Nix: error: moving build output '/nix/store/...-source' from the sandbox to the Nix store: Permission denied

I can include the build log with verbosity enabled if it helps as well; this has suddenly been happening so I suspect there is some regression with nix-build; subjectively I find it only occurs in my _nixpkgs_ local repository also but i'm not sure what is unique about that.

Glad to see that I'm not the only one who's experiencing this error with nix version 2.3.9.
I even get the error when trying to install a derivation from the nixpkgs-unstable channel:

nix-env -i gitkraken
installing 'gitkraken-7.4.0'
these derivations will be built:
  /nix/store/nw9pdx5qk0p03b4ykqgpni4gnp5hlay3-source.drv
  /nix/store/7bgw7q772s8l765l4f6q5p8cg5b70b9f-gitkraken-7.4.0.drv
these paths will be fetched (1.77 MiB download, 17.40 MiB unpacked):
  /nix/store/486v78pm6hb1qzdbh4xjw6a7587pk8f4-gdk-pixbuf-2.40.0-dev
  /nix/store/y3r085qp9iswh3sk1y9ssc3cqpwj4xw6-gtk+3-3.24.23-dev
copying path '/nix/store/486v78pm6hb1qzdbh4xjw6a7587pk8f4-gdk-pixbuf-2.40.0-dev' from 'https://cache.nixos.org'...
building '/nix/store/nw9pdx5qk0p03b4ykqgpni4gnp5hlay3-source.drv'...

trying https://release.axocdn.com/linux/GitKraken-v7.4.0.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  107M  100  107M    0     0  17.7M      0  0:00:06  0:00:06 --:--:-- 17.9M
unpacking source archive /build/GitKraken-v7.4.0.tar.gz
error: moving build output '/nix/store/bypddkckp05jkmi5byr4div2xrx43x7g-source' from the sandbox to the Nix store: Permission denied

Hello, I have the same issues here on a fresh Ubuntu 20.04 with home-manager. Also, I tried to decrease the version of nix, and it didn't fix anything.

> nix --version
nix (Nix) 2.2.2
> nix-shell '<home-manager>' -A install

Creating initial Home Manager generation...

building '/nix/store/c7l9mdylx710s86yihqww7440g5ihy0k-nmd.drv'...

trying https://gitlab.com/api/v4/projects/rycee%2Fnmd/repository/archive.tar.gz?sha=2398aa79ab12aa7aba14bc3b08a6efd38ebabdc5
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 22105    0 22105    0     0  73195      0 --:--:-- --:--:-- --:--:-- 72953
unpacking source archive /build/archive.tar.gz?sha=2398aa79ab12aa7aba14bc3b08a6efd38ebabdc5
error: moving build output '/nix/store/nnj0sc87fycmcv97inqvdzl1ghr1gwkp-nmd' from the sandbox to the Nix store: Permission denied

I stumbled upon the same issue. I can reproduce it with e.g.

nix-env -i gitkraken

copying path '/nix/store/6vkzkr9xjhdlrsjm02ncnasssqzmcp1c-libtiff-4.1.0-dev' from 'https://cache.nixos.org'...
building '/nix/store/nw9pdx5qk0p03b4ykqgpni4gnp5hlay3-source.drv'...

trying https://release.axocdn.com/linux/GitKraken-v7.4.0.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  107M  100  107M    0     0  24.1M      0  0:00:04  0:00:04 --:--:-- 24.1M
unpacking source archive /build/GitKraken-v7.4.0.tar.gz
error: moving build output '/nix/store/bypddkckp05jkmi5byr4div2xrx43x7g-source' from the sandbox to the Nix store: Permission denied

System

Nix: 2.3.4 and 2.3.7

OS: Linux Mint 20 x86_64
Kernel: 5.4.0-48-generic
Packages: 4293 (dpkg), 1707 (nix-user), 12 (snap)
Shell: fish 3.1.2
Terminal: st
CPU: Intel i5-4200U (4) @ 2.600GHz
GPU: Intel Haswell-ULT
Memory: 2062MiB / 11694MiB

I just started getting this too, on Ubuntu, nix 2.3.4, and home-manager.

