[mapserver-users] Mapserver Security

Gregor at HostGIS gregor at hostgis.com
Tue Jul 28 13:47:21 EDT 2009


> MS_MAPFILE=/var/www/html/theDir/theFile.map
> export MS_MAPFILE
> QUERY_STRING="map=${MS_MAPFILE}&zoomdir=0&zoomsize=2&layer=counties&layer=states&... 
> /var/www/cgi-bin/mapserv


> it accesses the 
> mapfile in /theDir/, and /theDir is supposed to be password protected 
> now by Apache.

Correct. But the browser is not calling /theDir/ as a URL. The browser 
is calling /cgi-bin/wrapper.cgi

Therefore, Apache will only apply security for /cgi-bin/ to the request. 
After the request has been approved (since cgi-bin is not protected) 
Apache pays no attention at all to what the program DOES, including 
accessing file paths.

> But if I steer my browser to that directory and try to access the 
> mapfile directly, I get challenged to produce a password before I can 
> access any file in that directory.

Exactly right. Apache matches the URL or directory that the BROWSER 
requested, and in this case the browser was in fact trying to access 
/theDir/


> So can anybody explain what I need to do to secure a Mapserver WMS site 
> or can you point me to a "HOW TO" document that explains things?

Sure.

Remove MapServer from cgi-bin and place it somewhere where it will not 
be directly accessible from the web -- for example /usr/local/bin/mapserv.

Modify your wrapper.cgi to use the new path to mapserv.

Then password-protect the directory which contains wrapper.cgi.

The result will be that one can only access MapServer through 
wrapper.cgi, and that wrapper.cgi will be password protected. If you're 
the only one using MapServer and only to serve "protected" layers, this 
should be just what you need.


> are there any other possible security surprises that I probably don't 
> know about? I'd like to get these information leaks plugged up.

As far as MapServer bugs, nope. This one isn't even an Apache bug; it's 
the way Apache works and is documented to work, just misunderstood. But 
following the above (password-protect cgi-bin and move mapserv out of 
it) will get past this surprise.

-- 
HostGIS, Open Source solutions for the global GIS community
Greg Allensworth - SysAdmin, Programmer, GIS Person, Security
Network+   Server+   A+   Security+
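The procedure described in the reply above (move mapserv out of cgi-bin, point wrapper.cgi at the new location, then password-protect the directory that holds wrapper.cgi), written out as an added example that is not part of this message or of the MapServer project: a POSIX sh wrapper.cgi, with the Apache directives it relies on shown in its header comment. The paths /usr/local/bin/mapserv and /var/www/html/theDir/theFile.map are the ones named in the thread; the htpasswd location, the helper names, and the decision to drop any client-supplied map= parameter so the wrapper alone chooses the mapfile are this example's own assumptions.

```shell
#!/bin/sh
# wrapper.cgi: the only web-reachable entry point to MapServer.
# Added example (not the poster's script, not MapServer's own code).
#
# Assumptions:
#   - mapserv has been moved to /usr/local/bin/mapserv, outside cgi-bin and
#     outside DocumentRoot, so it cannot be requested directly.
#   - The mapfile is the one discussed in the thread.
#   - Apache protects the directory holding this script. Apache only checks
#     the URL the browser asked for, so the auth block belongs on the
#     wrapper's directory, not on /theDir/ where the mapfile lives:
#
#       <Directory "/var/www/cgi-bin">
#           AuthType Basic
#           AuthName "MapServer"
#           AuthUserFile /etc/httpd/mapserver.htpasswd   # assumed path
#           Require valid-user
#       </Directory>
#
set -euf   # -f: no pathname expansion while we split the query string

MAPSERV_BIN=/usr/local/bin/mapserv
MS_MAPFILE=/var/www/html/theDir/theFile.map

# strip_map_param QUERY
# Drop any client-supplied map=... pair (any case) so the mapfile used is
# always the one fixed above. Defensive choice made in this example.
strip_map_param() {
    out=""
    old_ifs=$IFS
    IFS='&'
    for pair in $1; do
        case "$pair" in
            [Mm][Aa][Pp]=*) ;;                 # dropped
            "") ;;                              # empty field from "&&"
            *) out="${out:+$out&}$pair" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s' "$out"
}

# build_query CLIENT_QUERY
# Return the query string handed to mapserv: our map= first, then whatever
# the client sent minus any map= of its own.
build_query() {
    client=$(strip_map_param "$1")
    printf 'map=%s%s%s' "$MS_MAPFILE" "${client:+&}" "$client"
}

# When invoked by Apache as a CGI, rewrite the query and hand off to mapserv.
# GATEWAY_INTERFACE is set by the web server, so this does not fire when the
# file is sourced or run by hand.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    QUERY_STRING=$(build_query "${QUERY_STRING:-}")
    export MS_MAPFILE QUERY_STRING
    exec "$MAPSERV_BIN"   # stdin (POST body) and stdout pass straight through
fi
```

Install it as /var/www/cgi-bin/wrapper.cgi, make it executable, and confirm two things: a request to /cgi-bin/wrapper.cgi prompts for a password, and a request to /cgi-bin/mapserv returns 404 because the binary is no longer there.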

