[mapserver-users] Mapserver Security [SEC=UNCLASSIFIED]

Bill Thoen bthoen at gisnet.com
Thu Jul 30 11:13:08 EDT 2009


Roppola, Antti - BRS wrote:
> That's because it's not Apache reading the content in the directory.
> Apache is running the CGI and the CGI is accessing the directory
> directly. The CGI is already "behind" the access policy layer.
>
> As the CGI is usually running as the Apache user, it has the same access
> level as the Apache user (i.e. everything that any Apache process can
> see).
>
I think I've got this now, but for a newbie to CGI, this is a subtlety 
that's easy to miss. I was so focused on preventing unauthorized 
browser access (because I kept seeing MapServer in a browser context 
only) that I completely forgot that there are plenty of other vectors into 
the data to consider.

And in this case, even protecting the WMS image of the data is 
important. It would be bad news if an attacker could get to the raw 
data, but it would be just as bad if they got a look at maps made from 
it, too. I like the idea of virtual hosts; I think I'll look more into 
that. 

- Bill Thoen
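The point made in the quoted reply, that the CGI reads data with the web server account's filesystem rights rather than through Apache's access rules, can be checked on disk. The following is an added example, not part of the original post or of MapServer: it lists the files under a data directory that a given uid/gid set could open. The function names and the command-line usage are assumptions made for illustration.

```python
import os
import stat
import sys

def _allowed(st, uid, gids, owner_bit, group_bit, other_bit):
    # POSIX applies exactly one permission class: owner, else group, else other.
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)

def readable_by(root, uid, gids=()):
    """Files under root that a non-root process with this uid/gids could read.

    Mode bits only: ACLs, SELinux and the directories above root are not checked.
    The account running the audit must itself be able to walk the tree.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        st = os.stat(dirpath)
        # Search (x) permission on a directory is enough to open a file whose
        # name is already known, such as a data path written in a mapfile.
        if not _allowed(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            dirnames[:] = []  # nothing below is reachable for this identity
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                fst = os.stat(path)
            except OSError:
                continue  # broken symlink or file removed during the walk
            if stat.S_ISREG(fst.st_mode) and _allowed(
                    fst, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
                hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    # Hypothetical usage: python audit.py DATA_DIR WEB_SERVER_UID [GID ...]
    root, uid, *gids = sys.argv[1:]
    for p in readable_by(root, int(uid), {int(g) for g in gids}):
        print(p)
```

Anything the script prints for the web server's uid is data the CGI can be asked to render or read, regardless of what the Apache directory rules say.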