[UNCLASSIFIED] RE: [UMN_MAPSERVER-USERS] Security issue

Antti Roppola Antti.Roppola at BRS.GOV.AU
Tue Mar 7 23:27:37 EST 2006


Hi James,
 
Some options:
 
Make sure the embedded accounts only have select against the tables that they
need. Create a client account with the minimum privileges required to function.
 
Configure your webserver to not allow users to access map files, for Apache
you could either set up a server wide directive to disallow "\.map$", or put all
your map files in a directory outside the webroot or one that uses .htaccess
to deny HTTP access (Mapserver will read them via the filesystem).
 
Use Mapscript to dynamically create connection values from elsewhere at call time.
 
Depending on your environment, it's not a whole lot different to how a lot of server side
scripting environments already handle database connectivity:
    http://mavweb.net/asp-samples/database-connection-strings.asp
(no-one has wobblies about .asp or .cfm pages containing connect strings)
 
Also, if your DB is configured to only allow local connections, by the stage someone
can actually use the purloined details they probably own your host system anyway.
 
Regards,
 
Antti
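As an added example (not part of either message), a small Python check that audits mapfiles for the first problem the thread raises: a CONNECTION tag carrying an Oracle-style user/pw@instance string in the flat file. The sample mapfile is constructed; the regexes assume the standard mapfile syntax of `CONNECTION "..."` inside a LAYER block.

```python
"""Find MapServer mapfiles that embed Oracle credentials in CONNECTION tags."""
import re
from pathlib import Path

# Mapfile syntax: a LAYER block may carry  CONNECTION "user/pw@instance"
CONNECTION_RE = re.compile(r'^\s*CONNECTION\s+"([^"]*)"', re.IGNORECASE | re.MULTILINE)
# Oracle connect-string shape used by the oraclespatial driver: user/password@instance
ORACLE_CREDS_RE = re.compile(r"^[^/@\s]+/[^@\s]+@\S+$")

# Constructed sample: one Oracle layer with embedded credentials, one PostGIS layer without.
SAMPLE_MAPFILE = """MAP
  NAME "roads_service"
  LAYER
    NAME "roads"
    CONNECTIONTYPE oraclespatial
    CONNECTION "gisuser/S3cret@PRODDB"
    DATA "GEOM FROM ROADS USING SRID 8307"
  END
  LAYER
    NAME "parcels"
    CONNECTIONTYPE postgis
    CONNECTION "host=localhost dbname=gis user=ro"
  END
END
"""


def find_embedded_credentials(mapfile_text):
    """Return (line_number, connection_value) for every Oracle-style CONNECTION."""
    hits = []
    for m in CONNECTION_RE.finditer(mapfile_text):
        value = m.group(1)
        if ORACLE_CREDS_RE.match(value):
            line_no = mapfile_text.count("\n", 0, m.start()) + 1
            hits.append((line_no, value))
    return hits


def redact(value):
    """Mask the password part of user/pw@instance so findings can be logged safely."""
    user, rest = value.split("/", 1)
    _, instance = rest.split("@", 1)
    return f"{user}/****@{instance}"


def audit_mapfiles(root):
    """Walk a directory tree and report redacted findings per *.map file."""
    report = {}
    for path in Path(root).rglob("*.map"):
        hits = find_embedded_credentials(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = [(n, redact(v)) for n, v in hits]
    return report
```

Run `audit_mapfiles("/path/to/mapfiles")` against the directory the web server serves to get a per-file list of the lines that need to move to a least-privilege account and out of the flat file.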
 

   _____  

From: UMN MapServer Users List [mailto:MAPSERVER-USERS at LISTS.UMN.EDU] On Behalf Of Léveillé, James
Sent: Wednesday, 8 March 2006 7:26 AM
To: MAPSERVER-USERS at LISTS.UMN.EDU
Subject: [UMN_MAPSERVER-USERS] Security issue


Hi all,
 
I've been using MapServer for a few weeks (on a "development" server).
I now have to set it up on a "production" server.
 
My problem is the CONNECTION tag in the MapFile (Oracle).
Guys from the IT really don't like to see the connection string in the flat file ...
 
What are the different solutions I have ?
Can the user/pw at instance string be encrypted on the server side ?
 
Regards
 
__________________________________________
James Léveillé
 
Intélec Géomatique
420, boul. Charest Est
Bureau 400
Québec (QC), Canada
G1K 8M4
 

---------------------------------------------------------------------- 
IMPORTANT - This message has been issued by The Department of Agriculture, Fisheries and Forestry (DAFF).  The information transmitted is for the use of the intended recipient only and may contain confidential and/or legally privileged material.  It is your responsibility to check any attachments for viruses and defects before opening or sending them on.  
Any reproduction, publication, communication, re-transmission, disclosure, dissemination or other use of the information contained in this e-mail by persons or entities other than the intended recipient is prohibited.  The taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited.  If you have received this e-mail in error please notify the sender and delete all copies of this transmission together with any attachments.  If you have received this e-mail as part of a valid mailing list and no longer want to receive a message such as this one advise the sender by return e-mail accordingly.  Only e-mail correspondence which includes this footer, has been authorised by DAFF 
----------------------------------------------------------------------