Builds for shells or packages fail due to incorrect permissions in /private/tmp

I’m consistently getting errors on my machine when trying to build a devshell or package. Everything I build returns the following error:

~ nix develop
error:
       … while setting up the build environment

       error: getting attributes of path '/private/tmp/nix-build-nix-shell-env.drv-5/build': Permission denied

The exact error message changes depending on the shell/configuration/package, but always points to /private/tmp/SOMETHING.drv-NUMBER/build

This seems to be an issue with my setup more than anything else, but I can’t seem to figure it out.

My setup is an M1 MBP with macOS Sonoma 14.5 (23F79) running Nix 2.18.4 with nix-darwin.
A friend with another Apple device running Sonoma 14.5 doesn’t have the same issue when running the same devshell.

The most minimal flake that has this issue is the following; it gives the error shown above.

{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
  };
  outputs = { self, nixpkgs }: {
    devShells.aarch64-darwin.default = nixpkgs.legacyPackages.aarch64-darwin.mkShell {
      buildInputs = [ nixpkgs.legacyPackages.aarch64-darwin.nixpkgs-fmt ];
    };
  };
}

In this example the version of nixpkgs doesn’t seem to matter; nixpkgs-24.05 gives the same issue.

All folders created by Nix in /private/tmp have the same permissions:

drwx------   2 root     wheel    64B Jul 11 17:11 nix-build-nix-shell-env.drv-0
drwx------   2 root     wheel    64B Jul 11 17:11 nix-build-nix-shell-env.drv-1
drwx------   2 root     wheel    64B Jul 11 17:20 nix-build-nix-shell-env.drv-2
drwx------   2 root     wheel    64B Jul 11 17:22 nix-build-nix-shell-env.drv-3
drwx------   2 root     wheel    64B Jul 11 17:22 nix-build-nix-shell-env.drv-4
drwx------   2 root     wheel    64B Jul 11 17:28 nix-build-nix-shell-env.drv-5

After the build finishes, there aren’t any files left in these folders.

Earlier this week I re-installed Nix, and this solved the issue for a few days. However, the issue is back today (even though I didn’t change anything about my system).

Any suggestions for what I could try or what I could look at?


Passing along a response from someone on Matrix:

Yes, that’s the Darwin sandbox bug.
Updates for all Nix versions are finally in the branches.
The next channel update will fix it.
--option sandbox false is the workaround.
It’s caused by the hardening around the recent Linux sandbox security fix, so I get why releases were rushed out without that much QA, but it’s still quite something that every release branch has had a broken macOS sandbox for like weeks now 🙃

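A scoped way to apply the workaround quoted above, as an added example (my own shell script, not code from the original thread, from Nix or from nix-darwin): it reads the effective `sandbox` value from `nix show-config`-style output (the command name on Nix 2.18; newer releases spell it `nix config show`), builds the per-invocation `--option sandbox false` command line, and falls back to a constructed sample config when nix is not installed. All function names and the sample config are assumptions made here. The sandbox is the isolation boundary between a derivation's build and the rest of the machine, so prefer the per-command flag over setting `nix.settings.sandbox = false;` in the nix-darwin configuration, and drop the flag once the fixed channel lands.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread. Applies `--option sandbox false`
# per invocation (the workaround quoted above) rather than globally, and shows how
# to confirm the effective setting first.
set -euo pipefail

# Constructed sample of `nix show-config` output ("key = value" per line), used
# only when nix is not installed so the script runs offline.
SAMPLE_SHOW_CONFIG='build-users-group = nixbld
sandbox = true
sandbox-fallback = true
extra-sandbox-paths = '

# config_value KEY: read show-config-style lines on stdin and print KEY's value,
# or "unset" when the key is absent. Values may be empty (see extra-sandbox-paths).
config_value() {
  local key="$1"
  awk -v k="$key" -F' = ' '$1 == k { print $2; found = 1 } END { if (!found) print "unset" }'
}

# effective_sandbox: "true", "false", "relaxed" or "unset" for this machine.
# Falls back to the constructed sample when the nix CLI is unavailable.
effective_sandbox() {
  if command -v nix >/dev/null 2>&1; then
    nix show-config 2>/dev/null | config_value sandbox
  else
    printf '%s\n' "$SAMPLE_SHOW_CONFIG" | config_value sandbox
  fi
}

# nosandbox_argv SUBCOMMAND [ARGS...]: print the exact command line that disables
# the sandbox for this one invocation only, e.g.
#   nosandbox_argv develop        ->  nix develop --option sandbox false
#   nosandbox_argv build .#foo    ->  nix build --option sandbox false .#foo
# Global alternative (blunt, affects every build; avoid): in nix-darwin,
#   nix.settings.sandbox = false;
nosandbox_argv() {
  local sub="$1"; shift
  printf '%s' "nix $sub --option sandbox false"
  if [ $# -gt 0 ]; then
    printf ' %s' "$@"
  fi
  printf '\n'
}

# needs_workaround CONFIG_TEXT: exit 0 only when the sandbox is actually on, so
# the flag is not cargo-culted onto machines where it would change nothing.
needs_workaround() {
  [ "$(printf '%s\n' "$1" | config_value sandbox)" = "true" ]
}

# Demo: report the effective setting and, if the sandbox is on, the scoped command.
printf 'effective sandbox setting: %s\n' "$(effective_sandbox)"
if needs_workaround "$SAMPLE_SHOW_CONFIG"; then
  printf 'scoped workaround: %s\n' "$(nosandbox_argv develop)"
fi
```

Run the printed command in place of `nix develop` while the bug is present; once the updated channel arrives, `effective_sandbox` should still report `true` and the plain `nix develop` should work again without the flag.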

Thanks a lot! Adding this flag fixed the issue both in my minimal reproduction and in actual projects.
