securing PrivateBin installation, by moving unneccessary bits out of the web root, making image support read-only operation, consistent white spaces in nginx config

privatebin/Dockerfile

@@ -12,23 +12,29 @@ ENV GID=991 UID=991 \
 
 RUN BUILD_DEPS="tar gnupg" \
  && apk -U upgrade && apk add $BUILD_DEPS \
- && mkdir privatebin && cd privatebin \
+ && mkdir -p privatebin/data privatebin/cfg \
  && export GNUPGHOME="$(mktemp -d)" \
  && gpg2 --list-public-keys || /bin/true \
  && wget -qO- https://privatebin.info/key/security.asc | gpg2 --import - \
  && wget -qO /privatebin.tar.gz.asc https://github.com/PrivateBin/PrivateBin/releases/download/${PRIVATEBIN_VER}/PrivateBin-${PRIVATEBIN_VER}.tar.gz.asc \
  && wget -qO /privatebin.tar.gz https://github.com/PrivateBin/PrivateBin/archive/${PRIVATEBIN_VER}.tar.gz \
  && gpg2 --verify /privatebin.tar.gz.asc \
+ && cd srv \
  && tar -xzf /privatebin.tar.gz --strip 1 \
- && mv cfg/conf.sample.php cfg/conf.php \
+ && mv cfg /privatebin \
+ && mv lib /privatebin \
+ && mv tpl /privatebin \
+ && mv vendor /privatebin \
+ && sed -i "s#define('PATH', '');#define('PATH', '/privatebin/');#" index.php \
  && apk del $BUILD_DEPS \
- && rm -rf /var/cache/apk/* /privatebin.tar.gz* "${GNUPGHOME}"
+ && rm -rf /var/cache/apk/* *.md /privatebin.tar.gz* "${GNUPGHOME}"
 
 COPY rootfs /
 
 RUN chmod +x /usr/local/bin/run.sh /etc/s6.d/*/* /etc/s6.d/.s6-svscan/*
 
-VOLUME /privatebin/data /php/session
+# mark dirs as volumes that need to be writable, allows running the container --read-only
+VOLUME /privatebin/data /php /nginx /tmp /etc/s6.d
 
 EXPOSE 8888
 

privatebin/rootfs/nginx/sites-enabled/nginx.conf

@@ -1,33 +1,33 @@
 server {
-        listen 8888;
-        root /privatebin;
-        index index.php index.html;
+    listen 8888;
+    root /srv;
+    index index.php;
 
-        location ~* \.(jpg|jpeg|gif|css|png|js|map|woff|woff2|ttf|svg|eot)$ {
-            expires 30d;
-            access_log off;
-	}
+    location ~* \.(jpg|jpeg|gif|css|png|js|map|woff|woff2|ttf|svg|eot)$ {
+        expires 30d;
+        access_log off;
+    }
 
-        location ~ ^/(data|cfg|tmp) {                                        
-            deny all;                                                        
-        }                                                                    
-                                                                             
-        location ~* /(.*)\.(?:markdown|md|twig|yaml|yml|ht|htaccess|ini)$ {  
-            deny all;                                                        
-        } 
-    
-        location ~ /\. {
-            deny all;
-        }
+    location ~ ^/(data|cfg|tmp) {
+        deny all;
+    }
 
-        location / {
-	    try_files $uri $uri/ /index.php;
-        }
+    location ~* /(.*)\.(?:markdown|md|twig|yaml|yml|ht|htaccess|ini)$ {
+        deny all;
+    }
 
-	location ~ \.php$ {
-            fastcgi_index index.php;
-            fastcgi_pass unix:/php/run/php-fpm.sock;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            include /nginx/conf/fastcgi_params;
-	}
+    location ~ /\. {
+        deny all;
+    }
+
+    location / {
+        try_files $uri $uri/ /index.php;
+    }
+
+    location ~ \.php$ {
+        fastcgi_index index.php;
+        fastcgi_pass unix:/php/run/php-fpm.sock;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        include /nginx/conf/fastcgi_params;
+    }
 }

privatebin/rootfs/usr/local/bin/run.sh

@@ -6,5 +6,5 @@ sed -i -e "s/<UPLOAD_MAX_SIZE>/$UPLOAD_MAX_SIZE/g" /nginx/conf/nginx.conf /php/e
        -e "s/<PHP_MIN_SPARE_SERVERS>/$PHP_MIN_SPARE_SERVERS/g" /php/etc/php-fpm.conf \
        -e "s/<PHP_MAX_SPARE_SERVERS>/$PHP_MAX_SPARE_SERVERS/g" /php/etc/php-fpm.conf
 
-chown -R $UID:$GID /privatebin /nginx /php /tmp /etc/s6.d
+chown -R $UID:$GID /privatebin/data /nginx /php /tmp /etc/s6.d
 exec su-exec $UID:$GID /bin/s6-svscan /etc/s6.d