[mapserver-users] Mapserver Security

Andy Colson andy at squeakycode.net
Tue Jul 28 12:54:55 EDT 2009 

Bill Thoen wrote:
> I have some questions about securing a MapServer WMS. From the googlits 
> I've gathered it seems that the easy way is to use Basic Authentication 
> if you have Apache. I do have that on my Linux-based server, so I sealed 
> off the directory in which I have my mapfile and web template. And so 
> far so good. If a browser attempts to access that directory it is 
> challenged to produce a valid username/password.
> 
> However, in my CGI directory, I have a wrapper set up for this directory 
> that looks something like this:
> 
> MS_MAPFILE=/var/www/html/theDir/theFile.map
> export MS_MAPFILE
> QUERY_STRING="map=${MS_MAPFILE}&zoomdir=0&zoomsize=2&layer=counties&layer=states&... 
> 
> /var/www/cgi-bin/mapserv
> 
> It works fine, but I don't know why it works because it accesses the 
> mapfile in /theDir/, and /theDir is supposed to be password protected 
> now by Apache. To make sure that I didn't already have a valid user in 
> my browser, I shut it down and then tried again. When I ran that wrapper 
> it picked up its info from the mapfile and then happily drew the map 
> using the web template file that's also in that "protected" directory. 
> It's as if there was no security at all!
> 
> But if I steer my browser to that directory and try to access the 
> mapfile directly, I get challenged to produce a password before I can 
> access any file in that directory.
> 
> I also just discovered another issue that should have been  obvious but 
> I didn't realize the implications until now. That is, if someone just 
> tries a getCapabilities and gets a list of what's on my server, then 
> they can view those layers via calls to getMap regardless of whether my 
> map file is in a protected directory or not. But I thought they had to 
> read the map file for getCapabilities to work, and yet on my system, the 
> map files in protected directories seem to be just as friendly to 
> strangers as the mapfiles in my public directories.
> 
> So can anybody explain what I need to do to secure a Mapserver WMS site 
> or can you point me to a "HOW TO" document that explains things? Also, 
> are there any  other possible security surprises that I probably don't 
> know about? I'd like to get these information leaks plugged up.
> 
> Thanks in  advance,
> - Bill Thoen
> 
> _______________________________________________
> mapserver-users mailing list
> mapserver-users at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/mapserver-users

Without reading/answering all your questions:

apache security protects apache paths, so /xyz is protected because you 
put access rights on /xyz.

you didnt put access rights on /cgi-bin, so /cgi-bin is not protected. 
A cgi program (mapserv in this case) does not know anything about apache 
security, so it can access any path it wants.  Apache also has no 
control over cgi programs, so it cannot stop mapserv from acccessiinng 
(sp?) any path it wants.

-Andy

More information about the mapserver-users mailing list