Permission denied during installPhase of a python program

Hello,

I am currently packaging my very first derivation after reading all the nix pills.
It is a python program that I can’t find in nixpkgs: GitHub - dwservice/agent: DWService agent for Linux, Mac and Windows

As the README says, I just need to run the “compile_all.py” script located in the make directory, so I came up with this simple derivation:

let
	pkgs = import <nixpkgs>{};
in
	pkgs.stdenv.mkDerivation {
		name = "dwagent";
		src = fetchGit {
			url = "https://github.com/dwservice/agent.git";
			rev = "8b753ebaf89485beb9f1f730cfbbb395b3327781";
		};

		buildInputs = with pkgs; [ 
			gcc
			gnumake
			python3
		];

		unpackPhase = "true";

		installPhase = ''
			mkdir -p $out/bin
			cd $src/make
			python compile_all.py
		'';
	}

However the build fails with a “permission denied” error on a os.makedirs() function call.
I know the nix store is write protected for users but I thought nix-build had the correct rights to write in it ?
What is the correct way of doing that ? Do I need to copy my sources to a temporary folder outside the nix store to build it ?

Oof. That’s a repo and a half. Looks like they completely hand-built a build system just for this project. Or is this some weird, ancient eclipse feature? Either way you’re going to have a field day if you want to build this.

This is pretty much correct, a build should only be able to write to a specific directory (the $out directory in your installphase), as well as a temporary directory in /tmp (which is the current working directory in all shells started for the build).

It’s not allowed to write anywhere else. Problem is, some build systems are messy, and try to write to, for example, /usr/bin so they can helpfully install their binaries for you. This appears to be such a build system - it assumes you’re on an fhs distro, and rather than “compile” you want to “compile and immediately install”.

Nix’ sandbox won’t allow it to just edit any file on your computer, so you get a permission error.

Given the above, no, that would not be helpful.

The “correct” way is for upstream to use a more sensible build system. Since it does not, you’ll have to learn how their build system works.

I can’t spot any way to configure its installation prefix from a glance, it looks to be hardcoded, but I can’t spot where that is. It also appears to download stuff at build time, rather than using already installed libraries, which is also forbidden during nix builds. This is not promising.

I think the path of least resistance would be to reimplement their compile_all from scratch in your buildPhase. The script’s errors do say you should do the buuld manually if it doesn’t work, so this is an expected outcome.

It might turn out to be surprisingly easy to do so (most of their code revolves around working on windows/mac/ubuntu), but you’ll have to spend quite a while untangling what their code even does. It’ll bitrot quickly too, any small change to their build system will break your builds if you update. Maybe if you understand it well enough to reimplement it you’ll be able to configure it, though, or at least patch it well enough that it can work under nix. Either way, this will take some work.

I’d personally look for an alternative project entirely. This level of build system craziness coupled with an apparent insistence on using python2 is concerning, and all that for a tool that does remote desktop control via http. This has botnet fodder written all over it.

GNOME natively supports rdp today, which I’d recommend instead.

Actually I thought that the project was just a python project, but indeed you are right, it is a c++ project built with a strange home made python build system. I am using this rdp program on various systems and I chose this one as an alternative to teamviewer because it was open source easy to use on different os.
As it was open source I don’t even thought it could be a scam but you are scaring me, I will check on the net if this is reported as some sort of disguised malware.

Thank you for the help !