by Ian Hoogeboom on March 17, 2010

From a more DBA point of view, I would like to go into more detail in response to Marcel's blog about APEX web service references and ACLs. With ACLs, Oracle offers fine-grained control over which external network resources a database user may reach. The packages UTL_MAIL, UTL_SMTP, UTL_HTTP, UTL_TCP etc. allow communication from the database server to the outside world, but once a user can execute them, every host is reachable: UTL_TCP, for example, will open a socket to any address and port without any further login. DBAs are therefore advised to revoke the execute privileges on these packages from PUBLIC. Since Oracle 11g an Access Control List (ACL) is available on top of that: you not only control who may execute these packages by granting or revoking them, you also control which hosts and ports they may call. For instance, a user who has been granted UTL_MAIL can be restricted to one named mail server. At first this looks like an obstacle (ORA-24247), but after the Voyager worm, a proof of concept that spread between Oracle databases over UTL_TCP, it was introduced as an extra security measure. I will use the UTL_MAIL package as the example; UTL_MAIL is not installed by default, so scroll to the end of this blog to enable it first.
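Before touching ACLs it is worth knowing who can execute the network packages at all. The following is an added example, not code from the original post: an audit query over dba_tab_privs followed by the revoke-from-PUBLIC and explicit re-grant the paragraph recommends. The package list and the user SCOTT are assumptions for illustration; run it as SYS or a DBA.

```sql
-- Added example (not from the original post). Run as SYS or a DBA.
-- Package list and the grantee SCOTT are assumptions for illustration.

-- 1. Who can currently reach the network from PL/SQL? Any row with
--    grantee = 'PUBLIC' means every database user can open sockets.
select grantee, table_name, grantor
from   dba_tab_privs
where  owner      = 'SYS'
and    privilege  = 'EXECUTE'
and    table_name in ('UTL_TCP', 'UTL_SMTP', 'UTL_MAIL', 'UTL_HTTP', 'UTL_INADDR')
order by table_name, grantee;

-- 2. Take the blanket grants away from PUBLIC ...
revoke execute on utl_tcp    from public;
revoke execute on utl_smtp   from public;
revoke execute on utl_http   from public;
revoke execute on utl_inaddr from public;

-- 3. ... and hand them back only to the schemas that actually need them.
--    The ACL added later then limits *where* these schemas may connect.
grant execute on utl_mail to scott;
grant execute on utl_http to scott;

-- 4. Re-run step 1: PUBLIC should no longer appear as a grantee.
```

Check which schemas depend on the PUBLIC grant (dba_dependencies on these packages) before revoking; products installed in the database may rely on it, and their owners then need an explicit grant.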
Sending a mail as SCOTT fails as long as no ACL grants him access:

ERROR at line 1:
ORA-24247: network access denied by access control list (ACL)
ORA-06512: at "SYS.UTL_MAIL", line 654
ORA-06512: at "SYS.UTL_MAIL", line 671
ORA-06512: at line 1
This is because SCOTT has no privilege to connect to the mail (SMTP) server, so it must be granted through an ACL.
Add Privilege
Great, now that the ACL is created (dbms_network_acl_admin.create_acl also grants the first privilege, here connect), you can add more privileges, such as resolve:
begin
  dbms_network_acl_admin.add_privilege (
    acl       => 'utl_mail.xml',
    principal => 'SCOTT',
    is_grant  => TRUE,
    privilege => 'resolve'
  );
  commit;
end;
/
Assign ACL
Cool, SCOTT can now connect and resolve, but you have not yet defined which host he may connect to:
begin
  dbms_network_acl_admin.assign_acl (
    acl  => 'utl_mail.xml',
    host => 'smtp server host name or address'
  );
  commit;
end;
/
Try again
SQL> connect scott/tiger
Connected.
SQL> begin
       utl_mail.send(
         sender     => 'scott@tiger.com',
         recipients => 'john@doe.org',
         message    => 'Hello World'
       );
     end;
     /
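The steps above (create the ACL, add a privilege, assign a host, verify) in one block, as an added example that is not part of the original post. It is run as SYS; the ACL name, the mail host smtp.tiger.com, port 25 and the 90-day limit on the resolve privilege are assumptions for illustration. It also shows a way to verify the grant without actually sending a mail.

```sql
-- Added example (not from the original post). Run as SYS.
-- smtp.tiger.com, port 25 and the 90-day window are assumptions.
begin
  -- create_acl writes /sys/acls/utl_mail.xml and grants the first
  -- privilege in one call. Principal names are case sensitive and must
  -- match the stored user/role name: 'scott' would be accepted here but
  -- never match user SCOTT, and the ORA-24247 would simply persist.
  dbms_network_acl_admin.create_acl(
    acl         => 'utl_mail.xml',
    description => 'Outbound mail for SCOTT',
    principal   => 'SCOTT',
    is_grant    => TRUE,
    privilege   => 'connect',
    start_date  => null,
    end_date    => null);

  -- resolve is the privilege UTL_INADDR needs for name lookups; the post
  -- grants it next to connect. start_date/end_date make a grant temporary,
  -- so a privilege tied to a project expires instead of living on for years.
  dbms_network_acl_admin.add_privilege(
    acl        => 'utl_mail.xml',
    principal  => 'SCOTT',
    is_grant   => TRUE,
    privilege  => 'resolve',
    start_date => systimestamp,
    end_date   => systimestamp + interval '90' day);

  -- Bind the ACL to one host and one port. The host must be written the
  -- same way as smtp_out_server, otherwise UTL_MAIL will still be denied.
  -- Leaving lower_port/upper_port out would cover every port on the host.
  dbms_network_acl_admin.assign_acl(
    acl        => 'utl_mail.xml',
    host       => 'smtp.tiger.com',
    lower_port => 25,
    upper_port => 25);
  commit;
end;
/

-- Verify without sending anything:
-- 1 = granted, 0 = explicitly denied, NULL = the ACL says nothing about it.
select dbms_network_acl_admin.check_privilege('utl_mail.xml', 'SCOTT', 'connect') as can_connect,
       dbms_network_acl_admin.check_privilege('utl_mail.xml', 'SCOTT', 'resolve') as can_resolve
from   dual;
```

After the end_date passes, can_resolve returns NULL again while can_connect stays 1, which is exactly the kind of drift you want to see in a periodic review of dba_network_acl_privileges.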
Create ACL, add privileges and assign the ACL with ports
Run as SYS:
begin
  dbms_network_acl_admin.create_acl (
    acl         => 'utl_http.xml',
    description => 'HTTP Access',
    principal   => 'SCOTT',
    is_grant    => TRUE,
    privilege   => 'connect',
    start_date  => null,
    end_date    => null
  );
  dbms_network_acl_admin.add_privilege (
    acl        => 'utl_http.xml',
    principal  => 'SCOTT',
    is_grant   => TRUE,
    privilege  => 'resolve',
    start_date => null,
    end_date   => null
  );
  dbms_network_acl_admin.assign_acl (
    acl        => 'utl_http.xml',
    host       => 'www.tiger.com',
    lower_port => 80,
    upper_port => 80
  );
  commit;
end;
/
The host parameter of dbms_network_acl_admin.assign_acl also accepts wildcards such as *.tiger.com, or even * for any host at all. Be aware that a plain * brings you back to "any host" and defeats the purpose of the ACL; use it only when the hosts really cannot be enumerated, and then at least restrict the ports.
Try again
Run as SCOTT:
SQL> select utl_http.request('http://www.tiger.com') from dual;

UTL_HTTP.REQUEST('HTTP://WWW.TIGER.COM')
----------------------------------------
[result here]
Now try the same URL on another port. This fails, because only port 80 has been assigned:

SQL> select utl_http.request('http://www.tiger.com:1234') from dual;
select utl_http.request('http://www.tiger.com:1234') from dual
       *
ERROR at line 1:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1722
ORA-24247: network access denied by access control list (ACL)
ORA-06512: at line 1

lower_port and upper_port define a port range when assigning an ACL. When both are left out, the assignment covers every port on that host, so give the range whenever the service port is known.
dba_network_acls
You can view the host and port assignments by querying dba_network_acls; the principals and privileges inside each ACL are in dba_network_acl_privileges. Note that the ACL is stored under /sys/acls/:

select host, lower_port, upper_port, acl
from   dba_network_acls
where  acl = '/sys/acls/utl_http.xml';
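When a principal is covered by more than one assignment (a wildcard host without ports next to a specific host with a port range, as discussed above), the most specific host wins, and within a host an assignment with a port range wins over one without. The following is an added example, not part of the original post, that sets up two such overlapping assignments and then asks dba_network_acls which one applies to a given host and port. It is run as SYS; the user OPS, the ACL names and the tiger.com hosts are assumptions for illustration.

```sql
-- Added example (not from the original post). Run as SYS.
-- OPS, the ACL names and the tiger.com hosts are assumptions.
begin
  -- Wide grant: any host under tiger.com, any port (no lower/upper_port).
  dbms_network_acl_admin.create_acl(
    acl         => 'ops_wide.xml',
    description => 'OPS: any tiger.com host, any port',
    principal   => 'OPS',
    is_grant    => TRUE,
    privilege   => 'connect');
  dbms_network_acl_admin.assign_acl(
    acl  => 'ops_wide.xml',
    host => '*.tiger.com');

  -- Narrow, explicit deny: www.tiger.com, ports 443-8443 only. This host
  -- name is more specific than *.tiger.com and it carries a port range,
  -- so it overrides the wide grant for exactly that host and range.
  dbms_network_acl_admin.create_acl(
    acl         => 'ops_no_https.xml',
    description => 'OPS: no HTTPS to www.tiger.com',
    principal   => 'OPS',
    is_grant    => FALSE,
    privilege   => 'connect');
  dbms_network_acl_admin.assign_acl(
    acl        => 'ops_no_https.xml',
    host       => 'www.tiger.com',
    lower_port => 443,
    upper_port => 8443);
  commit;
end;
/

-- Which assignments match www.tiger.com:443 for OPS, most specific first?
-- dbms_network_acl_utility.domains() expands the host into the patterns
-- that can match it (www.tiger.com, *.tiger.com, *.com, *), domain_level()
-- ranks them. The first row whose connect_priv is not NULL decides:
-- here the deny (0). Replace 443 by 80 and only the *.tiger.com grant (1)
-- is left, so port 80 stays open.
select acl, host, lower_port, upper_port,
       dbms_network_acl_admin.check_privilege_aclid(aclid, 'OPS', 'connect') as connect_priv
from   dba_network_acls
where  host in (select * from table(dbms_network_acl_utility.domains('www.tiger.com')))
and    (lower_port is null or lower_port <= 443)
and    (upper_port is null or upper_port >= 443)
order by dbms_network_acl_utility.domain_level(host) desc,
         lower_port nulls last, upper_port nulls last;
```

This query is the quickest way to answer "why does user X still get ORA-24247 although I assigned an ACL": it shows every assignment that matches the host and port, in the order the database evaluates them.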
Unassign ACL
begin
  dbms_network_acl_admin.unassign_acl (
    acl        => 'utl_http.xml',
    host       => 'www.tiger.com',
    lower_port => 80,
    upper_port => 80
  );
  commit;
end;
/
Delete Privilege
begin
  dbms_network_acl_admin.delete_privilege (
    acl       => 'utl_http.xml',
    principal => 'SCOTT',
    is_grant  => NULL,
    privilege => 'connect'
  );
  commit;
end;
/
Drop ACL
begin
  dbms_network_acl_admin.drop_acl (
    acl => 'utl_http.xml'
  );
  commit;
end;
/
Enabling UTL_MAIL
In these examples I use UTL_MAIL. This package is not installed by default; run the following statements as SYS to install it and to point it at your mail server. Afterwards grant execute on utl_mail to the specific users who need it rather than to PUBLIC, and remember that the host you set in smtp_out_server is the one the ACL must be assigned to.
SQL> @?/rdbms/admin/utlmail.sql
SQL> @?/rdbms/admin/prvtmail.plb
SQL> alter system set smtp_out_server = '<smtp host>' scope=spfile;
SQL> shutdown immediate
SQL> startup