| Security Advisory | 
    
    
      This package is part of Oracle Database Real Application Security (RAS) and is used to grant and revoke privileges. With that in mind, Oracle decided to grant EXECUTE on this package to PUBLIC.
      Really, if that makes sense to you, please consider taking up a different line of work. 
       
      The documentation says that "The SYS privilege is required to grant or revoke a Real Application Security system privilege to or from a user or role." which is not true by definition as there is no "SYS" privilege in Oracle.
      Look at the How Oracle Works section to see the details of how we proved this statement was not true beyond the obvious. | 
    
    
      |   | 
    
    
      | Recommended Security Rules | 
    
    
       
       NEVER
      
        - Let any user or schema without documented justification or escalated privileges gain access to this package. Enforce this by revoking EXECUTE from PUBLIC
 
       
       WITH GREAT CARE
      
        - Identify legitimate requirements for access to this package and grant EXECUTE explicitly to only justified schemas
 
        - Query the data dictionary after EXECUTE has been revoked from PUBLIC to verify the equivalence created is the equivalence approved by IT management and your CISO
 
       
       CAUTIONS
        - Some dependencies may exist in the form of dynamic SQL, so carefully verify usage requirements in source code as well as in DBA_DEPENDENCIES
 
       
       | 
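The rules above as one SQL*Plus audit-and-remediation pass, added here as an example and not part of the original page. APP_SEC_ADMIN is a hypothetical schema standing in for one with documented justification; the dictionary views used are the standard DBA_TAB_PRIVS, DBA_DEPENDENCIES, DBA_SOURCE and DBA_OBJECTS.

```sql
-- Added example (not from the original page).
-- APP_SEC_ADMIN is a hypothetical, justified schema; substitute your own.

-- 1. Baseline: who can execute the package today, directly or via PUBLIC?
SELECT grantee, privilege, grantable, grantor
FROM dba_tab_privs
WHERE owner = 'SYS'
AND table_name = 'XS_ADMIN_UTIL'
ORDER BY grantee;

-- 2. Static references recorded at compile time. Callers that resolve the
--    package through a public synonym show REFERENCED_OWNER = 'PUBLIC'.
SELECT owner, name, type, referenced_owner, referenced_type
FROM dba_dependencies
WHERE referenced_name = 'XS_ADMIN_UTIL'
AND referenced_owner IN ('SYS', 'PUBLIC')
AND owner <> 'SYS'
ORDER BY owner, name;

-- 3. Dynamic SQL is invisible to DBA_DEPENDENCIES, so search stored source
--    for the package name. Wrapped code and application-tier code are not
--    covered by this query and must be reviewed separately.
SELECT owner, name, type, line, text
FROM dba_source
WHERE UPPER(text) LIKE '%XS_ADMIN_UTIL%'
AND owner <> 'SYS'
ORDER BY owner, name, type, line;

-- 4. Grant explicitly to the justified schema first, then remove the
--    PUBLIC grant, so that approved callers never lose access.
GRANT EXECUTE ON sys.xs_admin_util TO app_sec_admin;
REVOKE EXECUTE ON sys.xs_admin_util FROM PUBLIC;

-- 5. Verify: PUBLIC must no longer appear, and every remaining grantee
--    must match the approved list.
SELECT grantee, privilege, grantable
FROM dba_tab_privs
WHERE owner = 'SYS'
AND table_name = 'XS_ADMIN_UTIL'
ORDER BY grantee;

-- 6. Objects that relied on the PUBLIC grant are invalidated by the revoke.
--    Anything listed here that was valid before step 4 is an undocumented
--    consumer of the package.
SELECT owner, object_name, object_type
FROM dba_objects
WHERE status = 'INVALID'
AND owner <> 'SYS'
ORDER BY owner, object_name;
```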
    
    
      |   | 
    
    
      | How Oracle Works | 
    
    
      Oracle has released an option named Real Application Security (RAS) that contains a lot of moving pieces, of which this is one.
      We are currently working on a single comprehensive monograph to explain RAS from the standpoint of what it offers, the pieces required to make it work, and any risks associated either with its use or with how Oracle has implemented it. 
       
      One of our biggest concerns is the lack of good documentation, especially around the constants, to help implementers understand which options to choose in which situations. This package alone contains 40 constants, not one of which is explained in the docs.
      Another is the number of security-related pieces of the puzzle that are granted to PUBLIC.
      We cannot think of a single reason why any piece of a security infrastructure should have control granted to PUBLIC, so we are, at the moment, highly skeptical that it can be effectively employed by the typical Oracle customer. | 
    
    
      Proving the docs are wrong and exposing a security issue. 
       
      First, DBA is a role containing 235 separate system privileges so we still do not know precisely what system privilege(s) are required to grant execute. 
       
      Second, note that SCOTT can not only grant to others ... SCOTT can grant to SCOTT. This is dangerous territory. 
       
        | 
      conn sys@pdbdev as sysdba 
      Enter password: 
      Connected. 
       
      GRANT dba TO scott; 
       
      Grant succeeded. 
       
      conn scott/tiger@pdbdev 
      Connected. 
       
      -- the following proves the Oracle RAS documentation is incorrect 
      -- and that it is likely an undocumented system privilege is required 
      exec xs_admin_util.grant_system_privilege('ADMINISTER_SESSION', 'UWCLASS'); 
       
      PL/SQL procedure successfully completed. 
       
      -- the following proves that the package can be used to grant to self 
      exec xs_admin_util.grant_system_privilege('ADMINISTER_SESSION', 'SCOTT'); 
       
      PL/SQL procedure successfully completed. 
       
      -- but worse than a self-grant ... the following is 
      -- fatally flawed by definition 
      exec xs_admin_util.grant_system_privilege('ADMINISTER_SESSION', 'PUBLIC'); 
       
      PL/SQL procedure successfully completed. 
       
      exec xs_admin_util.grant_system_privilege('ADMIN_ANY_NAMESPACE', 'PUBLIC'); 
       
      PL/SQL procedure successfully completed. 
       
      exec xs_admin_util.grant_system_privilege('ADMIN_ANY_SEC_POLICY', 'PUBLIC'); 
       
      PL/SQL procedure successfully completed. 
       
      exec xs_admin_util.grant_system_privilege('ADMIN_SEC_POLICY', 'PUBLIC'); 
       
      PL/SQL procedure successfully completed. 
       
      exec xs_admin_util.grant_system_privilege('APPLY_SEC_POLICY', 'PUBLIC'); 
       
      PL/SQL procedure successfully completed. 
       
      exec xs_admin_util.grant_system_privilege('ASSIGN_USER', 'PUBLIC'); 
       
      PL/SQL procedure successfully completed. 
       
      exec xs_admin_util.grant_system_privilege('ATTACH_SESSION', 'PUBLIC'); 
       
      PL/SQL procedure successfully completed. 
       
      exec xs_admin_util.grant_system_privilege('CALLBACK', 'PUBLIC'); 
       
      PL/SQL procedure successfully completed. 
       
      exec xs_admin_util.grant_system_privilege('CREATE_SESSION', 'PUBLIC'); 
       
      PL/SQL procedure successfully completed. 
       
      exec xs_admin_util.grant_system_privilege('CREATE_TRUSTED_SESSION', 'PUBLIC'); 
       
      PL/SQL procedure successfully completed. 
       
      exec xs_admin_util.grant_system_privilege('MODIFY_SESSION', 'PUBLIC'); 
       
      PL/SQL procedure successfully completed. 
       
      exec xs_admin_util.grant_system_privilege('PROVISION', 'PUBLIC'); 
       
      PL/SQL procedure successfully completed. 
       
      exec xs_admin_util.grant_system_privilege('SET_DYNAMIC_ROLES', 'PUBLIC'); 
       
      PL/SQL procedure successfully completed. 
       
      exec xs_admin_util.grant_system_privilege('TERMINATE_SESSION', 'PUBLIC'); 
       
      PL/SQL procedure successfully completed. 
       
      -- we didn't really have to list every one of these like we did but we are hoping 
      -- someone at Oracle is paying attention and realizes this needs to be fixed ASAP. | 
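One way to find and back out grants like the ones demonstrated above, added here as an example and not part of the original page. It assumes that grants made through grant_system_privilege are visible as ACEs in the DBA_XS_ACES dictionary view (PRINCIPAL and PRIVILEGE columns); it only prints the revoke calls so they can be reviewed before anything is changed.

```sql
-- Added example (not from the original page).
-- Assumption: grants made with xs_admin_util.grant_system_privilege appear
-- as ACEs in DBA_XS_ACES with the grantee in the PRINCIPAL column.

SET SERVEROUTPUT ON

-- 1. Every RAS privilege currently held by PUBLIC and the ACL carrying it.
SELECT owner, acl, privilege, grant_type, principal_type
FROM dba_xs_aces
WHERE principal = 'PUBLIC'
ORDER BY owner, acl, privilege;

-- 2. All principals holding XS system privileges, for comparison against
--    the approved list. The subquery is the page's own "List of XS System
--    Privileges" query against xs$obj.
SELECT principal, principal_type, COUNT(*) AS priv_count
FROM dba_xs_aces
WHERE privilege IN (SELECT name FROM sys.xs$obj WHERE type = 4)
GROUP BY principal, principal_type
ORDER BY priv_count DESC, principal;

-- 3. Generate, but do not execute, one revoke call per system privilege
--    held by PUBLIC. Review the output, then run the approved lines as a
--    suitably privileged user.
BEGIN
  FOR r IN (SELECT DISTINCT privilege
            FROM dba_xs_aces
            WHERE principal = 'PUBLIC'
            AND privilege IN (SELECT name FROM sys.xs$obj WHERE type = 4)
            ORDER BY privilege)
  LOOP
    dbms_output.put_line(
      'exec xs_admin_util.revoke_system_privilege(''' ||
      r.privilege || ''', ''PUBLIC'');');
  END LOOP;
END;
/
```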
    
    
      |   | 
    
    
      | XS_ADMIN_UTIL Package Information | 
    
    
      | AUTHID | 
      CURRENT_USER | 
    
    
      | Constants | 
      
        
          
            
      | Name | Data Type | Value |
      | COMMON_WORKSPACE | VARCHAR2(6) | 'XS' |
      | SCHEMA_ACL | VARCHAR2(13) | 'XS$SCHEMA_ACL' |
      | XSCONNECT | VARCHAR2(9) | 'XSCONNECT' |
      | STRING_MAXLEN | PLS_INTEGER | 4000 |
      | NON_EMPTY_STRING_MINLEN | PLS_INTEGER | 1 |
      | STRING_MINLEN | PLS_INTEGER | 0 |
      | XSNAME_MINLEN | PLS_INTEGER | 1 |
      | XSNAME_MAXLEN | PLS_INTEGER | 130 |
      | PARAMNAME_MINLEN | PLS_INTEGER | 1 |
      | PARAMNAME_MAXLEN | PLS_INTEGER | 128 |
      | XSQNAME_MINLEN | PLS_INTEGER | 1 |
      | XSQNAME_MAXLEN | PLS_INTEGER | 261 |
      | EXTERNAL_NAME_MINLEN | PLS_INTEGER | 1 |
      | EXTERNAL_NAME_MAXLEN | PLS_INTEGER | 130 |
      | WORKSPACE_MINLEN | PLS_INTEGER | 1 |
      | WORKSPACE_MAXLEN | PLS_INTEGER | 128 |
      | DBNAME_MINLEN | PLS_INTEGER | 1 |
      | DBNAME_MAXLEN | PLS_INTEGER | 130 |
      | OBJTYPE_PRINCIPAL | PLS_INTEGER | 1 |
      | OBJTYPE_SECURITY_CLASS | PLS_INTEGER | 2 |
      | OBJTYPE_ACL | PLS_INTEGER | 3 |
      | OBJTYPE_PRIVILEGE | PLS_INTEGER | 4 |
      | OBJTYPE_DATA_SECURITY | PLS_INTEGER | 5 |
      | OBJTYPE_ROLESET | PLS_INTEGER | 6 |
      | OBJTYPE_NSTEMPL | PLS_INTEGER | 7 |
      | OBJTYPE_SYSOP | PLS_INTEGER | 101 |
      | OBJTYPE_ADMOP | PLS_INTEGER | 102 |
      | OBJTYPE_APPLY_POLICY | PLS_INTEGER | 103 |
      | OBJTYPE_GRANTOP | PLS_INTEGER | 104 |
      | OBJTYPE_REVOKEOP | PLS_INTEGER | 105 |
      | OBJTYPE_SET_POLICY | PLS_INTEGER | 106 |
      | Delete Options |
      | DEFAULT_OPTION | PLS_INTEGER | 1 |
      | CASCADE_OPTION | PLS_INTEGER | 2 |
      | ALLOW_INCONSISTENCIES_OPTION | PLS_INTEGER | 3 |
      | Specify if an object exists in the base table or not |
      | STATUS_NOT_EXISTS | PLS_INTEGER | 0 |
      | STATUS_EXISTS | PLS_INTEGER | 1 |
      | Principal Type Definition |
      | PTYPE_XS | PLS_INTEGER | 1 |
      | PTYPE_DB | PLS_INTEGER | 2 |
      | PTYPE_DN | PLS_INTEGER | 3 |
      | PTYPE_EXTERNAL | PLS_INTEGER | 4 |
             
             | 
    
    
      | Data Types | 
      CREATE OR REPLACE TYPE xs$list IS VARRAY(1000) OF VARCHAR2(4000); 
       
      CREATE OR REPLACE TYPE xs$name_list IS VARRAY(1000) OF VARCHAR2(261); | 
    
    
      | Dependencies | 
      
        
          
            
      | DBMS_NETWORK_ACL_ADMIN | XS$OBJ | XS_DATA_SECURITY_UTIL_INT |
      | DBMS_RXS_LIB | XS$PRIVILEGE | XS_DIAG |
      | DBMS_SFW_ACL_ADMIN | XS$REALM_CONSTRAINT_TYPE | XS_DIAG_INT |
      | DBMS_STANDARD | XS$ROLE_GRANT_TYPE | XS_NAMESPACE |
      | DBMS_WRR_PROTECTED | XS_ACL | XS_NAMESPACE_INT |
      | DBMS_XDS_INT | XS_ACL_INT | XS_PRINCIPAL |
      | DBMS_XSS_LIB | XS_ADMIN_INT | XS_PRINCIPAL_INT |
      | XS$ACE_TYPE | XS_ADMIN_UTIL_INT | XS_ROLESET |
      | XS$COLUMN_CONSTRAINT_TYPE | XS_DATA_SECURITY | XS_ROLESET_INT |
      | XS$KEY_TYPE | XS_DATA_SECURITY_INT | XS_SECURITY_CLASS |
      | XS$NS_ATTRIBUTE | XS_DATA_SECURITY_UTIL | XS_SECURITY_CLASS_INT |
             
             | 
    
    
      | Documented | 
      Yes: In both the Packages and Types and in the Real Application Security Administrator's & Developer's Guide docs 
       
      Of the 13 objects in this package only GRANT_SYSTEM_PRIVILEGE and REVOKE_SYSTEM_PRIVILEGE are documented. | 
    
    
      | Exceptions | 
      
        
          
            
      | Error Code | Reason |
      | 1031 | ERR_INSUFFICIENT_PRIV |
      | 28222 | ERR_RESERVED_USER |
      | 46025 | ERR_NO_STATIC_RULE |
      | 46055 | ERR_ROLE_NOT_GRANTED |
      | 46076 | ERR_INVALID_LENGTH |
      | 46083 | ERR_SET_PRIN_GUID |
      | 46084 | ERR_DROP_SEEDED_OBJ |
      | 46085 | ERR_NO_PROXY_ROLES |
      | 46096 | ERR_DEFV_FREVNT_COEXIST |
      | 46097 | ERR_NO_ROLESET_ROLE, ERR_NO_GRANTEDROLE_PRIN, ERR_NO_SC_PARENTSC |
      | 46098 | ERR_DUP_PARENT, ERR_DUP_LEAF, ERR_DUP_PRIMARY_KEY, ERR_DUP_ATTR_PRIV_PAIR, ERR_DUP_PROXY, ERR_DUP_ACL_PARAM, ERR_DUP_ROLESET_ROLE, ERR_DUP_POLICY_PARAM, ERR_DUP_NS_ATTR |
      | 46099 | ERR_FEATURE_NOT_SUPPORTED |
      | 46101 | ERR_AGGR_CYCLE |
      | 46103 | ERR_SECCLS_CYCLE |
      | 46116 | ERR_ACL_REFERREDBY_NSTEMPLATE |
      | 46117 | ERR_ACL_REFERREDBY_PRINCIPLAL |
      | 46118 | ERR_ACL_SCHEMA_NOT_SYS |
      | 46119 | ERR_ACL_IS_NULL |
      | 46152 | ERR_INVALID_VALUE |
      | 46202 | ERR_NO_HANDLER_FUNC |
      | 46211 | ERR_INVALID_ENTITY_LENGTH |
      | 46212 | ERR_DUP_NAME |
      | 46214 | ERR_OBJ_REFERRED |
      | 46215 | ERR_INVALID_OBJECT, ERR_NO_OBJ_FOUND |
      | 46230 | ERR_INTERNAL |
      | 46231 | ERR_GRANT_ROLE |
      | 46232 | ERR_ROLE_GRANT_CYCLE |
      | 46233 | ERR_PARENT_ACL_CYCLE |
      | 46235 | ERR_NO_POLICY_PARAMETER |
      | 46236 | ERR_INVALID_POLICY_TYPE |
      | 46237 | ERR_MIDTIER_CACHE |
      | 46238 | ERR_NO_DB_USER_ROLE |
      | 46240 | ERR_PROXY_SCHEMA_EXIST |
      | 46241 | ERR_PROXY_SCHEMA_NOT_EXIST |
      | 46242 | ERR_GRANT_ROLE_XSGUEST |
             
             | 
    
    
      | First Available | 
      12.1 | 
    
    
      | Security Model | 
      Owned by SYS with EXECUTE granted to PUBLIC | 
    
    
      | Source | 
      {ORACLE_HOME}/rdbms/admin/xsutil.sql | 
    
    
      | Subprograms | 
      
         | 
    
    
      |   | 
    
    
      | CHECK_LENGTH | 
    
    
      | Returns an exception if the test string's length is not between the min and max boundaries | 
      xs_admin_util.check_length( 
      str        IN VARCHAR2, 
      min_length IN PLS_INTEGER, 
      max_length IN PLS_INTEGER); | 
    
    
      SQL> exec xs_admin_util.check_length('TEST', 1, 10); 
       
      PL/SQL procedure successfully completed. 
       
      SQL> exec xs_admin_util.check_length('TEST', 7, 10); 
      BEGIN xs_admin_util.check_length('TEST', 7, 10); END; 
       
      * 
      ERROR at line 1: 
      ORA-46076: The specified name length not within valid range. 
      ORA-06512: at "SYS.XS_ADMIN_UTIL", line 70 
      ORA-06512: at "SYS.XS_ADMIN_UTIL", line 54 
      ORA-06512: at line 1 | 
    
    
      |   | 
    
    
      | CHECK_SEEDED | 
    
    
      | Check whether the object is seeded or not, internal use | 
      xs_admin_util.check_seeded(obj_id IN NUMBER); | 
    
    
      -- appears to do precisely nothing 
       
      exec xs_admin_util.check_seeded(18); 
       
      exec xs_admin_util.check_seeded(89999); 
       
      exec xs_admin_util.check_seeded(-1); | 
    
    
      |   | 
    
    
      | DROP_SCHEMA_OBJECTS | 
    
    
      | Drop schema objects under a schema | 
      xs_admin_util.drop_schema_objects(schema_name IN VARCHAR2); 
      PRAGMA SUPPLEMENTAL_LOG_DATA(drop_schema_objects, MANUAL); | 
    
    
      -- appears to do precisely nothing 
       
      CREATE USER c##zzyzx; 
       
      CREATE TABLE c##zzyzx.test( 
      testcol date); 
       
      exec xs_admin_util.drop_schema_objects('C##ZZYZX'); 
       
      SELECT username 
      FROM dba_users 
      WHERE username LIKE 'C##%'; 
       
      USERNAME 
      --------- 
      C##OE 
      C##SH 
      C##ZZYZX | 
    
    
      |   | 
    
    
      | GET_DEFAULT_WORKSPACE | 
    
    
      | Returns the name of the default RAS workspace | 
      xs_admin_util.get_default_workspace RETURN VARCHAR2; | 
    
    
      SELECT xs_admin_util.get_default_workspace 
      FROM dual; | 
    
    
      |   | 
    
    
      | GET_OBJECT_ID | 
    
    
      | Called by ADMIN APIs, for internal use only. Returns the object ID | 
      xs_admin_util.get_object_id( 
      obj_name    IN VARCHAR2, 
      obj_type    IN PLS_INTEGER, 
      workspace   IN VARCHAR2, 
      status_flag IN PLS_INTEGER := NULL) 
      RETURN NUMBER; | 
    
    
      | TBD | 
    
    
      |   | 
    
    
      | GRANT_SYSTEM_PRIVILEGE | 
    
    
      | Grant system privilege to a user/role | 
      xs_admin_util.grant_system_privilege( 
      priv_name IN VARCHAR2, 
      user_name IN VARCHAR2, 
      user_type IN PLS_INTEGER := xs_admin_util.ptype_db, 
      schema    IN VARCHAR2    := NULL); 
      PRAGMA SUPPLEMENTAL_LOG_DATA(grant_system_privilege, AUTO); | 
    
    
      conn sys@pdbdev as sysdba 
       
      exec xs_admin_util.grant_system_privilege('ADMINISTER_SESSION', 'UWCLASS'); | 
    
    
      |   | 
    
    
      | RAISE_ERROR | 
    
    
      | Raises a RAS application error | 
      xs_admin_util.raise_error( 
      error_number IN PLS_INTEGER, 
      error_str1   IN VARCHAR2 DEFAULT NULL, 
      error_str2   IN VARCHAR2 DEFAULT NULL, 
      keep_stack   IN BOOLEAN  DEFAULT TRUE); | 
    
    
      exec xs_admin_util.raise_error(-600, 'Just What We Need'); 
      BEGIN xs_admin_util.raise_error(-600, 'Just What We Need'); END; 
      * 
      ERROR at line 1: 
      ORA-46095: Invalid error code supplied 
      ORA-06512: at "SYS.XS_ADMIN_UTIL", line 70 
      ORA-06512: at line 1 
       
      SQL> exec xs_admin_util.raise_error(46084, 'Just What We Need'); 
      BEGIN xs_admin_util.raise_error(46084, 'Just What We Need'); END; 
      * 
      ERROR at line 1: 
      ORA-46084: cannot update or delete system-seeded XS objects. 
      ORA-06512: at "SYS.XS_ADMIN_UTIL", line 70 
      ORA-06512: at line 1 | 
    
    
      |   | 
    
    
      | REMOVE_DBUSER_ACES | 
    
    
      | Revoke system privilege from a user/role with RAS privs | 
      xs_admin_util.remove_dbuser_aces(user_name IN VARCHAR2); | 
    
    
      exec xs_admin_util.remove_dbuser_aces('UWCLASS'); | 
    
    
      |   | 
    
    
      | REVOKE_SYSTEM_PRIVILEGE | 
    
    
      Revoke System privilege from a user/role 
       
      See the Related Queries at the bottom of this page for a list of relevant 
      XS system privileges | 
      xs_admin_util.revoke_system_privilege( 
      priv_name IN VARCHAR2, 
      user_name IN VARCHAR2, 
      user_type IN PLS_INTEGER := xs_admin_util.ptype_db, 
      schema    IN VARCHAR2    := NULL); 
      PRAGMA SUPPLEMENTAL_LOG_DATA(revoke_system_privilege, AUTO); | 
    
    
      conn sys@pdbdev as sysdba 
       
      exec xs_admin_util.revoke_system_privilege('ADMINISTER_SESSION', 'UWCLASS'); 
       
      exec xs_admin_util.revoke_system_privilege('TERMINATE_SESSION', 'PUBLIC'); | 
    
    
      |   | 
    
    
      | SET_DEFAULT_WORKSPACE | 
    
    
      | Sets the default workspace name | 
      xs_admin_util.set_default_workspace(workspace IN VARCHAR2); | 
    
    
      exec xs_admin_util.set_default_workspace('XS'); | 
    
    
      |   | 
    
    
      | VALIDATE_DB_OBJECT_NAME | 
    
    
      | Validate DB object name. Internal use only. | 
      xs_admin_util.validate_db_object_name( 
      input_name  IN  VARCHAR2, 
      object_name OUT VARCHAR2, 
      error_msg   IN  VARCHAR2 DEFAULT NULL); | 
    
    
      DECLARE 
       outVal VARCHAR2(30); 
      BEGIN 
        xs_admin_util.validate_db_object_name('N0n Sense', outVal, 'ReadTheDocs'); 
        dbms_output.put_line(outVal); 
      END; 
      / 
      DECLARE 
      * 
      ERROR at line 1: 
      ORA-28104: input value for ReadTheDocs is not valid 
      ORA-06512: at "SYS.XS_ADMIN_UTIL", line 163 
      ORA-06512: at line 4 
       
      DECLARE 
       outVal VARCHAR2(30); 
      BEGIN 
        xs_admin_util.validate_db_object_name('N0nSense', outVal); 
        dbms_output.put_line(outVal); 
      END; 
      / 
      N0NSENSE | 
    
    
      |   | 
    
    
      | VALIDATE_DB_USER | 
    
    
      | Validate DB user/schema. Internal use | 
      xs_admin_util.validate_db_user( 
      input_name IN VARCHAR2, 
      error_msg  IN VARCHAR2 DEFAULT NULL); | 
    
    
      exec xs_admin_util.validate_db_user('N0nSense', 'Bad Choice') 
      BEGIN xs_admin_util.validate_db_user('N0nSense', 'Bad Choice'); END; 
      * 
      ERROR at line 1: 
      ORA-28104: input value for Bad Choice is not valid 
      ORA-06512: at "SYS.XS_ADMIN_UTIL", line 185 
      ORA-06512: at line 1 | 
    
    
      |   | 
    
    
      | XSNAME_TO_ID | 
    
    
      | Utility Function: XS name to ID | 
      xs_admin_util.xsname_to_id( 
      obj_name IN VARCHAR2, 
      obj_type IN PLS_INTEGER) 
      RETURN NUMBER; | 
    
    
      SELECT owner, name 
      FROM dba_xs_objects 
      WHERE rownum = 1; 
       
      OWNER  NAME 
      ------ ------------------- 
      SYS    ADMINISTER_SESSION 
       
      SELECT xs_admin_util.xsname_to_id('ADMINISTER_SESSION', 1) 
      FROM dual; | 
    
    
      |   | 
    
    
      | Related Queries | 
    
    
      | List of XS System Privileges | 
      SELECT name 
      FROM xs$obj 
      WHERE type = 4 
      ORDER BY 1; 
       
      NAME 
      ---------------------- 
      ADMINISTER_SESSION 
      ADMIN_ANY_NAMESPACE 
      ADMIN_ANY_SEC_POLICY 
      ADMIN_NAMESPACE 
      ADMIN_SEC_POLICY 
      ALL 
      APPLY_SEC_POLICY 
      ASSIGN_USER 
      ATTACH_SESSION 
      CALLBACK 
      CONNECT 
      CREATE_SESSION 
      CREATE_TRUSTED_SESSION 
      DELETE 
      HTTP 
      HTTP_PROXY 
      INSERT 
      JDWP 
      MODIFY_ATTRIBUTE 
      MODIFY_NAMESPACE 
      MODIFY_SESSION 
      PDBPROD 
      PROVISION 
      RESOLVE 
      SELECT 
      SET_DYNAMIC_ROLES 
      SMTP 
      TERMINATE_SESSION 
      UPDATE 
      UPDATE_INFO 
      USE_CLIENT_CERTIFICATES 
      USE_PASSWORDS 
      VIEW_SENSITIVE_INFO |