4.4 Ensure excessive DML privileges are revoked

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

DML (insert, update, delete) operations at the table level should be restricted to only authorized users. PostgreSQL manages table-level DML permissions via the GRANT statement.

Rationale:

Excessive DML grants can lead to unprivileged users changing or deleting information without proper authorization.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

If a given database user has been granted excessive DML privileges for a given database table, those privileges should be revoked immediately using the REVOKE SQL command.
Continuing with the example above, remove unauthorized grants for appreader user using the REVOKE statement and verify the Boolean values are now false.

postgres=# REVOKE INSERT, UPDATE, DELETE ON TABLE customer FROM appreader;
REVOKE

postgres=# select t.tablename, u.usename,
has_table_privilege(u.usename, t.tablename, 'select') as select,
has_table_privilege(u.usename, t.tablename, 'insert') as insert,
has_table_privilege(u.usename, t.tablename, 'update') as update,
has_table_privilege(u.usename, t.tablename, 'delete') as delete
from pg_tables t, pg_user u
where t.tablename = 'customer'
and u.usename in ('appwriter','appreader');

tablename | usename | select | insert | update | delete
----------+-----------+--------+--------+--------+--------
customer | appwriter | t | t | t | t
customer | appreader | t | f | f | f
(2 rows)

Note: For versions of PostgreSQL prior to version 15, CVE-2018-1058 is applicable and it is recommended that all privileges be revoked from the public schema for all users on all databases. If you have upgraded from one of these earlier releases, this CVE is not fixed for you during an upgrade. You can correct this CVE by issuing:

postgres=# REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE

Default Value:

The table owner/creator has full privileges; all other users must be explicitly granted access.

See Also

https://workbench.cisecurity.org/files/4247

Item Details

References: CSCv7|5.1

Plugin: PostgreSQLDB

Control ID: c08e49fa5a87d918766bf4c227ae8bd81cae8df737589d19c6dd2b8917bfb041