4.6 Ensure excessive DML privileges are revoked

Information

DML (insert, update, delete) operations at the table level should be restricted to only authorized users. PostgreSQL manages table-level DML permissions via the GRANT statement.

Rationale:

Excessive DML grants can lead to unprivileged users changing or deleting information without proper authorization.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

If a given database user has been granted excessive DML privileges for a given database table, those privileges should be revoked immediately using the REVOKE SQL command.

Continuing with the example above, remove unauthorized grants for appreader user using the REVOKE statement and verify the Boolean values are now false.

postgres=# REVOKE INSERT, UPDATE, DELETE ON TABLE customer FROM appreader;
REVOKE

postgres=# select t.tablename, u.usename,
has_table_privilege(u.usename, t.tablename, 'select') as select,
has_table_privilege(u.usename, t.tablename, 'insert') as insert,
has_table_privilege(u.usename, t.tablename, 'update') as update,
has_table_privilege(u.usename, t.tablename, 'delete') as delete
from pg_tables t, pg_user u
where t.tablename = 'customer'
and u.usename in ('appwriter','appreader');

tablename | usename | select | insert | update | delete
----------+-----------+--------+--------+--------+--------
customer | appwriter | t | t | t | t
customer | appreader | t | f | f | f
(2 rows)

Note: For versions of PostgreSQL prior to version 15, CVE-2018-1058 is applicable and it is recommended that all privileges be revoked from the public schema for all users on all databases. If you have upgraded from one of these earlier releases, this CVE is not fixed for you during an upgrade. You can correct this CVE by issuing:

postgres=# REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE

Default Value:

The table owner/creator has full privileges; all other users must be explicitly granted access.

See Also

https://workbench.cisecurity.org/benchmarks/17004

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1

Plugin: PostgreSQLDB

Control ID: 75b718a676d9844175be3ababae2439782679de3fa170fa3f537f3c7f8aa81da