pg_views AS pv WHERE pv.schemaname=tp.table_schema AND pv.viewname=tp.table_name)), unnecessary_privileges AS (SELECT view_schema, view_name, is_updatable, is_insertable_into, grantee, privilege FROM non_updatable_view INNER JOIN modify_priv USING (view_schema, view_name)) SELECT format('REVOKE %1$s ON %2$I.%3$I FROM %4$I;', privilege, view_schema, view_name, grantee) AS statements FROM unnecessary_privileges ORDER BY grantee, view_schema, view_name; | Revoke the unnecessary privileges. |
Collection name | Collection description |
---|---|
Find problems automatically | Queries, that results point to problems in the database. Each query in the collection produces an initial assessment. However, a human reviewer has the final say as to whether there is a problem or not . |
Category name | Category description |
---|---|
Derived tables | Queries of this category provide information about the derived tables (views, materialized views), which are used to implement virtual data layer. |
Security | Queries of this category provide information about the security measures. |
Reference |
---|
https://en.wikipedia.org/wiki/Principle_of_least_privilege |