Argh
Sat, 12 Dec 2020 00:00:19 +0000
Post title is more expressive than illuminating, sorry
I have just spent a very long time trying to figure out why `nix-channel --update` on my personal channel for nixos config was failing with 500 errors.
- the virtual host is protected with http basic auth
- the password file is in `/home/git/htpasswd`
- permissions are all fine, parent directory perms are good too
- I verified that `sudo -u nginx cat /home/git/htpasswd` works - nginx is not chrooted or using systemd containment or ...
- I even straced the daemon
openat(AT_FDCWD, "/home/git/htpasswd", O_RDONLY) = -1 EACCES (Permission denied)
It turns out to be due to this magic morsel in the nginx systemd unit
ProtectHome=true
Now I'm sure (actually, I'm not) that this is a reasonable default behaviour for a daemon that perhaps should not be able to read users' home files, but - I am struggling to avoid swearing in print here - would it kill you to print an error message that has at least some vague hint somewhere of what the error might be?
Pardon typos. It's too late for this shit, am going to bed now. Maybe tomorrow I'll be able to do my upgrades and get back to hacking my thermometer.
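The failure mode above can be checked for directly: the following is an added example, not code from the original post, that reads a unit's sandboxing properties and reports whether one of them, rather than file permissions, hides a given path. The helper name `sandbox_blocks_path` is hypothetical and the sample property text is constructed; it assumes the KEY=VALUE output format of `systemctl show`.

```shell
#!/bin/sh
# Added example (not from the post): decide whether systemd sandboxing,
# rather than file permissions, hides a path from a unit's processes.

# Constructed sample in the KEY=VALUE form printed by
#   systemctl show nginx -p ProtectHome -p InaccessiblePaths
SAMPLE_SHOW='ProtectHome=yes
InaccessiblePaths='

# sandbox_blocks_path PROPS PATH  (hypothetical helper name)
# Prints the directive that hides PATH and returns 0, or returns 1 if neither
# ProtectHome= nor InaccessiblePaths= covers it.
sandbox_blocks_path() {
    props=$1
    path=$2
    protect_home=$(printf '%s\n' "$props" | sed -n 's/^ProtectHome=//p' | tail -n 1)
    case $protect_home in
        # yes/true: /home, /root and /run/user become inaccessible and empty.
        # tmpfs: an empty tmpfs is mounted over them, so files vanish instead.
        # read-only still allows reads, so it is not matched here.
        yes|true|tmpfs)
            case $path in
                /home|/home/*|/root|/root/*|/run/user|/run/user/*)
                    echo "ProtectHome=$protect_home"
                    return 0 ;;
            esac ;;
    esac
    # InaccessiblePaths= is space-separated; a leading - or + is a modifier.
    for entry in $(printf '%s\n' "$props" | sed -n 's/^InaccessiblePaths=//p'); do
        entry=${entry#[-+]}
        case $path in
            "$entry"|"$entry"/*)
                echo "InaccessiblePaths=$entry"
                return 0 ;;
        esac
    done
    return 1
}

# The failing open() from the strace line in the post:
sandbox_blocks_path "$SAMPLE_SHOW" /home/git/htpasswd
```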