DBSecWorx: XS_ACL

Oracle XS_ACL_INT Built-In Package Versions 11.2 - 21c

Security Advisory

This package is part of Oracle Database Real Application Security (RAS) and is used to create, alter, drop, and manage Access Control Lists using an API that appears to be identical to that of XS_ACL. Why this package exists as it is, and the security concerns that raises, are explained in detail in the "How Oracle Works" section of this page.

Recommended Security Rules

NEVER

Grant access to this package to any user for any reason

WITH GREAT CARE

Review audit logs for package use or attempts to use this package

CAUTIONS

How Oracle Works

In the beginning of package deployment Oracle built a single package such as DBMS_SQL or UTL_FILE and put all of the code into the package, with the exception in some cases of using Library objects. Thus there are first generation package from Oracle 7 with names like DBMS_SQL and UTL_FILE that are stand-alone. Then, in Oracle 8, there were packages with corresponding library objects such as DBMS_AQ with DBMS_AQ_LIB and UTL_TCP with UTL_TCP_LIB. The current deployment architecture, especially since the introduction of the ACCESSIBLE BY clause, has been a pairing of API and internal (INT) packages such as in this case XS_ACL and XS_ACL_INT. What is unusual in the case of this pairing is that it appears that XS_ACL_INT is not protected from direct access by means of the ACCESSIBLE BY clause. We do not know why ...but it does raise security concerns.

XS_ACL_INT Package Information

AUTHID DEFINER

Dependencies

DBMS_STANDARD	XS$ACE_LIST	XS$OBJ
DBMS_SYS_ERROR	XS$ACE_PRIV	XS$POLICY_PARAM
DUAL	XS$ACE_TYPE	XS$PRIN
PLITBLM	XS$ACL	XS_ACL
USER$	XS$ACL_PARAM	XS_ADMIN_INT
X$KSPPCV	XS$INSTSET_ACL	XS_ADMIN_UTIL
X$KSPPI	XS$NAME_LIST	XS_MTCACHE_INT
XS$ACE	XS$NSTMPL

Documented No

First Available 11.2

Security Model Owned by SYS with no privileges granted

Source {ORACLE_HOME}/rdbms/admin/prvtacl.plb

Subprograms

ADD_ACL_PARAMETER	GRANT_PRIVILEGE	SET_DESCRIPTION
APPEND_ACES	REMOVE_ACES	SET_PARENT_ACL
CREATE_ACL	REMOVE_ACL_PARAMETERS	SET_SECURITY_CLASS
DELETE_ACL	REVOKE_PRIVILEGE

ADD_ACL_PARAMETER

Add a numeric parameter value

Overload 1 xs_acl_int.add_acl_parameter( acl IN VARCHAR2, policy IN VARCHAR2, parameter IN VARCHAR2, value IN NUMBER);

TBD

Add a string parameter value

Overload 2 xs_acl_int.add_acl_parameter( acl IN VARCHAR2, policy IN VARCHAR2, parameter IN VARCHAR2, value IN VARCHAR2);

exec xs_acl_int.add_acl_parameter('DBSECWORXACL','XPOLICY','GEO', 'EMEA');

APPEND_ACES

Append one ACE to the ACL

Overload 1 xs_acl_int.append_aces( acl IN VARCHAR2, ace IN xs$ace_type);

DECLARE 

       atype xs$ace_type;

      BEGIN 

       
      atype := xs$ace_type(privilege_list=>xs$name_list('"SELECT"'), 

                             granted=>TRUE,

                             principal_name=>'DBA',

                             principal_type=>xs_acl.ptype_db);

       
      xs_acl_int.append_aces('DBSECWORXACL', atype);

      END;

      /

Append ACEs to the ACL

Overload 2 xs_acl_int.append_aces( acl IN VARCHAR2, ace_list IN XS$ACE_LIST);

TBD

CREATE_ACL

Create an Access Control List xs_acl_int.create_acl( name IN VARCHAR2, ace_list IN XS$ACE_LIST, sec_class IN VARCHAR2, parent IN VARCHAR2, inherit_mode IN BINARY_INTEGER, description IN VARCHAR2);

col acl format a45

      col owner format a20

      col privilege format a20

      col security_class format a20

      

      SELECT acl, owner, privilege, security_class

      FROM dba_xs_aces

      ORDER BY 1;

      

      DECLARE

       alist xs$ace_list;

