MapServer & PostGIS Security
Paul Ramsey
pramsey at REFRACTIONS.NET
Fri Dec 22 16:22:26 PST 2006
Additionally, tighten up your PgSQL connection rules: make sure only
your MapServer box can connect to the PostgreSQL instance.
And make sure you don't have a DATAPATTERN set, so that people can't
override your data statement remotely and play SQL injection games.
P
On 22-Dec-06, at 3:47 PM, Bill Thoen wrote:
> I've just recently got MapServer going with data from a PostGIS connection
> and I'd like to know what the "best practices" are in terms of security.
> The problem I see is that you have to put a PostGIS username and password
> in your mapfile on the CONNECTION line, which is easily viewed by anyone.
>
> So what I've done is moved my mapfile out of the html directory tree and
> am also using a user with read-only privs to the tables I want to display
> and access to nothing else. But what do people who know what they're doing
> do to ensure that there are no security holes?
>
> TIA,
>
> - Bill Thoen
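
The mapfile-side points from this exchange (no DATAPATTERN, credentials sitting in CONNECTION, mapfile kept out of the HTML tree) written as a small audit script. This is an added example, not code from either poster or from MapServer; the sample mapfile, the role and host names, and the `/var/www` web root are constructed assumptions.

```python
import re

# Constructed sample mapfile; names, host and credentials are made up.
SAMPLE_MAPFILE = '''\
MAP
  NAME "demo"
  DATAPATTERN "^[a-z_ ]+$"   # lets URL requests change layer DATA
  LAYER
    NAME "roads"
    CONNECTIONTYPE POSTGIS
    CONNECTION "user=map_ro password=example dbname=gis host=db.internal"
    DATA "the_geom from roads"
  END
END
'''

def strip_comment(line):
    """Drop a trailing # comment, ignoring # inside quoted strings."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "#":
            return line[:i]
    return line

def audit_mapfile(text, path=None, web_roots=("/var/www",)):
    """Return (line_number, finding) tuples; line 0 means the file itself."""
    findings = []
    # web_roots is an assumed default; pass the server's real document roots.
    if path and any(path.startswith(r.rstrip("/") + "/") for r in web_roots):
        findings.append((0, "mapfile is inside a web root"))
    for n, raw in enumerate(text.splitlines(), 1):
        parts = strip_comment(raw).strip().split(None, 1)
        if not parts:
            continue
        keyword = parts[0].upper()  # mapfile keywords are case-insensitive
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "DATAPATTERN":
            findings.append((n, "DATAPATTERN set: DATA can be overridden by URL"))
        elif keyword == "CONNECTION" and re.search(r"\bpassword\s*=", value, re.I):
            findings.append((n, "password embedded in CONNECTION"))
    return findings

if __name__ == "__main__":
    for line_no, finding in audit_mapfile(SAMPLE_MAPFILE, "/var/www/html/demo.map"):
        print(line_no, finding)
```

A password finding is not a failure on its own: it marks a file that must stay unreadable from the web and whose database role should be read-only, as described in the thread.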