RE: [mapserver-users] Mapserver Security [SEC=UNCLASSIFIED]

2009-07-30 Thread Roppola, Antti - BRS
Hi Bill,

That's because it's not Apache reading the content in the directory.
Apache is running the CGI and the CGI is accessing the directory
directly. The CGI is already behind the access policy layer.

As the CGI is usually running as the Apache user, it has the same access
level as the Apache user (i.e. everything that any Apache process can
see).

It's not *that* great a problem as you can only interact with content
using methods supported by the Mapserver CGI (for example, draw).
Mapserver is unlikely to have any methods that will enable wholesale,
unaltered transfer of raw content, so using mapserver to access most files
is unlikely to elicit a useful response.

Some ideas:
 - Wrap your CGI and use _established_ tools to test/assert canonical
   paths on inputs:
   * within the CGI wrapper, i.e. might Perl's bless/taint be
     applicable?
   * using server level tools like modern equivalents to
     mod_security?
   * home brew regexp style security tools are probably always
     faulty
 - Your CGI wrapper could use sudo to contain different contexts to
   different roles/permissions
 - Put sensitive data into a database (like PostGIS) and use RDBMS
   roles/permissions (with login details kept out of the map file!)
 - Use security frameworks like SELinux or AppArmor to assert contexts
   (example below)

The last option makes it easy to restrict particular CGIs to particular
paths and is probably easiest to manage. Say put a sensitive map into a
separate VirtualHost with its own CGI and use SELinux or AppArmor to
restrict each VirtualHost to its own content. In a single host system,
you could keep two CGIs and place a context policy on the generic
mapserv.exe that keeps it out of theDir. Here's a sample snippet from
an AppArmor context that could be applied:
1) Allow that context to execute objects in a specified
location (bin/*.sh, think mapserv.exe)
2) Those executables are only allowed to read .jar files (think
path/*.map) from another specified location

/data/some/app {
...
  /data/some/app/bin/*.sh rix,      # read + execute, child inherits this profile
  /data/some/app/common/**.jar r,   # read-only access to the data files
...
}

By no means a ready rolled solution, but rather some avenues to
explore.

Cheers,

Antti

-Original Message-

It works fine, but I don't know why it works because it accesses the
mapfile in /theDir/, and /theDir is supposed to be password protected
now by Apache. To make sure that I didn't already have a valid user in
my browser, I shut it down and then tried again. When I ran that wrapper
it picked up its info from the mapfile and then happily drew the map
using the web template file that's also in that protected directory. 
It's as if there was no security at all!


--
IMPORTANT - This message has been issued by The Department of Agriculture, 
Fisheries and Forestry (DAFF). The information transmitted is for the use of 
the intended recipient only and may contain sensitive and/or legally privileged 
material. It is your responsibility to check any attachments for viruses and 
defects before opening or sending them on. 

Any reproduction, publication, communication, re-transmission, disclosure, 
dissemination or other use of the information contained in this e-mail by 
persons or entities other than the intended recipient is prohibited. The taking 
of any action in reliance upon this information by persons or entities other 
than the intended recipient is prohibited. If you have received this e-mail in 
error please notify the sender and delete all copies of this transmission 
together with any attachments. If you have received this e-mail as part of a 
valid mailing list and no longer want to receive a message such as this one 
advise the sender by return e-mail accordingly. Only e-mail correspondence 
which includes this footer, has been authorised by DAFF 

--

___
mapserver-users mailing list
mapserver-users@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/mapserver-users


Re: [mapserver-users] Mapserver Security

2009-07-29 Thread Bill Thoen
Thanks for the help, everyone. Good advice, as usual, and I think I've 
got it sorted out now.




[mapserver-users] Mapserver Security

2009-07-28 Thread Bill Thoen
I have some questions about securing a MapServer WMS. From the googlits 
I've gathered it seems that the easy way is to use Basic Authentication 
if you have Apache. I do have that on my Linux-based server, so I sealed 
off the directory in which I have my mapfile and web template. And so 
far so good. If a browser attempts to access that directory it is 
challenged to produce a valid username/password.


However, in my CGI directory, I have a wrapper set up for this directory 
that looks something like this:


#!/bin/sh
# wrapper CGI: pin the mapfile and hand a fixed query string to mapserv
MS_MAPFILE=/var/www/html/theDir/theFile.map
export MS_MAPFILE
QUERY_STRING="map=${MS_MAPFILE}&zoomdir=0&zoomsize=2&layer=counties&layer=states..."
export QUERY_STRING
/var/www/cgi-bin/mapserv

It works fine, but I don't know why it works because it accesses the 
mapfile in /theDir/, and /theDir is supposed to be password protected 
now by Apache. To make sure that I didn't already have a valid user in 
my browser, I shut it down and then tried again. When I ran that wrapper 
it picked up its info from the mapfile and then happily drew the map 
using the web template file that's also in that protected directory. 
It's as if there was no security at all!


But if I steer my browser to that directory and try to access the 
mapfile directly, I get challenged to produce a password before I can 
access any file in that directory.


I also just discovered another issue that should have been obvious but 
I didn't realize the implications until now. That is, if someone just 
tries a getCapabilities and gets a list of what's on my server, then 
they can view those layers via calls to getMap regardless of whether my 
map file is in a protected directory or not. But I thought they had to 
read the map file for getCapabilities to work, and yet on my system, the 
map files in protected directories seem to be just as friendly to 
strangers as the mapfiles in my public directories.


So can anybody explain what I need to do to secure a Mapserver WMS site 
or can you point me to a HOW TO document that explains things? Also, 
are there any other possible security surprises that I probably don't 
know about? I'd like to get these information leaks plugged up.


Thanks in advance,
- Bill Thoen



Re: [mapserver-users] Mapserver Security

2009-07-28 Thread Andy Colson

Bill Thoen wrote:
I have some questions about securing a MapServer WMS. From the googlits 
I've gathered it seems that the easy way is to use Basic Authentication 
if you have Apache. I do have that on my Linux-based server, so I sealed 
off the directory in which I have my mapfile and web template. And so 
far so good. If a browser attempts to access that directory it is 
challenged to produce a valid username/password.


However, in my CGI directory, I have a wrapper set up for this directory 
that looks something like this:


MS_MAPFILE=/var/www/html/theDir/theFile.map
export MS_MAPFILE
QUERY_STRING="map=${MS_MAPFILE}&zoomdir=0&zoomsize=2&layer=counties&layer=states..."
/var/www/cgi-bin/mapserv

It works fine, but I don't know why it works because it accesses the 
mapfile in /theDir/, and /theDir is supposed to be password protected 
now by Apache. To make sure that I didn't already have a valid user in 
my browser, I shut it down and then tried again. When I ran that wrapper 
it picked up its info from the mapfile and then happily drew the map 
using the web template file that's also in that protected directory. 
It's as if there was no security at all!


But if I steer my browser to that directory and try to access the 
mapfile directly, I get challenged to produce a password before I can 
access any file in that directory.


I also just discovered another issue that should have been obvious but 
I didn't realize the implications until now. That is, if someone just 
tries a getCapabilities and gets a list of what's on my server, then 
they can view those layers via calls to getMap regardless of whether my 
map file is in a protected directory or not. But I thought they had to 
read the map file for getCapabilities to work, and yet on my system, the 
map files in protected directories seem to be just as friendly to 
strangers as the mapfiles in my public directories.


So can anybody explain what I need to do to secure a Mapserver WMS site 
or can you point me to a HOW TO document that explains things? Also, 
are there any other possible security surprises that I probably don't 
know about? I'd like to get these information leaks plugged up.


Thanks in advance,
- Bill Thoen



Without reading/answering all your questions:

Apache security protects Apache paths, so /xyz is protected because you 
put access rights on /xyz.


You didn't put access rights on /cgi-bin, so /cgi-bin is not protected. 
A CGI program (mapserv in this case) does not know anything about Apache 
security, so it can access any path it wants.  Apache also has no 
control over CGI programs, so it cannot stop mapserv from accessing 
any path it wants.


-Andy


Re: [mapserver-users] Mapserver Security

2009-07-28 Thread Gregor at HostGIS

MS_MAPFILE=/var/www/html/theDir/theFile.map
export MS_MAPFILE
QUERY_STRING="map=${MS_MAPFILE}&zoomdir=0&zoomsize=2&layer=counties&layer=states..."
/var/www/cgi-bin/mapserv



it accesses the 
mapfile in /theDir/, and /theDir is supposed to be password protected 
now by Apache.


Correct. But the browser is not calling /theDir/ as an URL. The browser 
is calling /cgi-bin/wrapper.cgi


Therefore, Apache will only apply security for /cgi-bin/ to the request. 
After the request has been approved (since cgi-bin is not protected) 
Apache pays no attention at all to what the program DOES, including 
accessing file paths.


But if I steer my browser to that directory and try to access the 
mapfile directly, I get challenged to produce a password before I can 
access any file in that directory.


Exactly right. Apache matches the URL or directory that the BROWSER 
requested, and in this case the browser was in fact trying to access 
/theDir/



So can anybody explain what I need to do to secure a Mapserver WMS site 
or can you point me to a HOW TO document that explains things?


Sure.

Remove MapServer from cgi-bin and place it somewhere where it will not 
be directly accessible from the web -- for example /usr/local/bin/mapserv.


Modify your wrapper.cgi to use the new path to mapserv

Then password-protect the directory which contains wrapper.cgi

The result will be that one can only access MapServer through 
wrapper.cgi, and that wrapper.cgi will be password protected. If you're 
the only one using MapServer and only to serve protected layers, this 
should be just what you need.



are there any  other possible security surprises that I probably don't 
know about? I'd like to get these information leaks plugged up.


As far as MapServer bugs, nope. This one isn't even an Apache bug; it's 
the way Apache works and is documented to work, just misunderstood. But 
following the above (password-protect cgi-bin and move mapserv out of 
it) will get past this surprise.


--
HostGIS, Open Source solutions for the global GIS community
Greg Allensworth - SysAdmin, Programmer, GIS Person, Security
Network+   Server+   A+   Security+
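Gregor's recipe above (move mapserv out of cgi-bin, reach it only through a wrapper, and password-protect the wrapper's directory), written out as an added example; this is not a script from the thread or from the MapServer project. Beyond what the thread states, it assumes mapserv now lives at /usr/local/bin/mapserv, that the mapfile has been moved out of the DocumentRoot to /etc/mapserver/theFile.map, and that the client's query string is forwarded minus any map parameter, so a caller cannot point mapserv at a different mapfile even though the wrapper passes the rest of the request through:

```shell
#!/bin/sh
# Hardened wrapper.cgi (added example; not a script from the thread or the
# MapServer project). Assumptions not stated in the thread: mapserv has been
# moved to /usr/local/bin/mapserv, the mapfile and templates live outside the
# DocumentRoot in /etc/mapserver/, and Apache's Basic auth is applied to the
# directory holding this wrapper, so only authenticated users reach it.

MAPSERV=${MAPSERV:-/usr/local/bin/mapserv}
MAPFILE=${MAPFILE:-/etc/mapserver/theFile.map}

# Drop every client-supplied "map" parameter from a query string (compared
# case-insensitively, so MAP= and Map= are caught too) and keep the rest in
# order. Prints the filtered string; an empty result prints nothing.
strip_map_param() {
    printf '%s' "$1" | awk '
        BEGIN { RS = "&"; ORS = "" }
        $0 != "" && tolower($0) !~ /^map=/ { printf "%s%s", (n++ ? "&" : ""), $0 }
    '
}

# Build the query string mapserv will see: the administrator-chosen mapfile
# first, then whatever the client sent minus any attempt to override it.
build_query() {
    rest=$(strip_map_param "$1")
    if [ -n "$rest" ]; then
        printf 'map=%s&%s' "$MAPFILE" "$rest"
    else
        printf 'map=%s' "$MAPFILE"
    fi
}

# Only hand off to mapserv when actually invoked by the web server as a CGI
# (Apache sets GATEWAY_INTERFACE); running the file outside a CGI context,
# e.g. to test the functions above, skips this block.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    if [ ! -f "$MAPFILE" ] || [ ! -x "$MAPSERV" ]; then
        printf 'Status: 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\nwrapper misconfigured\n'
        exit 1
    fi
    QUERY_STRING=$(build_query "${QUERY_STRING:-}")
    export QUERY_STRING
    MS_MAPFILE=$MAPFILE
    export MS_MAPFILE
    exec "$MAPSERV"
fi
```

Apache's part is the piece Gregor already describes: the directory holding wrapper.cgi gets an AuthType Basic / Require valid-user block, and nothing else that can execute mapserv stays web-reachable, otherwise the filter is simply bypassed by calling mapserv directly. The filter only matters because this wrapper forwards client parameters; Bill's original wrapper hard-codes the whole query string and needs no filtering, but then every request draws the same map.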


Re: [mapserver-users] Mapserver Security

2009-07-28 Thread Steve Lime
Others may have different ideas but it seems to me you'll need to secure the
WMS binary rather than a directory. (I wouldn't store mapfiles and templates
in a web accessible location anyway.) There are probably many ways to do
this. One idea might be to have separate WMS binaries, one for
password-protected stuff and another for public stuff, call 'em wms1 and
wms2. Latest versions of MapServer allow you to set an env variable called
MS_MAPFILE_PATTERN. This is used as a regex test against the requested
mapfile and can help restrict what can be loaded. It's not foolproof but is
a good start. You could set that variable conditionally based on what binary
(wms1 or wms2) is requested (see mod_setenvif). You'd apply password
protection against the wms1 in this case.

You can go further and not allow full path mapfiles at all. (See
MS_MAP_NO_PATH in this document:
http://trac.osgeo.org/mapserver/wiki/EnvironmentVariables). In this case
you'd set:

  SetEnv MS_MAP_NO_PATH 1
  SetEnv WMS1_MAPFILE 'some path'
  SetEnv WMS2_MAPFILE 'some other path'

and users could only use WMS1_MAPFILE or WMS2_MAPFILE in WMS calls (or CGI
calls for that matter). You might even be able to secure one WMS binary
based on the mapfile requested. That is, any URL request with WMS1_MAPFILE
requires basic authentication.

Steve

 On 7/28/2009 at 11:47 AM, in message 4a6f2b9f.8060...@gisnet.com, Bill Thoen bth...@gisnet.com wrote:
 I have some questions about securing a MapServer WMS. From the googlits 
 I've gathered it seems that the easy way is to use Basic Authentication 
 if you have Apache. I do have that on my Linux-based server, so I sealed 
 off the directory in which I have my mapfile and web template. And so 
 far so good. If a browser attempts to access that directory it is 
 challenged to produce a valid username/password.
 
 However, in my CGI directory, I have a wrapper set up for this directory 
 that looks something like this:
 
 MS_MAPFILE=/var/www/html/theDir/theFile.map
 export MS_MAPFILE
 QUERY_STRING="map=${MS_MAPFILE}&zoomdir=0&zoomsize=2&layer=counties&layer=states..."
 /var/www/cgi-bin/mapserv
 
 It works fine, but I don't know why it works because it accesses the 
 mapfile in /theDir/, and /theDir is supposed to be password protected 
 now by Apache. To make sure that I didn't already have a valid user in 
 my browser, I shut it down and then tried again. When I ran that wrapper 
 it picked up its info from the mapfile and then happily drew the map 
 using the web template file that's also in that protected directory. 
 It's as if there was no security at all!
 
 But if I steer my browser to that directory and try to access the 
 mapfile directly, I get challenged to produce a password before I can 
 access any file in that directory.
 
 I also just discovered another issue that should have been obvious but 
 I didn't realize the implications until now. That is, if someone just 
 tries a getCapabilities and gets a list of what's on my server, then 
 they can view those layers via calls to getMap regardless of whether my 
 map file is in a protected directory or not. But I thought they had to 
 read the map file for getCapabilities to work, and yet on my system, the 
 map files in protected directories seem to be just as friendly to 
 strangers as the mapfiles in my public directories.
 
 So can anybody explain what I need to do to secure a Mapserver WMS site 
 or can you point me to a HOW TO document that explains things? Also, 
 are there any other possible security surprises that I probably don't 
 know about? I'd like to get these information leaks plugged up.
 
 Thanks in advance,
 - Bill Thoen
 


Re: [mapserver-users] Mapserver Security

2009-07-28 Thread Gregor at HostGIS

Latest versions of MapServer allow you to set an env variable called
MS_MAPFILE_PATTERN


Holy cow!



  SetEnv MS_MAP_NO_PATH 1
  SetEnv WMS1_MAPFILE 'some path'
  SetEnv WMS2_MAPFILE 'some other path'


Wow! Wow!

Super cool. I hadn't even heard of these. Thanks for the tip!

--
HostGIS, Open Source solutions for the global GIS community
Greg Allensworth - SysAdmin, Programmer, GIS Person, Security
Network+   Server+   A+   Security+


Re: [mapserver-users] Mapserver Security

2009-07-28 Thread Steve Lime
Problem with MS_MAPFILE_PATTERN is that if using it for the path part of a
mapfile you could use back references to get elsewhere. I imagine it's
possible to craft a regex that wouldn't allow '..' but it's not trivial
(examples welcome!). Not allowing path'd mapfiles at all is more restrictive
and is certainly a goal of mine now when setting apps up.

I should add that we are very interested in security improvements so please
let us know if you run into issues or have ideas!

Steve

 On 7/28/2009 at 1:15 PM, in message 4a6f4053.6030...@hostgis.com, Gregor at HostGIS gre...@hostgis.com wrote:
  Latest versions of MapServer allow you to set an env variable called
 MS_MAPFILE_PATTERN
 
 Holy cow!
 
 
   SetEnv MS_MAP_NO_PATH 1
   SetEnv WMS1_MAPFILE 'some path'
   SetEnv WMS2_MAPFILE 'some other path'
 
 Wow! Wow!
 
 Super cool. I hadn't even heard of these. Thanks for the tip!

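Steve asks above for an example of a check that keeps a requested mapfile path from escaping via '..', and Antti's reply (at the top of the thread) suggests asserting canonical paths with established tools rather than home-brew regexes. The following is an added example, not code from the thread or from MapServer: it canonicalises both the request and the allowed directory with readlink -f (GNU coreutils or busybox, assumed available) and compares the results, so '..' segments and symlinks that lead outside the allowed tree are rejected by construction rather than by pattern. The directory tree built in selfcheck is constructed for the example.

```shell
#!/bin/sh
# Canonical-path check for a requested mapfile. Added example; not code from
# the thread or from the MapServer project. Instead of a regex that tries to
# forbid "..", resolve the request with readlink -f (GNU coreutils or busybox,
# assumed available) and compare the real location with the allowed
# directory. That also catches symlinks inside the directory that point out.

# Usage: mapfile_allowed REQUESTED_PATH ALLOWED_DIR
# Returns 0 when REQUESTED_PATH names an existing regular *.map file whose
# resolved location lies inside ALLOWED_DIR (also resolved); 1 otherwise.
mapfile_allowed() {
    base=$(readlink -f -- "$2") || return 1
    # readlink -f fails if a parent component is missing, which is already a
    # rejection; a missing final component is caught by the -f test below.
    real=$(readlink -f -- "$1") || return 1
    [ -f "$real" ] || return 1
    case $real in
        "$base"/*.map) return 0 ;;  # inside the allowed tree, right suffix
        *)             return 1 ;;  # traversal, symlink escape or wrong type
    esac
}

# Constructed fixture (not from the thread): a throwaway tree with one
# legitimate mapfile, a file outside the allowed directory, and a symlink
# inside the allowed directory pointing outside. Returns 0 when the check
# accepts and rejects exactly what it should, 1 otherwise.
selfcheck() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/maps" "$tmp/private"
    : > "$tmp/maps/public.map"
    : > "$tmp/private/secret.map"
    : > "$tmp/private/notes.txt"
    ln -s "$tmp/private/secret.map" "$tmp/maps/link.map"
    rc=0
    mapfile_allowed "$tmp/maps/public.map" "$tmp/maps"            || rc=1  # legitimate: accept
    mapfile_allowed "$tmp/maps/../private/secret.map" "$tmp/maps" && rc=1  # ".." traversal: reject
    mapfile_allowed "$tmp/maps/link.map" "$tmp/maps"              && rc=1  # symlink escape: reject
    mapfile_allowed "$tmp/private/notes.txt" "$tmp/maps"          && rc=1  # outside, wrong suffix: reject
    mapfile_allowed "$tmp/maps" "$tmp/maps"                       && rc=1  # a directory: reject
    mapfile_allowed "$tmp/maps/missing.map" "$tmp/maps"           && rc=1  # nonexistent: reject
    rm -rf "$tmp"
    return $rc
}

# Command-line use: mapfile_check.sh REQUESTED_PATH ALLOWED_DIR
if [ $# -eq 2 ]; then
    if mapfile_allowed "$1" "$2"; then echo "allowed: $1"; else echo "rejected: $1"; exit 1; fi
fi
```

Because the comparison is made on the resolved path, the check does not care how the request is spelled (../, ./, doubled slashes, symlinks). What it does not cover is a race where the file is swapped between the check and mapserv opening it, which is one more argument for MS_MAP_NO_PATH, where the client only ever names an entry in a fixed administrator-controlled table.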