Re: Network ACL or not

From: Seth Miller <sethmiller.sm_at_gmail.com>
Date: Thu, 10 Jul 2014 13:27:29 -0500
Message-ID: <CAEueRAUTB=m9e0Sex3HSXSZnX5MjB7K9h3So0ekc+kx_4=xm5A_at_mail.gmail.com>



*"You have to grant access to the specific procedures that access the network in any case (eg, utl_mail), so adding the additional level of required privilege is simply annoying."*

Not according to the documentation.

*"This feature enhances security for network connections because it restricts the external network hosts that a database user can connect to using the PL/SQL network utility
packages UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP, and UTL_INADDR, the DBMS_LDAP PL/SQL package, and the HttpUriType type. Otherwise, an intruder who gained access to the database could maliciously attack the network, because, by default, the PL/SQL utility packages are created with the EXECUTE privilege granted to PUBLIC users."*

Seth

On Wed, Jul 9, 2014 at 8:45 AM, Andrew Kerber <andrew.kerber_at_gmail.com> wrote:

> Shameless plug, some time ago I wrote a trigger to add users to the
> network acl when they were granted execute to utl_mail. Link below, some
> may find it useful:
>
> http://dbakerber.wordpress.com/2013/06/28/update-to-utl_mail-trigger/
>
>
> On Wed, Jul 9, 2014 at 2:20 AM, Tim Hall <tim_at_oracle-base.com> wrote:
>
>> I think it's actually a neat feature.
>>
>> - As Don Seiler says, it gives you an element of control over what the
>> database is connecting to. It is good to know and understand the interfaces
>> that are being used.
>>
>> - When the developers ask for something to be opened, it gives you the
>> opportunity to discuss their approach to make sure it makes sense. On
>> numerous occasions, once I probed a little, I've found they are using a
>> totally inappropriate solution. If they had not had to initiate the
>> contact, we would have implemented sh*t. :)
>>
>> I never do a blanket open all ACL (except on my play VMs).
>>
>> Cheers
>>
>> Tim...
>>
>
>
>
> --
> Andrew W. Kerber
>
> 'If at first you don't succeed, don't take up skydiving.'
>
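The two settings the thread contrasts, a blanket open-all ACL beside a scoped one, as an added example that is not code from any of the posters, from the linked trigger, or from Oracle's documentation. It assumes Oracle 12c or later (the APPEND_HOST_ACE / REMOVE_HOST_ACE entry points of DBMS_NETWORK_ACL_ADMIN), a database user APP_USER that owns the mailing code, and an SMTP relay at smtp.example.com on port 25; all three names are placeholders.

```sql
-- Added example, not from the thread or from Oracle's docs. Assumes Oracle
-- 12c+, a user APP_USER and an SMTP relay smtp.example.com:25 (all assumed).
-- Run as SYS or as a user with EXECUTE on DBMS_NETWORK_ACL_ADMIN.

-- Weak setting: a single ACE that opens every host and every port to every
-- database user. Because UTL_TCP/UTL_HTTP are executable by PUBLIC out of
-- the box, any account that can log in could then reach whatever the
-- database server can reach. Shown only so it can be removed again below.
DECLARE
  open_all XS$ACE_TYPE := XS$ACE_TYPE(
    privilege_list => XS$NAME_LIST('connect', 'resolve'),
    principal_name => 'PUBLIC',
    principal_type => XS_ACL.PTYPE_DB);
BEGIN
  DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(host => '*', ace => open_all);

  -- Undo it: the same ACE on the same host, dropping the ACL if now empty.
  DBMS_NETWORK_ACL_ADMIN.REMOVE_HOST_ACE(host             => '*',
                                         ace              => open_all,
                                         remove_empty_acl => TRUE);
END;
/

-- Corrected setting: APP_USER (principal names are case-sensitive, so match
-- the DBA_USERS spelling) may open TCP connections only to the relay on
-- port 25. 'connect' is what UTL_SMTP/UTL_MAIL need; 'resolve' (UTL_INADDR
-- lookups) is deliberately left out because the mail code does not need it.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
    host       => 'smtp.example.com',
    lower_port => 25,
    upper_port => 25,
    ace        => XS$ACE_TYPE(
      privilege_list => XS$NAME_LIST('connect'),
      principal_name => 'APP_USER',
      principal_type => XS_ACL.PTYPE_DB));
END;
/

-- Check: list every host ACE in the database. A row with HOST = '*' and
-- PRINCIPAL = 'PUBLIC' is the blanket open; after the steps above only the
-- scoped APP_USER row for smtp.example.com should be present.
SELECT host, lower_port, upper_port, principal, privilege, grant_type
  FROM dba_host_aces
 ORDER BY host, lower_port, principal;
```

On 11g the same result is reached with CREATE_ACL, ADD_PRIVILEGE and ASSIGN_ACL instead of APPEND_HOST_ACE, and the verification view is DBA_NETWORK_ACLS joined to DBA_NETWORK_ACL_PRIVILEGES. Either way the query at the end is the useful recurring check: anything with a '*' host or a PUBLIC principal is the "open all" case the thread argues against, and the rest is the list of interfaces the developers had to come and ask for.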

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Jul 10 2014 - 20:27:29 CEST