Same issue, ubuntu. Have someone found a workaround?

Looks like it's only single user installation issue https://github.com/typeclasses/haskell-phrasebook/issues/38

Most of my colleagues that are not on NixOS have also experienced this issue and the only solution was to re-install Nix with multi-user support: https://nixos.org/manual/nix/stable/#sect-multi-user-installation

Based on the number of people mentioning this issue, there has to be a recent change regarding nix on ubuntu. Using the daemon (multi user) might work because it's not affected, but single user mode worked fine for months/years on ubuntu. I'm hoping for a solution targeting the cause.

I as well.
I love the simplicity of single user and I only use Nix on my laptop so there's no need for multi user installation.

I have tried to raise visibility of this issue on IRC and discord... Hoping someone with some insight can comment 🙏

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/is-nix-single-user-broken-for-others/10332/1

I as well.
I love the simplicity of single user and I only use Nix on my laptop so there's no need for multi user installation.

I have tried to raise visibility of this issue on IRC and discord... Hoping someone with some insight can comment pray

I assume it goes away if you disable the sandbox?

I also don't see this error message in unstable, but I assume the logic is similar. Can someone reproduce error with nix unstable?

@Mic92 it goes away with --option sandbox false
I am trying on master of Nix as well right now.

@Mic92 just to re-iterate as well: going to multi-user seems to resolve it as well.

The error message in 2.3-maintenance is invoid DerivationGoal::registerOutputs() at https://github.com/NixOS/nix/blob/2.3-maintenance/src/libstore/build.cc#L3238

The same function (greatly changed!) is currently at https://github.com/NixOS/nix/blob/1b79b5b983a6c775766bd0d1c7881042188998b8/src/libstore/build/derivation-goal.cc#L2861

@abathur @Mic92 i tried latest Nix (8ad2c9c4b97f291982598e34530122612c580b83) and I guess it's working. I wonder what the delta is though and if we can back-port it.
I don't have the bandwidth at the moment to _git bisect_ the 2.3 release branch.

❯ /nix/store/cbakjwpws3wclfanzs9xkzy73c2pwhdz-nix-2.4pre19700101_8ad2c9c/bin/nix-build -A spacevim
these 2 derivations will be built:
  /nix/store/akidg6ifyymbqj7gfxisj445s0ihvmf2-source.drv
  /nix/store/bddqjx6zb4s23gzaq7cqkc7jw2qnz40m-spacevim-v1.5.0.drv
Resolved derivation: '/nix/store/akidg6ifyymbqj7gfxisj445s0ihvmf2-source.drv' -> '/nix/store/ljgl61009ilynfkf7jmdq6x2m6djkc5i-source.drv'...
building '/nix/store/ljgl61009ilynfkf7jmdq6x2m6djkc5i-source.drv'...

trying https://github.com/SpaceVim/SpaceVim/archive/v1.5.0.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   125  100   125    0     0    438      0 --:--:-- --:--:-- --:--:--   438
100 6097k    0 6097k    0     0  4503k      0 --:--:--  0:00:01 --:--:--  9.8M
unpacking source archive /build/v1.5.0.tar.gz
building '/nix/store/bddqjx6zb4s23gzaq7cqkc7jw2qnz40m-spacevim-v1.5.0.drv'...
unpacking sources
unpacking source archive /nix/store/xwvx38yj44vkf8jwjmp6p9pv6agjaggf-source
source root is source
patching sources
applying patch /nix/store/533ajhk6s8rzscm1plf4ijmzlqw9z57g-helptags.patch
...

Potential silver lining: If something was actually broken since the 2.3 branch-off, and if that something is in src/libstore/build.cc, it looks like only 5 commits have touched it since branch-off.

That said, I don't grok why this is suddenly cropping up for all of you at once (on existing installs that seem to have been running fine?) unless something has turned up in Nixpkgs that is causing/exposing these breaks.

@fzakaria When did your local nixpkgs branch off? Does it depend on local changes, or could you check out 20.09 or 20.03 and see if you still get the error? Edit: Also, if you happen to still be on the nixpkgs commit you were on when you first saw this, make a note of which commit that was? If this is something in Nixpkgs and your clone was fairly up-to-date, you may have started seeing this in master shortly before nixpkgs-unstable had advanced.

