Additionally, tighten up your PgSQL connection rules: make sure only
your MapServer box can connect to the PostgreSQL instance.
And make sure you don't have a DATAPATTERN set, so that people can't
override your data statement remotely and play SQL injection games.
P
On 22-Dec-06, at 3:47 PM, Bill Thoen wrote:
I've just recently got MapServer going with data from a PostGIS connection
and I'd like to know what the "best practices" are in terms of security.
The problem I see is that you have to put a PostGIS username and password
in your mapfile on the CONNECTION line, which is easily viewed by anyone.
So what I've done is moved my mapfile out of the html directory tree and
am also using a user with read-only privs to the tables I want to display
and access to nothing else. But what do people who know what they're doing
do to ensure that there are no security holes?
TIA,
- Bill Thoen
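
One way to check the reply's first point (only the MapServer box may connect) is to lint pg_hba.conf for TCP rules that admit any other address. This is an added example, not part of the original thread; the sample file, the address 192.0.2.10, and the names gisdb and mapserver_ro are constructed for illustration.

```python
import ipaddress

# Constructed sample pg_hba.conf. 192.0.2.10 stands in for the MapServer box;
# "gisdb" and "mapserver_ro" are hypothetical database and role names.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER          ADDRESS                    METHOD
local   all       postgres                                 peer
host    gisdb     mapserver_ro  192.0.2.10/32              md5
host    gisdb     mapserver_ro  192.0.2.0/24               md5
host    all       all           0.0.0.0/0                  md5
host    gisdb     all           10.1.2.3 255.255.255.255   trust
host    gisdb     mapserver_ro  samenet                    md5
host    all       all           0.0.0.0/0                  reject
"""

def audit_hba(text, allowed_hosts):
    """Return [(line_no, reason)] for TCP rules that admit more than allowed_hosts."""
    allowed = {ipaddress.ip_address(h) for h in allowed_hosts}
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f or not f[0].startswith("host"):
            continue                      # blank, comment, or Unix-socket rule
        if len(f) < 5:
            findings.append((no, "malformed rule"))
            continue
        addr, method = f[3], f[4]
        if len(f) >= 6 and "/" not in addr and method[0].isdigit():
            addr, method = f"{addr}/{f[4]}", f[5]   # old IPv4 "IP NETMASK" form
        if method == "reject":
            continue                      # explicit deny, nothing admitted
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            findings.append((no, f"'{addr}' is a keyword or hostname, not a fixed IP"))
            continue
        if net.num_addresses > 1:
            findings.append((no, f"{net} admits {net.num_addresses} addresses"))
        elif net.network_address not in allowed:
            findings.append((no, f"{net.network_address} is not the MapServer host"))
        elif method == "trust":
            findings.append((no, "trust method skips the password check"))
    return findings

if __name__ == "__main__":
    for no, reason in audit_hba(SAMPLE_HBA, ["192.0.2.10"]):
        print(f"line {no}: {reason}")
```

Each rule is checked on its own, so the result is conservative: a flagged rule may be shadowed by an earlier matching rule, since PostgreSQL uses the first match.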