Functions in PostgreSQL can be created with the SECURITY DEFINER option. When a SECURITY DEFINER function is executed by a user, it runs with the privileges of the role that owns the function (its creator, unless ownership has since been changed), not with the privileges of the caller.
To list all functions that have SECURITY DEFINER, together with any function-level configuration settings (proconfig, such as a pinned search_path), as the DBA (shown here as "postgres"), run the following SQL:
$ sudo su - postgres
$ psql -c "SELECT nspname, proname, proargtypes, prosecdef, rolname, proconfig FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef OR NOT proconfig IS NULL"
In the query results, a prosecdef value of "t" on a row indicates that the function on that row uses privilege elevation (SECURITY DEFINER); a non-null proconfig shows the configuration parameters, such as search_path, that the function sets for the duration of each call.
If elevation of PostgreSQL privileges is utilized but not documented, this is a finding.
If elevation of PostgreSQL privileges is documented, but not implemented as described in the documentation, this is a finding.
If the privilege-elevation logic can be invoked in ways other than intended, or in contexts other than intended, or by subjects/principals other than intended, this is a finding.
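The following is an added illustration, not part of the STIG check text, of the three conditions above: a SECURITY DEFINER function first written in the weak form (callable by anyone, body resolved through the caller's search_path) and then hardened, followed by the listing query from the check and a second query that shows who can actually invoke each elevated function. The schema name audit, the role app_user and the function audit.log_event are hypothetical names chosen for the example.

```sql
-- Added illustration (not from the STIG). Role app_user, schema audit and
-- function audit.log_event are hypothetical names chosen for this example.

CREATE SCHEMA audit;
CREATE TABLE audit.events (
    id      bigserial   PRIMARY KEY,
    actor   text        NOT NULL,
    at      timestamptz NOT NULL DEFAULT now(),
    message text        NOT NULL
);
CREATE ROLE app_user LOGIN;
GRANT USAGE ON SCHEMA audit TO app_user;   -- may call functions in it; no table grants

-- Weak form: runs as the owner (postgres), but nothing limits who may call it
-- and the unqualified upper() is resolved through the caller's search_path.
-- PostgreSQL grants EXECUTE to PUBLIC on new functions by default.
CREATE FUNCTION audit.log_event(msg text) RETURNS void
LANGUAGE sql SECURITY DEFINER AS $$
    INSERT INTO audit.events (actor, message) VALUES (session_user, upper(msg));
$$;

-- Hardened form: pin search_path for the body, drop the default PUBLIC grant,
-- and grant EXECUTE only to the principal that is meant to call it.
-- session_user (the login role) is recorded because inside a SECURITY DEFINER
-- body current_user is the owner, not the caller.
CREATE OR REPLACE FUNCTION audit.log_event(msg text) RETURNS void
LANGUAGE sql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
    INSERT INTO audit.events (actor, message) VALUES (session_user, upper(msg));
$$;
REVOKE EXECUTE ON FUNCTION audit.log_event(text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION audit.log_event(text) TO app_user;

-- The listing query from the check now reports the function with
-- prosecdef = t and proconfig = {"search_path=pg_catalog, pg_temp"}.
SELECT nspname, proname, prosecdef, rolname, proconfig
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_authid   a ON a.oid = p.proowner
WHERE prosecdef OR proconfig IS NOT NULL;

-- Who may invoke each elevated function? aclexplode lists the grantees;
-- grantee 0 is PUBLIC. A NULL proacl means the default ACL applies, which
-- includes EXECUTE for PUBLIC, so a function that returns no rows here is
-- not restricted, it simply has never had its ACL changed.
SELECT p.oid::regprocedure AS function,
       CASE acl.grantee WHEN 0 THEN 'PUBLIC'
                        ELSE acl.grantee::regrole::text END AS grantee,
       acl.privilege_type
FROM pg_proc p
CROSS JOIN LATERAL aclexplode(p.proacl) AS acl
WHERE p.prosecdef;
```

When reviewing the output against the documentation, the hardened function should appear with exactly the grantees the documentation names and a proconfig that pins search_path; an elevated function with EXECUTE for PUBLIC, or with a NULL proacl, is reachable by subjects other than intended, and one without a search_path setting can be invoked in contexts other than intended by any caller able to create objects in a schema that precedes pg_catalog in their search_path.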