Query goal: | Find excessive privileges to use base tabes (for others than the owner of the base table). The excessive privileges are all that are not SELECT, INSERT, UPDATE, DELETE. |
Query type: | Problem detection (Each row in the result could represent a flaw in the design) |
Query reliability: | Medium (Medium number of false-positive results) |
Query license: | MIT License |
Fixing suggestion: | Revoke the excess privileges. |
Data source: | INFORMATION_SCHEMA+system catalog |
SQL query: | Click on query to copy it
SELECT tp.grantee, tp.table_schema, tp.table_name, t.table_type, tp.privilege_type FROM information_schema.table_privileges AS tp INNER JOIN information_schema.tables AS t ON t.table_schema=tp.table_schema AND t.table_name=tp.table_name WHERE t.table_type='BASE TABLE' AND tp.table_schema NOT IN (SELECT schema_name FROM INFORMATION_SCHEMA.schemata WHERE schema_name<>'public' AND schema_owner='postgres' AND schema_name IS NOT NULL) AND tp.privilege_type NOT IN ('SELECT','INSERT','UPDATE','DELETE') AND grantee <> ALL (SELECT tableowner FROM pg_catalog.pg_tables AS pt WHERE pt.schemaname=tp.table_schema AND pt.tablename=tp.table_name) ORDER BY grantee, tp.table_schema, tp.table_name; |
SQL query | Description |
---|---|
SELECT format('REVOKE %1$s ON TABLE %2$I.%3$I FROM %4$I;', tp.privilege_type, tp.table_schema, tp.table_name, tp.grantee) AS statements FROM information_schema.table_privileges AS tp INNER JOIN information_schema.tables AS t ON t.table_schema=tp.table_schema AND t.table_name=tp.table_name WHERE t.table_type='BASE TABLE' AND tp.table_schema NOT IN (SELECT schema_name FROM INFORMATION_SCHEMA.schemata WHERE schema_name<>'public' AND schema_owner='postgres' AND schema_name IS NOT NULL) AND tp.privilege_type NOT IN ('SELECT','INSERT','UPDATE','DELETE') AND grantee <> ALL (SELECT tableowner FROM pg_catalog.pg_tables AS pt WHERE pt.schemaname=tp.table_schema AND pt.tablename=tp.table_name) ORDER BY grantee, tp.table_schema, tp.table_name; | Revoke the privilege. |
Collection name | Collection description |
---|---|
Find problems automatically | Queries, that results point to problems in the database. Each query in the collection produces an initial assessment. However, a human reviewer has the final say as to whether there is a problem or not . |
Category name | Category description |
---|---|
Security | Queries of this category provide information about the security measures. |
Reference |
---|
https://www.postgresql.org/docs/current/ddl-priv.html |