docker-nginx-fpm-alpine's Introduction

PrivateBin

Current version: 1.7.1

PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data.

Data is encrypted and decrypted in the browser using 256-bit AES in Galois/Counter Mode (GCM).

This is a fork of ZeroBin, originally developed by Sébastien Sauvage. PrivateBin was refactored to allow easier and cleaner extensions and has many additional features. It is, however, still fully compatible with the original ZeroBin 0.19 data storage scheme, so such installations can be upgraded to PrivateBin without losing any data.

What PrivateBin provides

  • As a server administrator you don't have to worry if your users post content that is considered illegal in your country. You have plausible deniability of any of the pastes' content. If requested or enforced, you can delete any paste from your system.

  • Pastebin-like system to store text documents, code samples, etc.

  • Encryption of data sent to server.

  • Possibility to set a password which is required to read the paste. It further protects a paste and prevents people who stumble upon your paste's link from reading it without the password.

What it doesn't provide

  • As a user you have to trust the server administrator not to inject any malicious code. For security, a PrivateBin installation has to be used over HTTPS! Otherwise you would also have to trust your internet provider, and any jurisdiction the traffic passes through. Additionally, the instance should be secured by HSTS. It can use traditional certificate authorities and/or use a DNSSEC protected DANE record.

  • The "key" used to encrypt the paste is part of the URL. If you publicly post the URL of a paste that is not password-protected, anyone can read it. Use a password if you want your paste to remain private. In that case, make sure to use a strong password and share it privately and end-to-end-encrypted.

  • A server admin can be forced to hand over access logs to the authorities. PrivateBin encrypts your text and the discussion contents, but who accessed a paste (first) might still be disclosed via access logs.

  • In case of a server breach your data is secure as it is only stored encrypted on the server. However, the server could be abused or the server admin could be legally forced into sending malicious code to their users, which logs the decryption key and sends it to a server when a user accesses a paste. Therefore, do not access any PrivateBin instance if you think it has been compromised. As long as no user accesses this instance with a previously generated URL, the content can't be decrypted.

Options

Some features are optional and can be enabled or disabled in the configuration file:

  • Password protection

  • Discussions, anonymous or with nicknames and IP based identicons or vizhashes

  • Expiration times, including a "forever" and "burn after reading" option

  • Markdown format support for HTML formatted pastes, including preview function

  • Syntax highlighting for source code using prettify.js, including 4 prettify themes

  • File upload support, image, media and PDF preview (disabled by default, size limit adjustable)

  • Templates: by default there are bootstrap CSS, darkstrap and "classic ZeroBin" to choose from, and it is easy to adapt these to your own website's layout or create your own.

  • Translation system and automatic browser language detection (if enabled in browser)

  • Language selection (disabled by default, as it uses a session cookie)

  • QR code for paste URLs, to easily transfer them over to mobile devices

Further resources

Run into any issues? Have ideas for further developments? Please report them!

docker-nginx-fpm-alpine's People

Contributors

dependabot[bot], elrido, fenak, gabops, mattclegg, michaelcontento, mvanholsteijn, nezteb, rugk, simonrupf, sqlstatement, sylr, zoey2936

docker-nginx-fpm-alpine's Issues

Latest image seems to have broken custom conf.php

Hi, just sending a little heads-up regarding breakage of custom conf.php files in the latest image.

  • The latest container image seems to have broken custom conf.php configurations and just ignores the conf.php file entirely.
  • Image tag "1.3.5" seems to be the latest working container image where a custom conf.php is working just fine.

Info about test environment:

Volume mount:
-v $CONTAINERS/privatebin/cfg/conf.php:/srv/cfg/conf.php:ro \
Output of ls -la within container to highlight permissions:
-r-------- 1 nobody www-data 7396 Jul 4 01:23 conf.php

As previously mentioned, it works just fine on image tag 1.3.5 and previous versions.

ZAP Full Scan Report

Container doesn't work (due to permission issue ?)

Hello,

I just installed the container on my Synology.
When I start it, the logs are as below:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/nginx/run: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/php-fpm7/run: Operation not permitted
[s6-init] ensuring user provided files have correct perms...exited 0. 
[fix-attrs.d] applying ownership & permissions fixes... 
[fix-attrs.d] done. 
[cont-init.d] executing container initialization scripts... 
[cont-init.d] done. 
[services.d] starting services 
[services.d] done.
2020/03/11 09:35:27 [warn] 185#185: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2 
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2 
[11-Mar-2020 09:35:27] NOTICE: [pool www] 'user' directive is ignored when FPM is not running as root 
[11-Mar-2020 09:35:27] NOTICE: [pool www] 'user' directive is ignored when FPM is not running as root 
[11-Mar-2020 09:35:27] NOTICE: [pool www] 'group' directive is ignored when FPM is not running as root 
[11-Mar-2020 09:35:27] NOTICE: [pool www] 'group' directive is ignored when FPM is not running as root 
[11-Mar-2020 09:35:27] NOTICE: fpm is running, pid 183 
[11-Mar-2020 09:35:27] NOTICE: ready to handle connections

Later, I tried running the container with super privileges, but I still get the first error lines.
When I connect to my PrivateBin URL, the website is displayed correctly, but as soon as I try to send content to the server I get this error: Impossible de créer le paste : Le serveur ne répond pas ou a rencontré une erreur (in English: Impossible to create the paste: the server doesn't answer or encountered an error)

Looking to the logs, I have this :

2020-03-11 09:51:52	stdout	172.17.0.1 - - [11/Mar/2020:09:51:52 +0000] "POST / HTTP/1.1" 500 5 "-" "Mozilla/5.0 (Windows NT 6.1; rv:73.0) Gecko/20100101 Firefox/73.0" "81.56.29.188"
2020-03-11 09:51:52	stderr	  thrown in /srv/lib/Persistence/AbstractPersistence.php on line 99" while reading response header from upstream, client: 172.17.0.1, server: , request: "POST / HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm.sock:", host: "paste.jakubowicz.me"
2020-03-11 09:51:52	stderr	#5 {main}
2020-03-11 09:51:52	stderr	#4 /var/www/index.php(18): PrivateBin\Controller->__construct()
2020-03-11 09:51:52	stderr	#3 /srv/lib/Controller.php(125): PrivateBin\Controller->_create()
2020-03-11 09:51:52	stderr	#2 /srv/lib/Controller.php(201): PrivateBin\Persistence\TrafficLimiter::canPass()
2020-03-11 09:51:52	stderr	#1 /srv/lib/Persistence/TrafficLimiter.php(104): PrivateBin\Persistence\AbstractPersistence::_exists('traffic_limiter...')
2020-03-11 09:51:52	stderr	#0 /srv/lib/Persistence/AbstractPersistence.php(72): PrivateBin\Persistence\AbstractPersistence::_initialize()
2020-03-11 09:51:52	stderr	Stack trace:
2020-03-11 09:51:52	stderr	2020/03/11 09:51:52 [error] 202#202: *23 FastCGI sent in stderr: "PHP message: PHP Fatal error:  Uncaught Exception: unable to write to file /srv/data/.htaccess in /srv/lib/Persistence/AbstractPersistence.php:99

I saw in the documentation that uid and gid must be set to specific values, but I have no idea how to do this...

Thanks in advance for your help.
Julien

Upgrade image to Alpine 3.13 & PHP 8

Working on the above, will push and tag once tested, then once the image has been built, I'll deploy it on the demo site at https://privatebin.net

  • upgrade to Alpine 3.13
  • upgrade to PHP 8.0
  • switch to packaged s6-overlay

On that last point I encountered a little snag in a dependency of s6:

ERROR: unable to select packages:
  so:libskarnet.so.2.9 (no such package):
    required by: justc-envdir-1.0.0-r1[so:libskarnet.so.2.9]

The maintainer of the package has already raised a merge request with a fix, and once it's merged and the package has been built and published I should be able to conclude this.

edge image fails to build due to s6-overlay being broken

We did recently have a series of failures in the nightly builds and I only now found time to investigate. Part of it was a DNS resolution issue, which should now be addressed (the secondary nameserver for privatebin.info being offline due to k8s internal cluster certificate expiration, due to a bug in that particular version of the k8s certificate renewal process - will require me rebuilding that cluster from scratch using a later release, so I migrated the nameserver to another service for now till that project can get done).

With that fixed, we now hit an issue in the edge release of Alpine's s6-overlay. As far as I understand the issue so far, Alpine's s6, maintained by the author of that software, got upgraded to a release that is more strict in one of its binaries, which causes the s6-overlay (maintained by a different team) to fail and requires at least one component to be rewritten in that project.

Various ideas for short and long term solutions are:

  1. temporarily disable the edge build, so the stable nightly image can get produced
  2. change the build script to tolerate failures of the edge build, while still halting if a stable image build fails
  3. add/enable the unmaintained package repository in the edge image, so we can still install the s6-overlay package and conclude the build (this may simply result in an image that doesn't run)
  4. revert back to installing a stable, statically linked s6-overlay release from tarball in the edge image only, which works around the incompatibility with the newer alpine version of s6 (effectively pinning the s6-overlay release to an older s6 version until that project finds a solution for this)
  5. switch to a different service manager, for example:
    1. pure shell scripts with backgrounding and polling for crashed services in a loop - really finicky and not a robust solution
    2. supervisord - pulls in all of python3
    3. runit - very small, service files are just shell scripts
    4. s6-rc - from the s6 author and maintained in alpine stable and edge

Any other ideas are welcome and of course we may just end up doing both a short term fix and later a longer term one, when we find time to do so.

privatebin run issue on synology docker

I just installed from scratch.

Unfortunately, I have the following error message:

s6-rc: fatal: unable to take locks: Permission denied

Any assistance is appreciated.

Suggestion: permission problem

Related issue: #2

Probably you can add something like this in the Dockerfile:

ARG UID=65534
ARG GID=82
usermod -u $UID nobody
groupmod -g $GID www-data

And add the following instruction to the README.md: chown -R 65534:82 data/

timeout while the service is up!

Hello,

I noticed that the privatebin log is filled with these:

s6-supervise php-fpm8: warning: can't happen: timeout while the service is up!
s6-supervise nginx: warning: can't happen: timeout while the service is up!

Currently using the latest docker version with Swarm; this is the privatebin configuration:

  - name: privatebin
    image: privatebin/nginx-fpm-alpine
    restart_policy: any
    mode: replicated
    replicas: 1
    env:
     TZ: Europe/Paris
     PHP_TZ: Europe/Paris
    mounts:
      - source: privatebin
        target: /srv/data
        type: volume
    networks:
      - name: net-traefik
        aliases:
          - privatebin.{{ domain_name }}
    labels:
      traefik.enable: 'true'
      traefik.docker.network: net-traefik
      traefik.http.routers.privatebin-http.entrypoints: http
      traefik.http.routers.privatebin-http.middlewares: https-redirect
      traefik.http.routers.privatebin-http.rule: Host(`privatebin.{{ domain_name }}`)
      traefik.http.routers.privatebin-https.entrypoints: https
      traefik.http.routers.privatebin-https.rule: Host(`privatebin.{{ domain_name }}`)
      traefik.http.routers.privatebin-https.tls: 'true'
      traefik.http.routers.privatebin-https.tls.options: 'default'
      traefik.http.routers.privatebin-https.middlewares: secure-headers,gzip
      traefik.http.routers.privatebin-https.service: 'privatebin-https'
      traefik.http.services.privatebin-https.loadbalancer.server.port: '8080'

Any clue about what is going on?

Nginx configuration?

Is there an example for configuring the nginx server?

Actually I am getting this error message in the docker container:

12#12: *7 connect() to [::]:9000 failed (99: Address not available) while connecting to upstream, client: 172.17.0.1, server: ..

I think it is because of the missing upstream for php-fpm, but even with:

upstream php {
server 127.0.0.1:9000;
}

it won't work at all.

File upload limitations

By default, conf.php sets sizelimit = 2Mb, which is easy to override.
But there are also nginx and PHP limitations regarding this, and those are not so easy to fix.
Could you please change

  • upload_max_filesize
  • post_max_size

in php.ini and also add

  • client_max_body_size

parameter in nginx config with some reasonable value (like 500-1000M)?

I can create PR if needed.

ZAP Full Scan Report

View the following link to download the report.
RunnerID:716506686

Latest Update broke container for me

Here is a line from the log.

privatebin    | 2020/05/04 18:04:21 [emerg] 270#270: socket() [::]:8080 failed (97: Address family not supported by protocol)
privatebin    | nginx: [emerg] socket() [::]:8080 failed (97: Address family not supported by protocol)

this is my docker-compose.yml file

---
version: "2"
services:
    privatebin:
        image: privatebin/nginx-fpm-alpine
        container_name: privatebin
        ports:
          - "127.0.0.1:8080:80"
        environment:
          - TZ=Europe/Amsterdam  
          - PHP_TZ=Europe/Amsterdam
        volumes:
          - /var/docker/conf/privatebin/conf.php:/src/cfg/conf.php:ro
          - /etc/localtime:/etc/localtime:ro  
        restart: unless-stopped

My guess is that it has something to do with the IPv6 stack, which I don't have on my docker host.

Unable to create a paste

While trying to create a new paste I'm encountering the following error:

Could not create paste: server error or not responding

2020/08/10 20:33:23 [error] 198#198: *1 FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught Exception: unable to write to file /srv/data/.htaccess in /srv/lib/Persistence/AbstractPersistence.php:99 Stack trace: #0 /srv/lib/Persistence/AbstractPersistence.php(72): PrivateBin\Persistence\AbstractPersistence::_initialize() #1 /srv/lib/Persistence/TrafficLimiter.php(104): PrivateBin\Persistence\AbstractPersistence::_exists('traffic_limiter...') #2 /srv/lib/Controller.php(201): PrivateBin\Persistence\TrafficLimiter::canPass() #3 /srv/lib/Controller.php(125): PrivateBin\Controller->_create() #4 /var/www/index.php(18): PrivateBin\Controller->__construct() #5 {main} thrown in /srv/lib/Persistence/AbstractPersistence.php on line 99" while reading response header from upstream, client: 172.17.0.1, server: , request: "POST / HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm.sock:"

I know it's probably a permission error, but I ran the docker image exactly as the documentation says:

docker run -d --restart="always" --read-only -p 8080:8080 -v /opt/privatebin/code/data:/srv/data privatebin/nginx-fpm-alpine

nightly build producing a latest image resource

The current Dockerfile setup always produces an image based on the 1.3.5 release (or at least the release defined by the RELEASE env var). It would be nice if the nightly release were made from the latest master, so that I can test the changes.

Not able to paste

When deploying using docker-compose, I am unable to paste.
docker-compose.yml

  privatebin:
    container_name: privatebin
    image: privatebin/nginx-fpm-alpine
    restart: unless-stopped
    ports:
    - 8083:80
    volumes:
      - ./data:/srv/data
version: "3.4"

Error: From PrivateBin WebUI: Could not create paste: server error or not responding
From logs:

Stack trace:
#0 /srv/lib/Persistence/AbstractPersistence.php(72): PrivateBin\Persistence\AbstractPersistence::_initialize()
#1 /srv/lib/Persistence/TrafficLimiter.php(104): PrivateBin\Persistence\AbstractPersistence::_exists('traffic_limiter...')
#2 /srv/lib/Controller.php(200): PrivateBin\Persistence\TrafficLimiter::canPass()
#3 /srv/lib/Controller.php(125): PrivateBin\Controller->_create()
#4 /var/www/index.php(18): PrivateBin\Controller->__construct()
#5 {main}
  thrown in /srv/lib/Persistence/AbstractPersistence.php on line 99
2019/02/07 00:28:29 [error] 9#9: *1 FastCGI sent in stderr: "PHP message: PHP Fatal error:  Uncaught Exception: unable to write to file /srv/data/.htaccess in /srv/lib/Persistence/AbstractPersistence.php:99
Stack trace:
#0 /srv/lib/Persistence/AbstractPersistence.php(72): PrivateBin\Persistence\AbstractPersistence::_initialize()
#1 /srv/lib/Persistence/TrafficLimiter.php(104): PrivateBin\Persistence\AbstractPersistence::_exists('traffic_limiter...')
#2 /srv/lib/Controller.php(200): PrivateBin\Persistence\TrafficLimiter::canPass()
#3 /srv/lib/Controller.php(125): PrivateBin\Controller->_create()
#4 /var/www/index.php(18): PrivateBin\Controller->__construct()
#5 {main}
  thrown in /srv/lib/Persistence/AbstractPersistence.php on line 99" while reading response header from upstream, client: 172.30.0.1, server: , request: "POST / HTTP/1.0", upstream: "fastcgi://unix:/run/php-fpm.sock:", host: "localhost:8083"

EDIT: Formatting

Run on Kubernetes has permission problem

Hello,

We ran version < 1.3 on Kubernetes without issues. The /srv/data folder is a mounted disk shared between pods. After the upgrade we got this error. It looks like it produces this error randomly. First I thought it was a problem with multiple pods, but now it produces this error even when only one pod is running. After a couple of tries it started working again. Maybe every 3rd or 4th try ends with this error.
Error:

*5 FastCGI sent in stderr: "PHP message: PHP Warning:  mkdir(): Permission denied in /srv/lib/Data/Filesystem.php on line 64" while reading response header from upstream, client: 172.16.110.114, server: , request: "POST / HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm.sock:", host:

Part of our k8s deployment setup:

securityContext:
  fsGroup: 82
initContainers:
- name: volume-mount-hack
  image: busybox
  command: ["sh", "-c", "chmod g+rwx /srv/data && chown 65534:82 /srv/data "]
  volumeMounts:
  - mountPath: /srv/data
    name: private-bin
containers:
- name: private-bin
  image: 'payout1/private_bin:1.3.1'
  imagePullPolicy: Always
  securityContext:
    runAsUser: 65534
    runAsGroup: 82
  volumeMounts:
  - name: config
    mountPath: /srv/cfg/
  - mountPath: /srv/data
    name: private-bin

But permissions are like this:

/var/www $ ls -la /srv/
total 4
drwxr-xr-x    1 root     root            17 Oct  2 06:30 .
drwxr-xr-x    1 root     root             6 Oct  2 09:01 ..
drwxrwsrwx    3 root     www-data        75 Oct  2 09:01 cfg
drwxrwx---   86 nobody   www-data      4096 Oct  2 08:53 data
drwxrwxr-x    5 nobody   www-data       260 Oct  2 06:30 lib
drwxrwxr-x    1 nobody   www-data        24 Oct  2 06:30 tpl
drwxrwxr-x    5 nobody   www-data        90 Oct  2 06:30 vendor
/var/www $ ls -la /srv/data/
total 24
drwxrwx---   86 nobody   www-data      4096 Oct  2 08:53 .
drwxr-xr-x    1 root     root            17 Oct  2 06:30 ..
-rw-r--r--    1 nobody   nobody          19 Oct  1 15:07 .htaccess
-rw-r-----    1 nobody   www-data        45 Oct  2 08:53 purge_limiter.php
-rw-r-----    1 nobody   www-data       522 Oct  2 08:08 salt.php
-rw-r-----    1 nobody   www-data       130 Oct  2 08:53 traffic_limiter.php

Docker PrivateBin error with exit code 1

Trying to host PrivateBin on my RPi4, I get an error and it exits with code 1:

privatebin     | [10-Jun-2021 00:27:29] NOTICE: fpm is running, pid 38
privatebin     | [10-Jun-2021 00:27:29] NOTICE: ready to handle connections
privatebin     | [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
privatebin     | s6-svscan: warning: unable to iopause: Invalid argument
privatebin     | s6-svscan: warning: executing into .s6-svscan/crash
privatebin     | [s6-init] ensuring user provided files have correct perms...s6-svscan panicked! Dropping to a root shell.
privatebin     |
privatebin     | /bin/sh: can't access tty; job control turned off
privatebin     | /run/s6/services $
privatebin     | [10-Jun-2021 00:27:32] NOTICE: fpm is running, pid 43
privatebin     | [10-Jun-2021 00:27:32] NOTICE: ready to handle connections
privatebin     | [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
privatebin     | s6-supervise nginx: warning: can't happen: timeout while the service is up!
privatebin     | s6-supervise php-fpm8: warning: can't happen: timeout while the service is up!
privatebin     | s6-svscan: warning: unable to iopause: Invalid argument
privatebin     | s6-svscan: warning: executing into .s6-svscan/crash
privatebin     | [s6-init] ensuring user provided files have correct perms...s6-svscan panicked! Dropping to a root shell.

I am using docker-compose, it looks like this:

privatebin:
    image: privatebin/nginx-fpm-alpine:latest
    container_name: privatebin
    volumes:
      - ./privatebin:/srv/data
    ports:
      - "8085:8080"

Use multiple RUN commands instead of && concatenation

AFAIK Docker already checks the exit code and cancels the build process for creating an image when there is a non-zero exit code.

So there is no reason to use that huge long chain of && concatenations in the Dockerfile; it just makes it less readable.

error on raspberry pi 3b+

Image doesn't work on raspberry pi 3b+. I tested latest and edge tags.
logs:

s6-svscan: warning: unable to iopause: Operation not permitted
s6-svscan: warning: executing into .s6-svscan/crash
s6-supervise php-fpm8: fatal: unable to iopause: Operation not permitted
s6-svscan panicked! Dropping to a root shell.

s6-supervise nginx: fatal: unable to iopause: Operation not permitted
/bin/sh: can't access tty; job control turned off
/run/s6/services $

Document and standardize image tags

Ensure the README.md (incl. docker hub description) documents what tags exist and what use cases they cover. See also the guidelines for docker hub community images for examples.

ZAP Full Scan Report

View the following link to download the report.
RunnerID:762181501

Docker Conf.php doesn't get applied

Hello, I have the same problem: my docker container does not load the config. Unfortunately I do not understand why. I have checked the mount path, the env variable and the config file. Is there anything I have to pay attention to with docker?

Smoke test for Docker image

To catch errors such as #75, I propose our CI should also start the image and do some sort of smoke test, so that we know the image is actually startable.

E.g. start the image, do some curl on the port.

This could e.g. be implemented as a health check (not to be delivered though, e.g. in a docker-compose or just CLI stuff) or just a shell script…

Alpine linux vulnerabilities

According to AWS ECR this image has the following vulnerabilities:

https://gitlab.alpinelinux.org/alpine/aports/-/commit/b9e335a9e8fba2cf8dbb6faa8e01a189f2eb390a (3.12-stable)
Fixes: CVE-2020-14363

https://alpinelinux.org/posts/Alpine-3.12.1-released.html
Fixes: CVE-2020-24977

https://git.alpinelinux.org/aports/commit/?id=d435959ada011bdf44a535aa1297ad86d0f0f235 (not released)
Fixes: CVE-2020-15999

Using this to track; will try to test with 3.12.1 when I get a chance.

Fresh install from docker ; cannot paste anything

Steps to reproduce

  1. Install PrivateBin with docker
  2. As root, create the folder to store the pastes: mkdir /var/pastes
  3. Run it with docker run -d --restart="always" --read-only -p 8080:8080 -v /var/pastes:/srv/data privatebin/nginx-fpm-alpine
  4. After the paste fails, just to be sure, change the permissions on /var/pastes with chown root:www-data /var/pastes; it still fails with the error message "Could not create paste: server error or not responding."

What happens

Try to paste anything, with or without password, and you get "Could not create paste: server error or not responding."
The console reports an Internal Server Error

What should happen

It would save the paste

Additional information

The log from the console:

 error Internal Server Error privatebin.js:4422:25
    run https://p.serv.com/js/privatebin.js?1.3.4:4422
    jQuery 6
        c
        fireWith
        l
        o
        (Asynchrone : EventHandlerNonNull)
    send
        ajax
    run https://p.serv.com/js/privatebin.js?1.3.4:4421
    sendPaste https://p.serv.com/js/privatebin.js?1.3.4:4858
    jQuery 9
        dispatch
        handle
        (Asynchrone : EventListener.handleEvent)
    add
        Ae
        each
        each
        Ae
        on
        n
    init https://p.serv.com/js/privatebin.js?1.3.4:4295
    init https://p.serv.com/js/privatebin.js?1.3.4:5316
    <anonyme> https://p.serv.com/js/privatebin.js?1.3.4:42
    jQuery 13
        e
        t
        (Asynchrone : setTimeout handler)
    l
        c
        fireWith
        fire
        c
        fireWith
        ready
        B
        (Asynchrone : EventListener.handleEvent)
    <anonyme>
        <anonyme>
        <anonyme>

I'm not sure where to find the php log in that docker installation.

Basic information

Server address:

Server OS: Debian buster

Webserver: Apache

Browser: Firefox 82.0b2

PrivateBin version: 1.3.4

I can reproduce this issue on https://privatebin.net: No

Readme 'Custom Configuration' Inaccuracies

Hi,

I have just been trying to deploy this docker image on Unraid and tried following the instructions below for altering the config file.

Custom configuration

In case you want to use a customized conf.php file, for example one that has file uploads enabled or that uses a different template, add the file as a second volume:

docker run -d --restart="always" --read-only -p 8080:8080 -v conf.php:/srv/cfg/conf.php:ro -v privatebin-data:/srv/data privatebin/nginx-fpm-alpine

Note: The Filesystem data storage is supported out of the box. The image includes PDO modules for MySQL, PostgreSQL and SQLite, required for the Database one, but you still need to keep the /srv/data persisted for the server salt and the traffic limiter.

Unfortunately that never worked for me. So after some contemplating I wiped the container, mounted the /srv/cfg folder, added the sample conf.php to this directory, changed file uploads to true, restarted the container, and it finally worked.

-v '/mnt/user/appdata/privatebin/cfg':'/srv/cfg':'rw'

CVE-2019-11043: PHP-FPM arbitrary code execution vulnerability

There is a new PHP/nginx vulnerability that might affect Privatebin Docker.

PHP bugtracker: https://bugs.php.net/bug.php?id=78599
Exploit PoC: https://github.com/neex/phuip-fpizdam
An example vulnerable docker-compose env: https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043

The solution according to this article is:

On October 24, PHP 7.3.11 (current stable) and PHP 7.2.24 (old stable) were released to address this vulnerability along with other scheduled bug fixes. Those using nginx with PHP-FPM are encouraged to upgrade to a patched version as soon as possible.

If patching is not feasible, the suggested workaround is to include checks to verify whether or not a file exists. This is achieved either by including the try_files directive or using an if statement, such as if (-f $uri).

This is how Nextcloud handles the issue: https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/

Broken image

Hello, coming back with my regular issue!

With the latest privatebin/nginx-fpm-alpine image:

The logs do not print anything usable for me:

[05-May-2021 15:26:11] NOTICE: fpm is running, pid 39
[05-May-2021 15:26:11] NOTICE: ready to handle connections
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
s6-supervise php-fpm8: warning: can't happen: timeout while the service is up!
s6-supervise nginx: warning: can't happen: timeout while the service is up!
s6-svscan: warning: unable to iopause: Invalid argument
s6-svscan: warning: executing into .s6-svscan/crash
[s6-init] ensuring user provided files have correct perms...s6-svscan panicked! Dropping to a root shell.

/bin/sh: can't access tty; job control turned off
/run/s6/services $

Any lead?

bind() to 0.0.0.0:80 failed (13: Permission denied)

There was an error in the logs:
[emerg] 215#215: bind() to 0.0.0.0:80 failed (13: Permission denied)

The container is broken. Please fix!

Container start cmd:

docker run -d --restart="always" --name privatebin --read-only -p 127.0.0.1:8080:80 -v privatebin-data:/srv/data privatebin/nginx-fpm-alpine:1.3.1

Webpage fails to load

Steps to reproduce

  1. Install container
  2. Run container
  3. Open web page, and go to privatebin URL

What happens

Web page fails to load

What should happen

Web page should load

Additional information

Originally I did have this working, but I was trying to get the conf.php file working and may have done something incorrectly.
Container log below.

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/php-fpm7/run: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/nginx/run: Operation not permitted
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] done.
[services.d] starting services
[services.d] done.
2020/07/15 08:18:28 [warn] 182#182: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
[15-Jul-2020 08:18:28] NOTICE: [pool www] 'user' directive is ignored when FPM is not running as root
[15-Jul-2020 08:18:28] NOTICE: [pool www] 'user' directive is ignored when FPM is not running as root
[15-Jul-2020 08:18:28] NOTICE: [pool www] 'group' directive is ignored when FPM is not running as root
[15-Jul-2020 08:18:28] NOTICE: [pool www] 'group' directive is ignored when FPM is not running as root
[15-Jul-2020 08:18:28] NOTICE: fpm is running, pid 181
[15-Jul-2020 08:18:28] NOTICE: ready to handle connections
2020/07/15 08:22:14 [error] 197#197: *1 FastCGI sent in stderr: "PHP message: PHP Warning: parse_ini_file(/srv/cfg/conf.php): failed to open stream: No such file or directory in /srv/lib/Configuration.php on line 121PHP message: PHP Warning: array_key_exists() expects parameter 2 to be array, bool given in /srv/lib/Configuration.php on line 123PHP message: PHP Fatal error: Uncaught Exception: PrivateBin requires configuration section [main] to be present in configuration file. in /srv/lib/Configuration.php:124
Stack trace:
#0 /srv/lib/Controller.php(161): PrivateBin\Configuration->__construct()
#1 /srv/lib/Controller.php(121): PrivateBin\Controller->_init()
#2 /var/www/index.php(18): PrivateBin\Controller->__construct()

}
thrown in /srv/lib/Configuration.php on line 124" while reading response header from upstream, client: 172.21.0.14, server: , request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm.sock:", host: "paste.hardnet.nz"
172.21.0.14 - - [15/Jul/2020:08:22:14 +0000] "GET / HTTP/1.1" 500 5 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0" "101.98.39.190, 198.41.238.123"
2020/07/15 09:22:48 [error] 197#197: *3 FastCGI sent in stderr: "PHP message: PHP Warning: parse_ini_file(/srv/cfg/conf.php): failed to open stream: No such file or directory in /srv/lib/Configuration.php on line 121PHP message: PHP Warning: array_key_exists() expects parameter 2 to be array, bool given in /srv/lib/Configuration.php on line 123PHP message: PHP Fatal error: Uncaught Exception: PrivateBin requires configuration section [main] to be present in configuration file. in /srv/lib/Configuration.php:124

Basic information

Server address: paste.hardnet.nz

Server OS: Unraid/Slackware

Webserver: nginx (via LS.io LetsEncrypt container)

Browser: FireFox 78.0.2

PrivateBin version: dockerhub version

I can reproduce this issue on https://privatebin.net: No

Add two storage backend flavours of the image: filesystem-backend-only image and GCS image

The current image supports both the default filesystem and the optional Postgres and MySQL PDO backends. The Google Cloud Storage backend, which was recently added in the development branch of PrivateBin, requires the installation of a relatively large PHP library, which is not included in the PrivateBin release.

In order not to break current behaviour, I suggest we keep the current "default" image tags as they are and let this serve as the "DB backend" flavour. In addition, we could also publish two additional flavours:

  1. An image without the PDO modules, only supporting the filesystem backend. This lowers the size and attack surface of the image.
  2. An image without the PDO modules, but including the library needed for the Google Cloud Storage backend.

This is related to #40 in that we should consider these 3 flavours in a tag naming scheme. One idea could be to add a suffix for the two backend flavours, for example:

image type / storage backend      PDO       filesystem only       GCS
release (on alpine stable)        1.3.5     1.3.5-file-store      1.3.5-gcs-store
edge (release on alpine edge)     edge      edge-file-store       edge-gcs-store
nightly (dev on alpine stable)    nightly   nightly-file-store    nightly-gcs-store

Does anyone have suggestions for such suffixes? Do suffixes make sense or would another scheme to distinguish the image flavours make more sense?

The docker image starts nginx before php-fpm leading to 502 gateway not found

Steps to reproduce

  1. Deploy PrivateBin to Google Cloud Run
  2. Run an intense load test with 50 concurrent users
$ go install github.com/k6io/xk6/cmd/xk6@latest
$ xk6 build --with github.com/binxio/[email protected]
$ cat > test.js <<'!'
import http from 'k6/http';
import {
    sleep,
    check
} from 'k6';
import privatebin from 'k6/x/privatebin';


export default function() {
    // PrivateBin answers with JSON only when this header is present
    var params = {
        headers: {
            'X-Requested-With': 'JSONHttpRequest',
        },
    };
    // the xk6 extension builds the encrypted paste body; the server never sees the plaintext
    var paste = privatebin.encrypt("hello world!");

    var result = http.post('https://privatebin.net', paste.body, params);
    if (check(result, {
            'post status 200': (r) => r.status === 200,
            'post ok': (r) => r.headers['Content-Type'].startsWith('application/json') && r.json().status === 0,
        })) {
        // read the paste back and compare the authenticated data with what was sent
        var url = `${result.url}?${result.json().id}`;
        var result = http.get(url, params);
        if (!check(result, {
                'get status 200': (r) => r.status === 200,
                'get data equal': (r) => r.headers['Content-Type'].startsWith('application/json') && JSON.stringify(r.json().adata) === JSON.stringify(JSON.parse(paste.body).adata)
            })) {
            console.log(result.url);
            console.log(result.body);
        }
    } else {
        console.log(JSON.stringify(result));
    }
    sleep(0.5);
}
!
$ ./k6 run -u 50 -i 1000 test.js

What happens

The first calls to PrivateBin will return a 502, as nginx is accepting the http requests but php-fpm has not completed the initialization and /var/run/php-fpm.sock is not available.

<html>
   <head><title>502 Bad Gateway</title></head>
   <body>
       <center><h1>502 Bad Gateway</h1></center>
       <hr>
       <center>nginx</center>
   </body>
</html>

Once php-fpm is up, privatebin starts functioning properly.

Additional information

I added the following script to the container:

#!/bin/sh
test -S /var/run/php-fpm.sock || (echo "waiting on /var/run/php-fpm.sock" >&2 && sleep 1 && exit 1)

And changed /etc/s6/services/nginx/run to include an if statement:

#!/usr/bin/execlineb -P
if { /usr/local/bin/php-fpm-sock-is-available }
/usr/sbin/nginx

Basic information

Server OS: alpine:3.13

Webserver: nginx installed with alpine 3.13

PrivateBin version: 1.3.5

I cannot reproduce this issue on https://privatebin.net as this only occurs on the bootstrap of PrivateBin (easily reproducible on Google Cloud Run).
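The readiness gate described in this issue, written out as an added stand-alone example (it is neither the issue author's script nor part of the image, which ships no Python): like the execline wrapper above it waits for php-fpm's socket, but it additionally opens a connection to it, because a socket file left behind in a persistent /run by an earlier run passes `test -S` while nothing is listening on it. The socket path and the 10 s default timeout are assumptions; `demo()` exercises the missing, listening and stale states against a throwaway socket created in a temporary directory.

```python
import os
import socket
import stat
import sys
import tempfile
import time


def socket_accepts(path: str, connect_timeout: float = 0.2) -> bool:
    """True only if `path` is a unix socket AND a process accepts connections on it.

    A bare existence check (test -S) is fooled by a stale socket file; the
    connect() is what proves php-fpm is actually up.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISSOCK(st.st_mode):
        return False
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as probe:
        probe.settimeout(connect_timeout)
        try:
            probe.connect(path)
        except OSError:          # ECONNREFUSED on a stale file, EACCES, timeout, ...
            return False
    return True


def wait_for_socket(path: str, timeout: float = 10.0, interval: float = 0.1) -> bool:
    """Poll until the socket accepts connections or `timeout` seconds elapse."""
    deadline = time.monotonic() + timeout
    while True:
        if socket_accepts(path):
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)


def demo() -> dict:
    """Exercise all three states with a constructed socket in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "php-fpm.sock")   # assumed name, mirrors the image's socket
        result = {}
        result["missing"] = wait_for_socket(path, timeout=0.3)      # nothing bound yet
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(path)
        listener.listen(1)                                          # stands in for php-fpm
        result["listening"] = wait_for_socket(path, timeout=1.0)
        listener.close()                                            # file stays behind, like a stale /run
        result["stale_exists"] = os.path.exists(path)
        result["stale_accepts"] = socket_accepts(path)
        return result


if __name__ == "__main__":
    # usage: php-fpm-sock-is-available.py [/run/php-fpm.sock]; exits non-zero while not ready,
    # which is exactly what an s6 run script's `if { ... }` gate needs to keep retrying
    sock = sys.argv[1] if len(sys.argv) > 1 else "/run/php-fpm.sock"
    sys.exit(0 if wait_for_socket(sock, timeout=30.0) else 1)
```

Used as the gate, the script replaces the one-line `test -S` check: it exits non-zero until the probe succeeds, so s6 keeps re-running the nginx run script, and it refuses to start nginx against a stale socket file. Porting the connect probe to the Alpine image needs a tool that can open unix sockets from a shell, which is why the example itself stays in Python.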

ZAP Full Scan Report

View the following link to download the report.
RunnerID:1272078982

Provide an arm32v7 image

Given that both the php image as well as the underlying alpine image support the arm 32bit v7 CPU architecture, it should be possible to build such an image without major changes to the existing Dockerfile.

This would allow Raspberry Pi users to easily install PrivateBin as a docker container for use at home.

Could not create paste: server error or not responding on Google Instance

Steps to reproduce

  1. I installed PrivateBin with Docker on Google Cloud.
  2. Trying to create a new bin throws an error.

What happens

I'm getting "Could not create paste: server error or not responding".

What should happen

It should create a new bin.

Additional information

I'm creating container with
docker run --name privatebin -d --restart="always" -u 0 -p 8099:8080 -v /data/privatebin:/srv/data privatebin/nginx-fpm-alpine

Console:

error Internal Server Error privatebin.js:4422:25
    run https://privatebin4455.kabadayiapps.tools/js/privatebin.js?1.3.4:4422
    jQuery 4

Network: [screenshot]

I'm using Nginx Proxy Manager with Let's Encrypt. It exposes port 443 but I'm not using it. I exposed 22, 80, 443 and 8099 on my instance.

Here is my container: [screenshot]

Basic information

Server address:
privatebin4455.kabadayiapps.tools

Server OS:

NAME="Ubuntu"
VERSION="18.04.4 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.4 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

Webserver:

Browser:
Firefox 76.0.1 (32-bit)

PrivateBin version:
1.3.4
I can reproduce this issue on https://privatebin.net: No

Problem running version 1.3.5-alpine3.14.2

When the container is starting it gives the following message:
s6-linux-init: fatal: unable to copy /etc/s6-linux-init/current/run-image to /run: Operation not permitted

When I revert to 1.3.5-alpine3.13 all run fine.

How to run this on docker-compose traefik?

Hi!

I am trying to get this to work on my server (which uses traefik), but first I'm trying it on localhost on my laptop.

So I made this.

version: "3"
services:

  app:
    image: privatebin/nginx-fpm-alpine
    networks:
      - srv
    volumes:
      - '$PWD/paste:/srv/data'
    labels:
        - traefik.frontend.rule=Host:pbb.localhost
        - traefik.docker.network=srv
        - traefik.port=8080


networks:
  srv:
    external: true

But for some reason I just get Bad Gateway.

Unprivileged Image

Hello,

the current image sets a required CAP on the NGINX binary (https://github.com/PrivateBin/docker-nginx-fpm-alpine/blob/master/Dockerfile#L53).
When running PrivateBin on a Kubernetes cluster with a hardened PSP, you might not have access to such a CAP (which is only required to listen on ports < 1024).

It could be nice to provide an image without this requirement for those of us with this kind of security constraints.

I rebuilt the image without the setcap line, and removed this line as well for our use case: https://github.com/PrivateBin/docker-nginx-fpm-alpine/blob/master/etc/nginx/sites-available/site.conf#L2

s6-rc: fatal: unable to take locks: Permission denied

The 'latest' tag is throwing the following error:
s6-rc: fatal: unable to take locks: Permission denied

Same container config rolled back to tag '1.3.5' works fine.

Thanks for this great container / software. I've been using it for years and this is the first issue I've encountered. Hopefully not user error :P

This occurs with any UID I've tried so far (0, default and 1000)

Nightly builds for multi-architecture images

Hello,

I saw that you recently built a multi-architecture container image using buildx. I use arm64 and I would like to always have the latest image to stay up to date with security issues.

To stay up to date as much as possible and pull in updates from the alpine image and the software you install inside it, would it be possible to set up nightly builds with a GitHub action, for example? I would be willing to write and maintain an action using this to have nightly automated builds.

How to mount conf.php as second volume

Hi, I installed this docker container on my Synology NAS. Could you please help me with how to mount a custom conf.php?

I mounted the file like this:
file: docker/privatebin/conf.php
mount-point: /conf.php
permission: rw

but I can't see my changes.

Thanks for helping me out.

ppc64le image in Alpine 3.14

The ppc64le image fails to build on Alpine 3.14 due to an issue with the alpine build systems causing a missing package in that release. edge and the older 1.3.5-alpine3.13 are still available for that architecture. For now I'll disable that architecture, so the others get their 3.14 based image.

Customized conf.php not loaded

Basically, the same issue as in #60: The latest Docker images don't correctly load the customized conf.php file (mounted to /srv/cfg/conf.php).

I had the same issue about a month ago, which was fixed after a specific update, then having another one recently.
I also tried to modify the file/folder permissions (UID 65534 / GID 82). I suppose there is a problem inside the container images, which prevents it from loading external config files.

conf.php example doesn't seem to work

Steps to reproduce

  1. Install private bin
  2. Copy to installation and restart

What happens

Page fails to load properly

What should happen

Page should load in a normal manner with a default set of options that can then be tweaked

Additional information

Using docker, I mount conf.php in /srv/cfg/conf.php since my index.php has /srv/ listed as the location for data

conf.php is populated with a carbon copy of conf.php

Basic information

(not my pb instance!)
https://paste.d4v.is/?b7ff7bb935007854#2vp6RrXCAKTQXcetD8yeZ3MymjkUJo8Dz1HXGSfM2gMf

Screenshots:
with conf.php mounted:
https://i.ibb.co/q1nSdpk/pberror1.png

without conf.php mounted:
https://i.ibb.co/Mgs0CNZ/pberror2.png

Server address:

Server OS:
Debian10

Webserver:
PB docker image + traefik

PrivateBin version:
Latest container

I can reproduce this issue on https://privatebin.net: No, not relevant

I apologise if this is user error (it almost certainly is) but I have been struggling with it for a while now and as such can only use PB in the default config where I don't specify conf.php.

I have tried editing conf.php in every way I can think of to try and get it to load and it does not. I have also tried editing ./lib/Configuration.php directly and no joy.

Chromium-based Edge seems not supported

I used docker to run the image like this:

docker run -d --restart="always" --read-only -p 8080:8080 -v $PWD/conf.php:/srv/cfg/conf.php:ro -v $PWD/privatebin-data:/srv/data privatebin/nginx-fpm-alpine

I have disabled httpwarning in conf.php, but when I opened http://mydomain:8080 in the new Edge (Chromium-based), it showed an error that "PrivateBin requires a modern browser to work". When I opened http://mydomain:8080 with Safari on my iPad (iOS 14.6), it worked without any error.

OS: Windows 10 19043.1023
Chromium-based Edge Version: 91.0.864.37
Language: ZH_CN
