Asim Jamal
Database Administrator
Oracle 11g Database Network Security
With ACLs, Oracle offers fine-grained control over which users may access
external network resources. The packages UTL_MAIL, UTL_SMTP, UTL_HTTP,
UTL_TCP etc. allow communication from the database server to the outside
world, but once execute access is granted, every host can be reached. This can be
regarded as a security flaw, since no login is required when using UTL_TCP.
DBAs are advised to revoke the execute privilege from PUBLIC on these kinds of
packages.
Since Oracle 11g, the Access Control List (ACL) has been introduced. You can not only
control who has access to these packages by granting execute, but you can now also
control which resources they may call.
For instance, when a user is granted the right to send e-mails using UTL_MAIL, you can
also restrict that user to sending through one specified mail server only.
At first this looks like an obstacle (ORA-24247), but since the Voyager worm
struck Oracle databases a year ago, it has been introduced as an extra security
measure.
I. Configuration of UTL_MAIL :
The UTL_MAIL package is not enabled by default in Oracle 11g. It needs to be
installed, and SMTP_OUT_SERVER set, before the utility can be used.
Execute the following statements as SYS to enable it.
SQL> @?/rdbms/admin/utlmail.sql
SQL> @?/rdbms/admin/prvtmail.plb
SQL> alter system set smtp_out_server = '<smtp host>' scope=spfile;
SQL> shutdown immediate
SQL> startup
1. Creating an ACL :
The ACL is created with the "connect" privilege for the principal (here SCOTT).
begin
  dbms_network_acl_admin.create_acl (
    acl         => 'utl_mail.xml',
    description => 'Allow mail to be sent',
    principal   => 'SCOTT',
    is_grant    => TRUE,
    privilege   => 'connect' );
  commit;
end;
/
2. Adding a Privilege :
The ACL now exists, and further privileges such as "resolve" can be added to it.
begin
  dbms_network_acl_admin.add_privilege (
    acl       => 'utl_mail.xml',
    principal => 'SCOTT',
    is_grant  => TRUE,
    privilege => 'resolve' );
  commit;
end;
/
3. Assigning an ACL :
Now that the principal has been granted the connect and resolve privileges, the ACL
must be assigned to the host(s) the user is allowed to connect to.
begin
  dbms_network_acl_admin.assign_acl (
    acl  => 'utl_mail.xml',
    host => 'smtp server host name or address' );
  commit;
end;
/
SQL> grant execute on utl_mail to SCOTT;
II. Configuration of UTL_SMTP :
Execute the following statements as SYS.
SQL> @?/rdbms/admin/utlsmtp.sql
SQL> @?/rdbms/admin/prvtsmtp.plb
SQL> alter system set smtp_out_server = '<smtp host>' scope=spfile;
SQL> shutdown immediate
SQL> startup
1. Creating an ACL :
The ACL is created with the "connect" privilege for the principal XYZ. The privilege
is effective from now on (start_date) with no expiry (end_date).
begin
  dbms_network_acl_admin.create_acl (
    acl         => 'utl_smtp.xml',
    description => 'utl_smtp',
    principal   => 'XYZ',
    is_grant    => TRUE,
    privilege   => 'connect',
    start_date  => SYSTIMESTAMP,
    end_date    => null );
  commit;
end;
/
2. Adding a Privilege :
The ACL now exists, and further privileges such as "resolve" can be added to it.
begin
  dbms_network_acl_admin.add_privilege (
    acl       => 'utl_smtp.xml',
    principal => 'XYZ',
    is_grant  => TRUE,
    privilege => 'resolve' );
  commit;
end;
/
3. Assigning an ACL :
Now that XYZ has been granted the connect and resolve privileges, the ACL must be
assigned to the host(s) the user is allowed to connect to.
begin
  dbms_network_acl_admin.assign_acl (
    acl  => 'utl_smtp.xml',
    host => 'smtp server host name or address' );
  commit;
end;
/
SQL> grant execute on utl_smtp to XYZ;
III. Configuration of UTL_HTTP :
1. Creating an ACL :
The ACL is created with the "connect" privilege for the principal XYZ, without any
time limit.
begin
  dbms_network_acl_admin.create_acl (
    acl         => 'utl_http.xml',
    description => 'HTTP Access',
    principal   => 'XYZ',
    is_grant    => TRUE,
    privilege   => 'connect',
    start_date  => null,
    end_date    => null );
  commit;
end;
/
2. Adding a Privilege :
The ACL now exists, and further privileges such as "resolve" can be added to it.
begin
  dbms_network_acl_admin.add_privilege (
    acl        => 'utl_http.xml',
    principal  => 'XYZ',
    is_grant   => TRUE,
    privilege  => 'resolve',
    start_date => null,
    end_date   => null );
  commit;
end;
/
3. Assigning an ACL :
Now that XYZ has been granted the connect and resolve privileges, the ACL must be
assigned to the host the user is allowed to connect to. Here access is further
limited to a single port (80) by giving lower_port and upper_port.
begin
  dbms_network_acl_admin.assign_acl (
    acl        => 'utl_http.xml',
    host       => 'www.xyz.com',
    lower_port => 80,
    upper_port => 80 );
  commit;
end;
/
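To verify what the three configurations above actually allow, the following queries against the ACL dictionary views can be run as a DBA. They are an added example, not part of the original document; the principal XYZ and the ACL file name utl_http.xml are the ones used in the steps above.

```sql
-- Added verification queries (not part of the original document).

-- 1. Which host/port ranges does each ACL cover, and who holds which privilege?
--    This is the complete picture of who may reach what through UTL_*.
SELECT a.host, a.lower_port, a.upper_port, a.acl,
       p.principal, p.privilege, p.is_grant, p.start_date, p.end_date
  FROM dba_network_acls a
  JOIN dba_network_acl_privileges p ON p.aclid = a.aclid
 ORDER BY a.host, a.acl, p.principal;

-- 2. Does XYZ hold "connect" and "resolve" in the UTL_HTTP ACL?
--    CHECK_PRIVILEGE returns 1 = granted, 0 = denied, NULL = not in the ACL,
--    so a NULL here explains an ORA-24247 for that user.
SELECT dbms_network_acl_admin.check_privilege('utl_http.xml', 'XYZ', 'connect') AS can_connect,
       dbms_network_acl_admin.check_privilege('utl_http.xml', 'XYZ', 'resolve') AS can_resolve
  FROM dual;

-- 3. Is any network package still executable by PUBLIC?
--    Should return no rows once the advice in the introduction has been followed.
SELECT table_name, grantee, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_TCP', 'UTL_SMTP', 'UTL_MAIL', 'UTL_HTTP', 'UTL_INADDR');
```

Query 1 is the one worth re-running after every ACL change, since an ACL assigned to host '*' would silently undo the per-host restriction the configuration is meant to provide.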