Privileges to execute routines

Query goal:

Find privileges to execute routines that have been given to non-superusers. Check as to whether it conforms to the principle of least privilege. Check that users that correspond to applications have all the necessary privileges. Users (applications) should use a database through virtual data layer. Thus, if they need to modify data in the database (in case of table functions read data), then they must execute a routine.

Notes about the query:

The query does not consider the routines that are a part of an extension. There could be multiple routines with the same name but with different parameters in the same schema (overloading). Thus, for the unique identification of the routine it is necessary to present also its parameters in addition to the schema name and routine name.

Query type:

General (Overview of some aspect of the database.)

Query license:

MIT License

Data source:

INFORMATION_SCHEMA+system catalog

SQL query:

Click on query to copy it

SELECT DISTINCT rp.routine_schema, rp.routine_name, pg_get_function_identity_arguments(translate(substring(rp.specific_name,'_[0-9]+$'),'_','')::int::oid) AS parameters, rp.grantee, rp.privilege_type, rp.is_grantable
FROM information_schema.routine_privileges AS rp
WHERE rp.routine_schema NOT IN (SELECT schema_name
FROM INFORMATION_SCHEMA.schemata
WHERE schema_name<>'public' AND
schema_owner='postgres' AND schema_name IS NOT NULL)  AND
NOT EXISTS (SELECT 1
FROM pg_catalog.pg_depend d inner join pg_catalog.pg_proc pc ON d.objid=pc.oid
WHERE EXISTS (SELECT 1 FROM pg_catalog.pg_extension e WHERE d.refobjid=e.oid) AND
pc.proname || '_' || pc.oid = rp.specific_name) AND
rp.routine_name NOT IN ('f_assume_you_must_use_files', 'f_check_format_comma_separated_list', 'f_check_password', 'f_default_value_with_no_match') AND
NOT EXISTS (SELECT 1
FROM pg_catalog.pg_roles r
WHERE rolsuper=TRUE AND rp.grantee=r.rolname)
ORDER BY rp.grantee, rp.routine_schema, rp.routine_name, parameters;

Collections where the query belongs to

Collection name	Collection description
Find problems by overview	Queries that results point to different aspects of database that might have problems. A human reviewer has to decide based on the results as to whether there are problems or not .

Collection name

Collection description

Find problems by overview

Queries that results point to different aspects of database that might have problems. A human reviewer has to decide based on the results as to whether there are problems or not .

Categories where the query belongs to

Category name	Category description
Security	Queries of this category provide information about the security measures.
User-defined routines	Queries of this category provide information about the user-defined routines

Category name

Category description

Security

Queries of this category provide information about the security measures.

User-defined routines

Queries of this category provide information about the user-defined routines

Reference materials for further reading

Reference
https://www.postgresql.org/docs/current/ddl-priv.html

Reference

https://www.postgresql.org/docs/current/ddl-priv.html