Time: 16:30 - 17:20
Room: PGDay at Hilton
For all combinations of who/which/what, list who currently has which type of permissions for what objects in your most important database(s)? It shouldn’t be that hard to figure out, right? Would you be willing to bet your job that you have given a complete and correct answer, even if this were an open book test with access to the server and ample time?
This talk seeks to dive deep into the weeds on the topic of how roles interact with Postgres default behaviors, role attributes, and object privileges, resulting in a particular discretionary access control (DAC) security posture. In order to do that an extension called "check_access" will be used to explore the who/which/what of access control.
Specifically the talk will cover: Properties of Postgres roles (attributes, membership, privileges, and settings), and the nuances of how they interact. Installation and use of the check_access extension Creation of fairly simple sample set of objects and roles In depth analysis of the resulting access profile A related aside on CVE-2018-1058: explanation, exploitation, and protection Recommended final cleanup and results
The audience is anyone interested in security within their PostgreSQL database.