[mapserver-users] Mapserver Security
Gregor at HostGIS
gregor at hostgis.com
Tue Jul 28 10:47:21 PDT 2009
> MS_MAPFILE=/var/www/html/theDir/theFile.map
> export MS_MAPFILE
> QUERY_STRING="map=${MS_MAPFILE}&zoomdir=0&zoomsize=2&layer=counties&layer=states&...
> /var/www/cgi-bin/mapserv
> it accesses the
> mapfile in /theDir/, and /theDir is supposed to be password protected
> now by Apache.
Correct. But the browser is not calling /theDir/ as a URL. The browser
is calling /cgi-bin/wrapper.cgi
Therefore, Apache will only apply security for /cgi-bin/ to the request.
After the request has been approved (since cgi-bin is not protected)
Apache pays no attention at all to what the program DOES, including
accessing file paths.
> But if I steer my browser to that directory and try to access the
> mapfile directly, I get challenged to produce a password before I can
> access any file in that directory.
Exactly right. Apache matches the URL or directory that the BROWSER
requested, and in this case the browser was in fact trying to access
/theDir/
> So can anybody explain what I need to do to secure a Mapserver WMS site
> or can you point me to a "HOW TO" document that explains things?
Sure.
Remove MapServer from cgi-bin and place it somewhere where it will not
be directly accessible from the web -- for example /usr/local/bin/mapserv.
Modify your wrapper.cgi to use the new path to mapserv.
Then password-protect the directory which contains wrapper.cgi.
The result will be that one can only access MapServer through
wrapper.cgi, and that wrapper.cgi will be password protected. If you're
the only one using MapServer and only to serve "protected" layers, this
should be just what you need.
> are there any other possible security surprises that I probably don't
> know about? I'd like to get these information leaks plugged up.
As far as MapServer bugs, nope. This one isn't even an Apache bug; it's
the way Apache works and is documented to work, just misunderstood. But
following the above (password-protect cgi-bin and move mapserv out of
it) will get past this surprise.
--
HostGIS, Open Source solutions for the global GIS community
Greg Allensworth - SysAdmin, Programmer, GIS Person, Security
Network+ Server+ A+ Security+
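The two Apache layouts this reply contrasts, written out as an added example (not part of the original message or of MapServer itself) in Apache 2.4 syntax; the AuthUserFile location is an assumption, and the other paths come from the thread.

```apache
# Added example, not from the original thread. Only ONE of the two
# layouts below belongs in a live httpd.conf; both are shown for contrast.
# Assumed path: /etc/apache2/mapserv.htpasswd (htpasswd file).

## Layout A - the surprise described in the reply.
## Apache authorizes the URL the browser asked for, /cgi-bin/wrapper.cgi.
## That location is open, so the request is approved and Apache never
## looks at which files mapserv then opens on disk.
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
<Directory /var/www/cgi-bin>
    Options +ExecCGI
    Require all granted
</Directory>
# This block only protects direct URL requests for /theDir/. It does not
# stop mapserv from reading /var/www/html/theDir/theFile.map from disk.
<Directory /var/www/html/theDir>
    AuthType Basic
    AuthName "Protected layers"
    AuthUserFile /etc/apache2/mapserv.htpasswd
    Require valid-user
</Directory>

## Layout B - the fix from the reply.
## mapserv is moved to /usr/local/bin/mapserv, outside DocumentRoot and
## outside any ScriptAlias, so no URL maps to it. wrapper.cgi (which now
## execs /usr/local/bin/mapserv after setting MS_MAPFILE and QUERY_STRING)
## is the only entry point, and the directory holding it is what Apache
## challenges for a password.
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
<Directory /var/www/cgi-bin>
    Options +ExecCGI
    AuthType Basic
    AuthName "Protected layers"
    AuthUserFile /etc/apache2/mapserv.htpasswd
    Require valid-user
</Directory>
# The /theDir/ block from Layout A may stay; it is now a second line of
# defence for direct URL access rather than the only one.
```

Verify with a direct request for /cgi-bin/wrapper.cgi: under Layout A it returns map output without credentials, under Layout B it returns 401 until a valid user is supplied.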