ORA-31001: Invalid resource handle or path name “/sys/acls/myacl.xml”

So this happens when you try to add a privilege to an ACL that does not exist:

SQL> EXEC DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE ('myacl.xml', 'SIMON', true, 'connect');
BEGIN DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE ('myacl.xml', 'SIMON', true, 'connect'); END;

ERROR at line 1: ORA-31001: Invalid resource handle or path name "/sys/acls/myacl.xml" ORA-06512: at "SYS.DBMS_NETWORK_ACL_ADMIN", line 384 ORA-06512: at line 1

Oracle Database 11g introduced fine-grained access control to external network services using Access Control Lists (ACLs). This basically allows you to take control over which users access which network resources, regardless of package grants.

In the Oracle Database Security Guide, Oracle notes:

This feature enhances security for network connections because it restricts the external network hosts that a database user can connect to using the PL/SQL network utility packages such as UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP, and UTL_INADDR. Otherwise, an intruder who gained access to the database could maliciously attack the network, because, by default, the PL/SQL utility packages are created with the EXECUTE privilege granted to PUBLIC users.

So how to fix ORA-31001?

So why did you get an ORA-31001 error? The reason for this error is that the ACL you try to modify does not yet exist. To create such an ACL, use the DBMS_NETWORK_ACL_ADMIN package and call the CREATE_ACL procedure:

BEGIN
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL (
    acl => 'myacl.xml',
    description => 'Network Access Control for SIMON',
    principal => 'SIMON',
    is_grant => TRUE,
    privilege => 'connect');
END;
/

You can then check what ACLs you have already defined for your database using the following query:

SELECT any_path FROM resource_view WHERE any_path like '/sys/acls/%.xml';

Since security is often a complicated matter, please make sure to read through the Oracle documentation before making any changes. You don’t want to have someone messing around with your database just because you mistakenly assigned a privilege to an unsecured schema owwner!

Hello world

My name is Simon Krenger, I am a Technical Account Manager (TAM) at Red Hat. I advise our customers in using Kubernetes, Containers, Linux and Open Source.

Elsewhere

  1. GitHub
  2. LinkedIn
  3. GitLab