MapServer & PostGIS Security

Paul Ramsey pramsey at REFRACTIONS.NET
Fri Dec 22 19:22:26 EST 2006


Additionally, tighten up your PgSQL connection rules, make sure only
your mapserver box can connect to the postgresql instance.
And make sure you don't have a DATAPATTERN set, so that people can't
override your data statement remotely and play SQL injection games.

P

On 22-Dec-06, at 3:47 PM, Bill Thoen wrote:

> I've just recently got MapServer going with data from a PostGIS connection
> and I'd like to know what the "best practices" are in terms of security.
> The problem I see is that you have to put a PostGIS username and password
> in your mapfile on the CONNECTION line, which is easily viewed by anyone.
>
> So what I've done is moved my mapfile out of the html directory tree and
> am also using a user with read-only privs to the tables I want to display
> and access to nothing else. But what do people who know what they're doing
> do to ensure that there are no security holes?
>
> TIA,
>
> - Bill Thoen
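
The two checks recommended in the reply above (no DATAPATTERN in the mapfile, and PostgreSQL host rules that admit only the MapServer box) can be automated. This is an added example, not part of the original thread and not MapServer or PostgreSQL code; the sample mapfile, the pg_hba.conf lines, the host, database and role names, the address 192.0.2.10 and both function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample inputs for illustration; none of this is from the thread.
SAMPLE_MAPFILE = """\
MAP
  DATAPATTERN "."
  LAYER
    CONNECTIONTYPE POSTGIS
    CONNECTION "host=db.example.internal dbname=gis user=ms_ro password=CHANGEME"
  END
END
"""
SAMPLE_PG_HBA = """\
host    gis       ms_ro  192.0.2.10/32  md5
host    all       all    0.0.0.0/0      md5
"""

def audit_mapfile(text):
    """Return (line_no, message) pairs for risky mapfile directives."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split(None, 1)
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0].upper() == "DATAPATTERN":
            findings.append((no, "DATAPATTERN set: DATA can be overridden by request"))
        elif tokens[0].upper() == "CONNECTION" and re.search(r"password\s*=", raw, re.I):
            findings.append((no, "password in CONNECTION: keep file out of the web tree"))
    return findings

def audit_pg_hba(text, mapserver_ip):
    """Return (line_no, message) for host rules not limited to mapserver_ip."""
    allowed = ipaddress.ip_network(mapserver_ip)  # bare address -> single host
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue  # comments, blank lines and "local" socket rules
        addr = fields[3]
        if "/" not in addr and len(fields) >= 6:
            addr += "/" + fields[4]  # older "IP-address IP-mask" form
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            net = None  # hostname or keyword such as "all": always reported
        if net != allowed:
            findings.append((no, "admits %s, not only %s" % (net or fields[3], allowed)))
    return findings
```

Run `audit_mapfile` over each deployed mapfile and `audit_pg_hba` over the server's pg_hba.conf with the MapServer host's address; an empty list from both means neither condition was found.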


