Oh, I almost forgot to tell you (in particular you, @saper, since you spent a lot of time trying to help me with this, thanks again), I finally found the cause of that mysterious and hair-tearing bug that stopped PHP running as a user from reading a +r file that user owned!
NixOS was generating the systemd unit corresponding to my PHP service with a `ProtectHome = true` line in it to make sure that PHP couldn't read anything in my home directory.
Problem: this is a server that we share with some friends, and so each of us deploys their own services (git, blogs, etc.) in their own directory (because the point of permissions is not to have to sudo all the time).
@bortzmeyer @saper Security is a good thing. It's annoying, but it's a good thing. But I think the issue here isn't security, it's the second-most difficult problem of IT (after naming, obviously): reporting errors.
Systemd allows doing something nice to enhance security. The person who wrote the NixOS module to run PHP used it to be safe by default, which is great.
In the end, I struggled to get the slightest meaningful error line, and all I got was this «Permission denied».
Which was true from the point of view of the process logging it, but lacked the link between this low-level error and the big-picture security policy.
@saper @bortzmeyer Hmm, possible, but I have no idea how exactly I would have done that. Can you recommend a specific tool or technique?
@Sasha @bortzmeyer In short, I forgot to tell you to check the kernel namespaces of the process :)
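The two checks the thread ends on, as an added example that is not part of any post above: compare a process's namespaces with those of PID 1 (a service under `ProtectHome=`, `PrivateTmp=` and similar directives lives in its own mount namespace, so "Permission denied" on a world-readable file is the sandbox, not the file mode), and list which sandboxing directives systemd actually applied to the unit. It assumes Linux with `/proc` and `systemctl`; the unit name and PID are placeholders you supply, and reading `/proc/1/ns/*` normally requires root.

```sh
#!/bin/sh
# Added example, not from the thread: diagnose systemd sandboxing of a service.
# Assumes Linux /proc and systemd. Unit name and PID are supplied by the caller.

# Namespace identity of a PID, e.g. "mnt:[4026531840]"; empty if unreadable.
ns_id() {
    pid="$1"; ns="$2"
    readlink "/proc/$pid/ns/$ns" 2>/dev/null || true
}

# Succeed (0) when two PIDs share the given namespace; fail (1) when they differ
# or when the link could not be read (non-root reading another user's process).
same_ns() {
    a=$(ns_id "$1" "$3"); b=$(ns_id "$2" "$3")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Compare every namespace type of a PID against PID 1. A differing "mnt" entry
# means the process sees a different filesystem tree than your shell does, which
# is exactly what ProtectHome= does to /home, /root and /run/user.
report_ns() {
    pid="$1"
    for ns in mnt pid net ipc uts user cgroup; do
        if same_ns 1 "$pid" "$ns"; then
            echo "$ns: shared with init"
        else
            echo "$ns: differs from init (sandboxed, or not readable as this user)"
        fi
    done
}

# Show the sandboxing directives systemd resolved for a unit. ProtectHome=yes
# (what NixOS generated here) hides /home entirely; the usual fixes are an
# override via `systemctl edit <unit>` setting ProtectHome=read-only or adding
# BindReadOnlyPaths=/home/<user>/site for just the directory the service needs.
report_sandboxing() {
    unit="$1"
    systemctl show -p ProtectHome -p ProtectSystem -p PrivateTmp -p DynamicUser \
        -p NoNewPrivileges -p ReadWritePaths -p BindReadOnlyPaths "$unit"
}

# Usage: ./check-sandbox.sh <pid> [unit]   (placeholder values, run as root)
if [ "$#" -ge 1 ]; then
    report_ns "$1"
    [ "$#" -ge 2 ] && report_sandboxing "$2"
fi
```

Run it against the PID of the PHP worker (`systemctl status <unit>` prints the main PID) and the unit name; a `mnt` line that differs from init together with `ProtectHome=yes` in the second report is the link between the low-level "Permission denied" and the policy that caused it.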