Re: [Mapbender-users] Secure a WMS

Hr. Johannes Loose loose at lwf.uni-muenchen.de
Wed Dec 3 08:23:44 EST 2008


Hello Ronald,

Thanks again for your answer. The first part is correct, as long as the webserver uses the 
same user / group for all sites. However, there is a possibility to tell the webserver to use a 
distinct user for one site (suexec). It is also possible to lock the password and to give that 
user no shell, so that no real person can use that functional account:

# passwd -l myuser            # lock the password
# chsh -s /bin/false myuser   # lock the shell

That way one can ensure that the mapfile itself cannot be accessed from the outside, but 
only from the mapserver CGI. In addition the mapfile can be located outside of the 
documentroot of the webserver.

For additional security one can use an encryption algorithm to avoid saving clear-text 
passwords in the mapfile (http://mapserver.gis.umn.edu/development/rfc/ms-rfc-18).

By the way, I have enhanced the site: 
http://www.mapbender.org/Kapseln_der_MapServer_Konfigurationsparameter
by a script I got from the mapserver community. Thanks to them!

Nevertheless the wrapper can still be called directly (by entering the URL in the browser, if 
known). For me it's not satisfying to say 'No one knows the location of my wrapper, so my 
service is secure'. The fact is: it's still open to the world.

I agree with you concerning the functionality of the owsproxy. Giving only localhost 
access using the webserver configuration could be the solution, because the owsproxy is 
running on the local machine. My quick tests have not been successful so far; I always had to 
give access to the remote machine (the client that calls Mapbender) to make the service work. 
I'll keep on trying to make it work that way.

If there are more suggestions or possibilities that I don't know about yet, I'm still very 
interested.

Yours

Johannes
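A way to check the Apache rule and the concern above against real traffic, as an added example that is not part of this thread: the first function models how Apache 2.2 evaluates Order/Deny/Allow for the pattern quoted below, and the second walks access-log lines for requests that reached the wrapper CGI directly from a client other than the local owsproxy. The log lines, the wrapper path /cgi-bin/ows_map1 and the client addresses are constructed for this example.

```python
import ipaddress
import re

# Constructed Apache "combined" log lines for this example (not real traffic).
# 127.0.0.1 is the owsproxy on the same host; the other clients are remote.
SAMPLE_LOG = """\
127.0.0.1 - - [03/Dec/2008:14:05:01 +0100] "GET /cgi-bin/ows_map1?SERVICE=WMS&REQUEST=GetMap&LAYERS=forest HTTP/1.1" 200 48213 "-" "owsproxy"
192.0.2.10 - - [03/Dec/2008:14:05:07 +0100] "GET /cgi-bin/ows_map1?SERVICE=WMS&REQUEST=GetCapabilities HTTP/1.1" 200 9921 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Dec/2008:14:05:09 +0100] "GET /mapbender/php/wms.php?wmsid=1&REQUEST=GetMap HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Dec/2008:14:06:30 +0100] "GET /cgi-bin/ows_map1?map=/srv/maps/x.map&REQUEST=GetMap HTTP/1.1" 403 212 "-" "curl/7.19"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def allowed_by_apache(client_ip, allow=("127.0.0.1",), order="deny,allow"):
    """Decide access under 'Deny from all' plus 'Allow from <allow>' in Apache 2.2.
    Order deny,allow: Deny is evaluated first and Allow last, so a client in the
    Allow list gets in although 'Deny from all' matched it.
    Order allow,deny: Deny is evaluated last, so 'Deny from all' shuts everyone out."""
    ip = ipaddress.ip_address(client_ip)
    in_allow = any(ip in ipaddress.ip_network(a, strict=False) for a in allow)
    if order == "deny,allow":
        return in_allow
    if order == "allow,deny":
        return False
    raise ValueError("unknown Order: " + order)


def direct_wms_calls(log_lines, wrapper_path="/cgi-bin/ows_map1", allow=("127.0.0.1",)):
    """Return (client_ip, status, path) for every request that hit the wrapper
    directly from a client the <Files> rule is meant to shut out. A 200 in the
    result means the hidden wrapper is still being served to the outside."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(wrapper_path):
            continue  # unparsable line, or not the wrapper (e.g. Mapbender's own URL)
        if allowed_by_apache(m["ip"], allow):
            continue  # expected traffic: the local owsproxy
        hits.append((m["ip"], int(m["status"]), m["path"]))
    return hits


if __name__ == "__main__":
    for ip, status, path in direct_wms_calls(SAMPLE_LOG.splitlines()):
        verdict = "STILL OPEN" if status == 200 else "blocked"
        print(f"{verdict:10} {ip:15} {status} {path}")
```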


On 3 Dec 2008 at 14:00, Ronald Woita wrote:

> You can't use Unix file permissions, because the map-file is a parameter
> of the mapserv(er) CGI. And the CGI script uses the webserver user
> (wwwrun for Apache) permissions for file access. So if the webserver can
> work with the mapfile, anybody else can see it too (via http).
> 
> If I understand it in the correct manner, the ows-proxy only generates
> a 'normal' GetMap request, and if WMS server and Mapbender are installed
> on the same machine, this request comes from localhost. So capsulate your
> WMS (you have to do it, see above) and then give only localhost access
> to these files by the Apache configuration.
> The only problem: no one must know your local filesystem :-(
> 
> 
> Ronald
> 
> 
> > <Files ows_map1>
> >   Order deny,allow
> >   Deny from all
> >   # a hostname here needs a reverse DNS lookup; "Allow from 127.0.0.1" avoids it
> >   Allow from localhost
> > </Files>
> 
> Ronald
> 
> --
> Ronald Woita
> http://geoportal.rostock.de
> Hansestadt Rostock
> Kataster-, Vermessungs- und Liegenschaftsamt
> Holbeinplatz 14, 18069 Rostock
> email: ronald.woita at rostock.de 
> phone: +49 (0)381 - 381 6256
> 
> >>> loose at lwf.uni-muenchen.de 03.12.2008 13:27 >>>
> Hello Ronald,
> 
> Thanks for your quick answer. Indeed I am using UMN Mapserver, so my
> question is related to that software.
> 
> The possibility to capsulate the map= parameter is nice to hide the
> absolute path of the mapfile, but cannot be seen as a way to secure a
> WMS, because a user can call the WMS through the wrapper, too. The
> mapfile itself is not viewable from the outside anyway.
> 
> To secure the WMS using the webserver configuration is a possibility if
> I want to make the WMS accessible for certain IPs or networks only. In
> that case I don't need the owsproxy at all. Am I wrong?
> 
> What I am looking for is a possibility to deny all direct accesses to
> the WMS, but allow the access via the owsproxy only. 
> That way one could ensure that only verified users may use the
> service.
> 
> What I thought of is a way to use the Linux file permissions (user
> /group) settings to achieve that. But I am not clear enough how that
> could work.
> 
> Any suggestions?
> 
> Thank you
> 
> Johannes
> 
> 
> On 3 Dec 2008 at 12:39, Ronald Woita wrote:
> 
> > Hi Johannes,
> > 
> > In my opinion the only solution is to protect your OWS services
> > depending on the software you use.
> > With MapServer UMN you can first hide the path details of your local
> > file system by this instruction:
> > http://www.mapbender.org/Kapseln_der_MapServer_Konfigurationsparameter
> > 
> > 
> > The second step is to protect the resulting CGI for the OWS service
> > with the functionality of your web server.
> > Here is an example for Apache:
> > <Files ows_map1>
> >   Order deny,allow
> >   Deny from all
> >   Allow from 192.3.0.123
> > </Files>
> > 
> > Another interesting approach I'm testing at the moment is the
> > layer-level-security by GeoServer.
> > http://geoserver.org/display/GEOSDOC/Layer+level+security 
> > 
> > greetings
> > Ronald
> > 
> > 
> > 
> > 
> > 
> > --
> > Ronald Woita
> > http://geoportal.rostock.de 
> > Hansestadt Rostock
> > Kataster-, Vermessungs- und Liegenschaftsamt
> > Holbeinplatz 14, 18069 Rostock
> > email: ronald.woita at rostock.de 
> > phone: +49 (0)381 - 381 6256
> > 
> > >>> loose at lwf.uni-muenchen.de 03.12.2008 11:29 >>>
> > Hello List,
> > 
> > Maybe my mail some days ago has been too complex or had too many
> > questions in one thread, so that there have been no replies so far.
> > I'll try to ask my main question again, but shorter:
> > 
> > What is the recommended way to secure a geodata service (WMS)? The
> > Mapbender wiki tells how to set up the owsproxy and use it to access a
> > service. It also points out the necessity to secure the service against
> > unauthorized access independent of Mapbender, but it does not tell how
> > that can be done.
> > 
> > Could anyone point me to docs about that issue or give me a small
> > example on how to 
> > achieve that?
> > 
> > Thanks in advance
> > 
> > Johannes
> > _______________________________________________
> > Mapbender_users mailing list
> > Mapbender_users at lists.osgeo.org 
> > http://lists.osgeo.org/mailman/listinfo/mapbender_users 

-- 
Bayerische Landesanstalt für Wald und Forstwirtschaft
Johannes Loose
Sachgebiet EDV und Statistik
Abteilung 1 (Zentrale Dienste)
Am Hochanger 11
85354 Freising
Tel.: +049 8161 71 5857
