4.4 Ensure excessive DML privileges are revoked

Information

DML (insert, update, delete) operations at the table level should be restricted to only authorized users. PostgreSQL manages table level DML permissions via the GRANT statement.

Rationale:

Excessive DML grants can lead to unprivileged users changing or deleting information without proper authorization.


NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

If a given database user has been granted excessive DML privileges for a given database table, those privileges should be revoked immediately using the REVOKE SQL command.
Continuing with the example above, remove unauthorized grants for appreader user using the REVOKE statement and verify the Boolean values are now false.
postgres=# REVOKE INSERT, UPDATE, DELETE ON TABLE customer FROM appreader;
REVOKE

postgres=# select t.tablename, u.usename,
has_table_privilege(u.usename, t.tablename, 'select') as select,
has_table_privilege(u.usename, t.tablename, 'insert') as insert,
has_table_privilege(u.usename, t.tablename, 'update') as update,
has_table_privilege(u.usename, t.tablename, 'delete') as delete
from pg_tables t, pg_user u
where t.tablename = 'customer'
and u.usename in ('appwriter','appreader');

tablename | usename | select | insert | update | delete
----------+-----------+--------+--------+--------+--------
customer | appwriter | t | t | t | t
customer | appreader | t | f | f | f
(2 rows)
With the publication of CVE-2018-1058, it is also recommended that all privileges be revoked from the public schema for all users on all databases:
postgres=# REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE

Default Value:

The table owner/creator has full privileges; all other users must be explicitly granted access.

See Also

https://workbench.cisecurity.org/files/2407

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|5.1, CSCv7|5.1

Plugin: PostgreSQLDB

Control ID: 3734a526e40fb0fe331713f3a9920f124cc0fe7985af6b618a282cbff165d0e6