[mapserver-users] Mapserver Security

Bill Thoen bthoen at gisnet.com
Tue Jul 28 12:47:27 EDT 2009 

I have some questions about securing a MapServer WMS. From the googlits 
I've gathered it seems that the easy way is to use Basic Authentication 
if you have Apache. I do have that on my Linux-based server, so I sealed 
off the directory in which I have my mapfile and web template. And so 
far so good. If a browser attempts to access that directory it is 
challenged to produce a valid username/password.

However, in my CGI directory, I have a wrapper set up for this directory 
that looks something like this:

MS_MAPFILE=/var/www/html/theDir/theFile.map
export MS_MAPFILE
QUERY_STRING="map=${MS_MAPFILE}&zoomdir=0&zoomsize=2&layer=counties&layer=states&...
/var/www/cgi-bin/mapserv

It works fine, but I don't know why it works because it accesses the 
mapfile in /theDir/, and /theDir is supposed to be password protected 
now by Apache. To make sure that I didn't already have a valid user in 
my browser, I shut it down and then tried again. When I ran that wrapper 
it picked up its info from the mapfile and then happily drew the map 
using the web template file that's also in that "protected" directory. 
It's as if there was no security at all!

But if I steer my browser to that directory and try to access the 
mapfile directly, I get challenged to produce a password before I can 
access any file in that directory.

I also just discovered another issue that should have been  obvious but 
I didn't realize the implications until now. That is, if someone just 
tries a getCapabilities and gets a list of what's on my server, then 
they can view those layers via calls to getMap regardless of whether my 
map file is in a protected directory or not. But I thought they had to 
read the map file for getCapabilities to work, and yet on my system, the 
map files in protected directories seem to be just as friendly to 
strangers as the mapfiles in my public directories.

So can anybody explain what I need to do to secure a Mapserver WMS site 
or can you point me to a "HOW TO" document that explains things? Also, 
are there any  other possible security surprises that I probably don't 
know about? I'd like to get these information leaks plugged up.

Thanks in  advance,
- Bill Thoen

More information about the mapserver-users mailing list