Query goal: | Find privileges to execute routines that have been given to non-superusers. Check as to whether it conforms to the principle of least privilege. Check that users that correspond to applications have all the necessary privileges. Users (applications) should use a database through virtual data layer. Thus, if they need to modify data in the database (in case of table functions read data), then they must execute a routine. |
Notes about the query: | The query does not consider the routines that are a part of an extension. There could be multiple routines with the same name but with different parameters in the same schema (overloading). Thus, for the unique identification of the routine it is necessary to present also its parameters in addition to the schema name and routine name. |
Query type: | General (Overview of some aspect of the database.) |
Query license: | MIT License |
Data source: | INFORMATION_SCHEMA+system catalog |
SQL query: | Click on query to copy it
SELECT DISTINCT rp.routine_schema, rp.routine_name, pg_get_function_identity_arguments(translate(substring(rp.specific_name,'_[0-9]+$'),'_','')::int::oid) AS parameters, rp.grantee, rp.privilege_type, rp.is_grantable FROM information_schema.routine_privileges AS rp WHERE rp.routine_schema NOT IN (SELECT schema_name FROM INFORMATION_SCHEMA.schemata WHERE schema_name<>'public' AND schema_owner='postgres' AND schema_name IS NOT NULL) AND NOT EXISTS (SELECT 1 FROM pg_catalog.pg_depend d inner join pg_catalog.pg_proc pc ON d.objid=pc.oid WHERE EXISTS (SELECT 1 FROM pg_catalog.pg_extension e WHERE d.refobjid=e.oid) AND pc.proname || '_' || pc.oid = rp.specific_name) AND rp.routine_name NOT IN ('f_assume_you_must_use_files', 'f_check_format_comma_separated_list', 'f_check_password', 'f_default_value_with_no_match') AND NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles r WHERE rolsuper=TRUE AND rp.grantee=r.rolname) ORDER BY rp.grantee, rp.routine_schema, rp.routine_name, parameters; |
Collection name | Collection description |
---|---|
Find problems by overview | Queries that results point to different aspects of database that might have problems. A human reviewer has to decide based on the results as to whether there are problems or not . |
Category name | Category description |
---|---|
Security | Queries of this category provide information about the security measures. |
User-defined routines | Queries of this category provide information about the user-defined routines |
Reference |
---|
https://www.postgresql.org/docs/current/ddl-priv.html |