Problems with installation

[sebie]

The installation instructions, I think, are incorrect.
After reading #80 I found out that you need a /tmp?
Would anyone mind writing a guide as to how to install it?

Thanks,

Sebie

[Mikaela]

for me it was just cd /var/www/ and git clone https://github.com/sebsauvage/ZeroBin.git and configuring vhost to nginx (which is optional and git clone to web server directory should be enough).

My vhost configuration if it interests you is below.

server {
    listen 80;
    listen [::]:80;
    listen 443;
    listen [::]:443;

    root /var/www/ZeroBin/;
    index index.php index.html index.htm;

    server_name zero.mikaela.info zerobin.mikaela.info;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        autoindex off;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
       fastcgi_split_path_info ^(.+\.php)(/.+)$;
    #   # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
    #
    #   # With php5-cgi alone:
    #    fastcgi_pass 127.0.0.1:9000;
    #   # With php5-fpm:
       fastcgi_pass unix:/var/run/php5-fpm.sock;
       fastcgi_index index.php;
       #include fastcgi_params;
       include fastcgi.conf;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
       deny all;
    }
}

[sebie]

Ok thanks for the reply, will try this later week (when I have time).

[Popolon]

In fact, you need to create two directories with writing permission for web server :

• tmp
• data

[sebie]

Mind providing steps on how you did it @sebsauvage ?

It would be appreciated greatly.

[Popolon]

Well, in my sense, this piece of software has great security concerns, because the directories tmp and data where you give the web server write permission countains (autogenerated) php scripts.

• This means than you give permission to execute script on a directory where the webserver can write
• This means than if there is a whole somewhere in the server applications that can be exploited, the attacker can place a script in this directory and will be able to execute it localy by a remote call.

[axilleas]

I didn't encounter this issue those two dirs were created automatically. Perhaps if the dir doesn't have the right permissions, it gets skipped.

[sebie]

Might try it again, if it is working for y'all.

[drewbeer]

if you are using nginx, you should deny web access to /data/ and /tmp/ that way they are not browsable.

[creafrog]

Oh yeah tks 4 patch drewbeer ;)

[sebie]

Thanks for the help, I got it working for what I needed.