(Likewise to anyone else--if you're using nixpkgs-unstable, do recent stable nixpkgs channels work?)

Likewise to anyone else--if you're using nixpkgs-unstable, do recent stable nixpkgs channels work?

Is this about nix or the packages causing trouble?

I tried to use different nix (package manager) versions (from 20.03, 20.09 and unstable) and the error was the same.

Is it also possible that "something" changed permissions for a location (either nix or debian/ubuntu), and then preciously working versions would fail, too?

Is this about nix or the packages causing trouble?

"The packages" is closer to what I mean, but I'm not certain from the thread so far if this is globally affecting everything in _nixpkgs_, or just specific ones, or somewhere between (everything using a certain builder, hook, etc.).

I tried to use different nix (package manager) versions (from 20.03, 20.09 and unstable) and the error was the same.

That's roughly what I'd expect (assuming your packages are coming from nixpkgs-unstable in each case).

Is it also possible that "something" changed permissions for a location (either nix or debian/ubuntu), and then preciously working versions would fail, too?

I'd rate it plausible, but I'm asking about nixpkgs at different commits/channels because it should be fairly quick+easy to jump around one or two times and confirm/disprove, and it could have a big impact on who needs to be in the loop.

Given that master on Nix itself resolves the issue isn't that a smoking gun it's Nix and not a builder in nixpkgs itself?

I've seen this issue building any attribute in nixpkgs fwiw

@abathur @andys8 okay wow so nixos-stable works whereas master does not for _nixpkgs_
So something is conflicting in recent nixpkgs that does not work 2.3.X version of Nix (although fixed in master of Nix)

What is important though is that the _source_ must be fetched directly and not from cache.nixos.org to cause the failure.
For instance, I tried to build a recently submitted package rbenv and it worked fine.

❯ nix-build -A rbenv
these derivations will be built:
  /nix/store/zvykmm4gijvv1v2p2br3zh9aqbh67nfh-rbenv-1.1.2.drv
these paths will be fetched (0.03 MiB download, 0.13 MiB unpacked):
  /nix/store/cxf88dxf01pqd1y5km75bn9qqxb21f9w-source
copying path '/nix/store/cxf88dxf01pqd1y5km75bn9qqxb21f9w-source' from 'https://cache.nixos.org'...
building '/nix/store/zvykmm4gijvv1v2p2br3zh9aqbh67nfh-rbenv-1.1.2.drv'...
unpacking sources
unpacking source archive /nix/store/cxf88dxf01pqd1y5km75bn9qqxb21f9w-source
source root is source
patching sources
...

copying path '/nix/store/cxf88dxf01pqd1y5km75bn9qqxb21f9w-source' from 'https://cache.nixos.org'...

However when I try to build my new derivation I'm working on for submission it hits the error.

❯ nix-build -A spacevim
these derivations will be built:
  /nix/store/akidg6ifyymbqj7gfxisj445s0ihvmf2-source.drv
  /nix/store/bddqjx6zb4s23gzaq7cqkc7jw2qnz40m-spacevim-v1.5.0.drv
building '/nix/store/akidg6ifyymbqj7gfxisj445s0ihvmf2-source.drv'...

trying https://github.com/SpaceVim/SpaceVim/archive/v1.5.0.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   125    0   125    0     0    518      0 --:--:-- --:--:-- --:--:--   520
100 6097k  100 6097k    0     0  10.3M      0 --:--:-- --:--:-- --:--:-- 10.3M
unpacking source archive /build/v1.5.0.tar.gz
error: moving build output '/nix/store/xwvx38yj44vkf8jwjmp6p9pv6agjaggf-source' from the sandbox to the Nix store: Permission denied

I cherry-picked this change onto _nixos-20.09_ though and it works fine after making sure to _nix-store --delete_ ...

Given that master on Nix itself resolves the issue isn't that a smoking gun it's Nix and not a builder in nixpkgs itself?

