MS_MAPFILE=/var/www/html/theDir/theFile.map
export MS_MAPFILE
QUERY_STRING="map=${MS_MAPFILE}&zoomdir=0&zoomsize=2&layer=counties&layer=states&..." /var/www/cgi-bin/mapserv


it accesses the mapfile in /theDir/, and /theDir is supposed to be password protected now by Apache.

Correct. But the browser is not calling /theDir/ as a URL. The browser is calling /cgi-bin/wrapper.cgi

Therefore, Apache will only apply security for /cgi-bin/ to the request. After the request has been approved (since cgi-bin is not protected) Apache pays no attention at all to what the program DOES, including accessing file paths.

But if I steer my browser to that directory and try to access the mapfile directly, I get challenged to produce a password before I can access any file in that directory.

Exactly right. Apache matches the URL or directory that the BROWSER requested, and in this case the browser was in fact trying to access /theDir/


So can anybody explain what I need to do to secure a Mapserver WMS site or can you point me to a "HOW TO" document that explains things?

Sure.

Remove MapServer from cgi-bin and place it somewhere where it will not be directly accessible from the web -- for example /usr/local/bin/mapserv.

Modify your wrapper.cgi to use the new path to mapserv

Then password-protect the directory which contains wrapper.cgi

The result will be that one can only access MapServer through wrapper.cgi, and that wrapper.cgi will be password protected. If you're the only one using MapServer and only to serve "protected" layers, this should be just what you need.


are there any other possible security surprises that I probably don't know about? I'd like to get these information leaks plugged up.

As far as MapServer bugs, nope. This one isn't even an Apache bug; it's the way Apache works and is documented to work, just misunderstood. But following the above (password-protect cgi-bin and move mapserv out of it) will get past this surprise.

--
HostGIS, Open Source solutions for the global GIS community
Greg Allensworth - SysAdmin, Programmer, GIS Person, Security
Network+   Server+   A+   Security+
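The layout the reply describes (mapserv moved out of cgi-bin, a password-protected wrapper.cgi as the only entry point), written out as an added example rather than code from the thread. The script is a hypothetical wrapper.cgi; it assumes mapserv now lives at /usr/local/bin/mapserv, keeps the mapfile path from the thread, and goes one step beyond the post by discarding any client-supplied map= parameter so the mapfile choice always stays on the server side. The Apache directives in the trailing comment are the usual Basic-auth block for the wrapper's directory and are likewise an assumption about your httpd.conf, not configuration quoted from the thread.

```shell
#!/bin/sh
# Hypothetical wrapper.cgi (added example, not from the mailing list thread).
# Assumes: mapserv has been moved outside the web root to /usr/local/bin/mapserv,
# and the directory holding this script is password-protected by Apache.
MS_MAPFILE=/var/www/html/theDir/theFile.map   # mapfile path used in the thread
MAPSERV=/usr/local/bin/mapserv                # new, non-web-accessible location

# Rebuild the query string handed to mapserv: keep the client's parameters but
# drop any client-supplied map= so only the server-side mapfile is ever used.
#   $1: raw QUERY_STRING from the client   $2: mapfile path to force
build_query_string() {
    client="$1"
    out="map=$2"
    old_ifs=$IFS
    IFS='&'
    set -f                      # no pathname expansion on values like "*"
    for kv in $client; do
        case "$kv" in
            ''|map=*) ;;        # skip empty pieces and any map= override
            *) out="$out&$kv" ;;
        esac
    done
    set +f
    IFS=$old_ifs
    printf '%s' "$out"
}

# Step 1 of the reply: mapserv must not sit under a web-served path.
# Returns 0 when the binary is outside /var/www, 1 otherwise.
mapserv_outside_webroot() {
    case "$1" in
        /var/www/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Only act as a CGI when Apache actually invoked us.
if [ -n "$GATEWAY_INTERFACE" ]; then
    if ! mapserv_outside_webroot "$MAPSERV"; then
        printf 'Status: 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\n'
        printf 'mapserv is still reachable from the web; move it first.\n'
        exit 0
    fi
    QUERY_STRING=$(build_query_string "$QUERY_STRING" "$MS_MAPFILE")
    export QUERY_STRING MS_MAPFILE
    exec "$MAPSERV"
fi

# Assumed httpd.conf fragment protecting the wrapper's directory (step 3):
#   <Directory "/var/www/cgi-bin">
#       AuthType Basic
#       AuthName "MapServer"
#       AuthUserFile /etc/httpd/mapserver.htpasswd
#       Require valid-user
#   </Directory>
```

With this in place a request to /cgi-bin/wrapper.cgi is challenged by Apache before the script runs, and a direct request for /cgi-bin/mapserv no longer resolves at all because the binary is gone from there; the map= filter is a defensive extra so that even an authenticated client cannot point mapserv at some other mapfile.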