      BEGIN 

        alist := xs$ace_list(

                   xs$ace_type(privilege_list=>xs$name_list('"SELECT"','VIEW_SENSITIVE_INFO'),

                               granted=>TRUE, 

                               principal_name=>'CSR'),

                   xs$ace_type(privilege_list=>xs$name_list('UPDATE_INFO'),

                               granted=>TRUE,

                               principal_name=>'MGR'));

        xs_acl_int.create_acl('DBSECWORXACL', alist, 'SECPRIVS', description=>'Data Access');

      END;

      /

      

      SELECT acl, owner, privilege, security_class

      FROM dba_xs_aces

      WHERE acl = 'DBSECWORXACL';

      

      ACL           OWNER  PRIVILEGE            SECURITY_CLASS

      ------------- ------ -------------------- ---------------

      DBSECWORXACL  SYS    SELECT               SECPRIVS

      DBSECWORXACL  SYS    VIEW_SENSITIVE_INFO  SECPRIVS

      DBSECWORXACL  SYS    UPDATE_INFO          SECPRIVS

DELETE_ACL

Drop an Access Control list xs_acl_int.delete_acl( acl IN VARCHAR2, delete_option IN PLS_INTEGER);

exec xs_acl_int.delete_acl('DBSECWORXACL');

GRANT_PRIVILEGE

Undocumented xs_acl_int.grant_privilege( ACL IN VARCHAR2, privilege IN VARCHAR2, principal IN VARCHAR2, principal_type IN BINARY_INTEGER);

TBD

REMOVE_ACES

Not sure if this removes an ACE or an ACL. Name and parameter do not agree xs_acl_int.remove_aces(acl IN VARCHAR2);

exec xs_acl_int.remove_aces('DBSECWORXACL');

REMOVE_ACL_PARAMETERS

Remove all parameters
Overload 1 xs_acl_int.remove_acl_parameters(acl IN VARCHAR2);

exec xs_acl_int.remove_acl_parameters('DBSECWORXACL');

Remove a single parameter
Overload 2 xs_acl_int.remove_acl_parameters( acl IN VARCHAR2, parameter IN VARCHAR2);

exec xs_acl_int.remove_acl_parameters('DBSECWORXACL', 'GEO');

Remove a policy associated parameter

Overload 3 xs_acl_int.remove_acl_parameters( acl IN VARCHAR2, policy IN VARCHAR2, parameter IN VARCHAR2);

exec xs_acl_int.remove_acl_parameters('DBSECWORXACL', 'XPOLICY', 'GEO');

REVOKE_PRIVILEGE

Undocumented xs_acl_int.revoke_privilege( ACL IN VARCHAR2, privilege IN VARCHAR2, principal IN VARCHAR2, principal_type IN BINARY_INTEGER);

TBD

SET_DESCRIPTION

Sets or updates the description of an ACL in the data dictionary xs_acl_int.set_description( acl IN VARCHAR2, description IN VARCHAR2);

exec xs_acl_int.set_description('DBSECWORXACL', 'DBSecWorx Secure ACL');

SET_PARENT_ACL

Sets the parent ACL xs_acl_int.set_parent_acl( acl IN VARCHAR2, parent IN VARCHAR2, inherit_mode IN PLS_INTEGER);

exec xs_acl_int.set_parent_acl('DSECWORX','SYSTEMACL', xs_acl_int.extended);

SET_SECURITY_CLASS

Sets the security class xs_acl_int.set_security_class( acl IN VARCHAR2, sec_class IN VARCHAR2);

col acl format a45

      col owner format a20

      col privilege format a20

      col security_class format a20

      

      SELECT acl, owner, privilege, security_class

      FROM dba_xs_aces

      WHERE acl = 'DBSECWORXACL';

      

      ACL           OWNER  PRIVILEGE            SECURITY_CLASS

      ------------- ------ -------------------- ---------------

      DBSECWORXACL  SYS    SELECT               SECPRIVS

      DBSECWORXACL  SYS    VIEW_SENSITIVE_INFO  SECPRIVS

      DBSECWORXACL  SYS    UPDATE_INFO          SECPRIVS

      

      exec xs_acl_int.set_security_class('DBSECWORXACL', 'SYSTEM');

      

      SELECT acl, owner, privilege, security_class

      FROM dba_xs_aces

      WHERE acl = 'DBSECWORXACL';

      

      ACL           OWNER  PRIVILEGE            SECURITY_CLASS

      ------------- ------ -------------------- ---------------

      DBSECWORXACL  SYS    SELECT               SYSTEM

      DBSECWORXACL  SYS    VIEW_SENSITIVE_INFO  SYSTEM

      DBSECWORXACL  SYS    UPDATE_INFO          SYSTEM