[mapserver-users] Mapserver Security

[Steve Lime]

Others may have different ideas but it seems to me you'll need to secure the wms binary 
rather than a directory. (I wouldn't store mapfiles and templates in a web accessible location
anyway.) There are probably many ways to do this. One idea might be to have separate
WMS binaries, one for password-protected stuff and another for public stuff, call 'em 
wms1 and wms2. Latest versions of MapServer allow you to set an env variable called
MS_MAPFILE_PATTERN. This is used as a regex test against the requested mapfile and can
help restrict what can be loaded. It's not fool proof but is a good start. You could set that
variable conditionally based on what binary (wms1 or wms2) is requested (see mod_setenvif).
You'd apply password protection against the wms1 in this case.

You can go further and not allow full path mapfiles at all. (see MS_MAP_NO_PATH in this
document: http://trac.osgeo.org/mapserver/wiki/EnvironmentVariables). In this case
you'd set:

  SetEnv MS_MAP_NO_PATH 1
  SetEnv WMS1_MAPFILE 'some path'
  SetEnv WMS2_MAPFILE 'some other path'

and users could only use WMS1_MAPFILE or WMS2_MAPFILE in WMS calls (or CGI calls for that 
matter). You might even be able to secure one wms binary based on the mapfile requested. That
is, any URL request with WMS1_MAPFILE requires basic authentication.

Steve

>>> On 7/28/2009 at 11:47 AM, in message <4A6F2B9F.8060405 at gisnet.com>, Bill Thoen
<bthoen at gisnet.com> wrote:
> I have some questions about securing a MapServer WMS. From the googlits 
> I've gathered it seems that the easy way is to use Basic Authentication 
> if you have Apache. I do have that on my Linux-based server, so I sealed 
> off the directory in which I have my mapfile and web template. And so 
> far so good. If a browser attempts to access that directory it is 
> challenged to produce a valid username/password.
> 
> However, in my CGI directory, I have a wrapper set up for this directory 
> that looks something like this:
> 
> MS_MAPFILE=/var/www/html/theDir/theFile.map
> export MS_MAPFILE
> QUERY_STRING="map=${MS_MAPFILE}&zoomdir=0&zoomsize=2&layer=counties&layer=states&
> ...
> /var/www/cgi-bin/mapserv
> 
> It works fine, but I don't know why it works because it accesses the 
> mapfile in /theDir/, and /theDir is supposed to be password protected 
> now by Apache. To make sure that I didn't already have a valid user in 
> my browser, I shut it down and then tried again. When I ran that wrapper 
> it picked up its info from the mapfile and then happily drew the map 
> using the web template file that's also in that "protected" directory. 
> It's as if there was no security at all!
> 
> But if I steer my browser to that directory and try to access the 
> mapfile directly, I get challenged to produce a password before I can 
> access any file in that directory.
> 
> I also just discovered another issue that should have been  obvious but 
> I didn't realize the implications until now. That is, if someone just 
> tries a getCapabilities and gets a list of what's on my server, then 
> they can view those layers via calls to getMap regardless of whether my 
> map file is in a protected directory or not. But I thought they had to 
> read the map file for getCapabilities to work, and yet on my system, the 
> map files in protected directories seem to be just as friendly to 
> strangers as the mapfiles in my public directories.
> 
> So can anybody explain what I need to do to secure a Mapserver WMS site 
> or can you point me to a "HOW TO" document that explains things? Also, 
> are there any  other possible security surprises that I probably don't 
> know about? I'd like to get these information leaks plugged up.
> 
> Thanks in  advance,
> - Bill Thoen
> 
> _______________________________________________
> mapserver-users mailing list
> mapserver-users at lists.osgeo.org 
> http://lists.osgeo.org/mailman/listinfo/mapserver-users