I've seen this issue building any attribute in nixpkgs fwiw

I'm not saying there isn't a bug in Nix 2.3.x. I just suspect--given how quickly several people on different versions started having the same problem with presumably existing installs--that it was latent in Nix until something else shifted to expose it (and that something else may or may not be a problem in its own right...)

@fzakaria On a hunch: can you try backing out https://github.com/NixOS/nixpkgs/commit/4a5c49363a58e711c2016b9ebb6f642e3c9c1be5? It's the main diff I can see between master and release-20.09 in terms of changes that would affect the SpaceVim and GitKraken derivations.

Yup, I can replicate this on a clean Ubuntu 20.04 install. Adding a chmod u+w $out after the chmod -R a-w $out fixes it.

So, is this a problem with Nix itself?

That is, is there a flaw in the single-user sandbox model? Is the workaround in https://github.com/NixOS/nixpkgs/pull/105845 a workaround, or is it making sure it respects the model?

This was fixed in master in the megacommit e913a2989fd7dfabfd93c89fd4295386eda4277f.

That is, is there a flaw in the single-user sandbox model? Is the workaround in NixOS/nixpkgs#105845 a workaround, or is it making sure it respects the model?

This is just a bug that only really crops up in single-user sandbox mode because if you're root then, well, permission bits don't matter :o)

True - but is that bug in nix, or nixpkgs? :P

Thanks for fixing this issue.

Just curious, as a new user in the single-user mode, --- multiple-user is not an option since the host is WSL, how can I work around this?

@kunxi @fzakaria reported the builds succeeding with --option sandbox false, have you tried that?

@abathur

I want to install nix on debian WSL, and use home-manager to manage package and configurations. Just follow the instruction of home-manager:

nix-shell --version
nix-shell (Nix) 2.3.9

nix-channel --list
home-manager https://github.com/nix-community/home-manager/archive/master.tar.gz
nixpkgs https://nixos.org/channels/nixpkgs-unstable

nix-shell '<home-manager>' -A install --option sandbox false
... 
error: moving build output '/nix/store/nnj0sc87fycmcv97inqvdzl1ghr1gwkp-nmd' from the sandbox to the Nix store: Permission denied

The symptoms are similar, but not sure whether it is the same root cause.

Ah. Hmm. I don't use multiple components here so I'm shooting from the hip, but maybe home-manager's scripts are running some nix invocations of their own (which wouldn't have the option).

You could try setting sandbox = false for now in /etc/nix/nix.conf. If that doesn't work, we may need to poke someone who knows more about HM.

Yep, setting sandbox = false in /etc/nix/nix.conf works as a charm. Thanks!

Yeah I just started running into this issue as well a few days ago. I'm running nix (2.3.7) in single user mode on Ubuntu 20.04 .
Setting the sandbox option to false as described above seems to fix it,

I've got the issue with nix (Nix) 2.3.9 on Ubuntu 20.04 by running nix-shell.
It seems nix-shell doesn't know sandbox option.

nix-shell --option sanbox false
warning: unknown setting 'sanbox'
building '/nix/store/x358f61apjvg78frlyj8znjcnmy7q1q3-source.drv'...

trying https://github.com/nixos/nixpkgs/archive/7138a338b58713e0dea22ddab6a6785abec7376a.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   152  100   152    0     0    338      0 --:--:-- --:--:-- --:--:--   337
100 34.7M    0 34.7M    0     0  1863k      0 --:--:--  0:00:19 --:--:-- 1966k
unpacking source archive /build/7138a338b58713e0dea22ddab6a6785abec7376a.zip
error: moving build output '/nix/store/bqfq4db6nwycmkdrql9igsbrayqsw3g2-source' from the sandbox to the Nix store: Permission denied
(use '--show-trace' to show detailed location information)

Furthermore there is no /etc/nix/nix.conf. Is there an other way to set andbox = false beside /etc/nix/nix.conf?

I'm not certain off the top of my head whether nix-shell does support the sandbox option, but it looks like you entered sanbox instead. Can you confirm whether --option sandbox false does what you expect?

Edit: AFAIK you can just create the nix.conf and add the line to it.

Thank you for the quick response, @abathur.
Indeed nix-shell supports --option sandbox false as well.