mkdir fails with 'Operation not permitted' for some packages during build
For some reason, when I run the switch command, it fails with
mkdir: cannot create directory `/nix/store/.../.app: Operation not permitted
> darwin-rebuild switch --flake .#${herewasmyhostname}
error: builder for '/nix/store/4bb41mi7yl7ah744z2fk91pln9zssl9h-vscode-1.96.4.drv' failed with exit code 1;
last 9 log lines:
> Running phase: unpackPhase
> unpacking source archive /nix/store/l2q84fqhan3w1cz147771s1prdb3m05b-VSCode_1.96.4_darwin-arm64.zip
> source root is Visual Studio Code.app
> setting SOURCE_DATE_EPOCH to timestamp 1737019056 of file "Visual
> Running phase: patchPhase
> Running phase: updateAutotoolsGnuConfigScriptsPhase
> Running phase: glibPreInstallPhase
> Running phase: installPhase
> mkdir: cannot create directory '/nix/store/gk7z1mxshdc5ka60f55fzpqal9821n20-vscode-1.96.4/Applications/Visual Studio Code.app': Operation not permitted
For full logs, run 'nix log /nix/store/4bb41mi7yl7ah744z2fk91pln9zssl9h-vscode-1.96.4.drv'
The issue occurred for me with two packages at the time: vscode 1.96.4 and Raycast 1.90.0.
> nix --version
nix (Nix) 2.25.3
If I try to download a package source flake locally and include it with (pkgs.callPackage ./pkgs/raycast { }) for example, it starts working without errors.
My first thought is that you might have auto-optimise-store on?
I didn't enable it in my config and in /etc/nix/nix.conf I have it disabled:
> cat /etc/nix/nix.conf
# WARNING: this file is generated from the nix.* options in
# your nix-darwin configuration. Do not edit it!
allowed-users = *
auto-optimise-store = false
build-users-group = nixbld
builders =
cores = 0
experimental-features = nix-command flakes
extra-nix-path = nixpkgs=flake:nixpkgs
extra-platforms = x86_64-darwin aarch64-darwin
extra-sandbox-paths =
max-jobs = auto
require-sigs = true
sandbox = false
sandbox-fallback = false
substituters = https://nix-community.cachix.org https://cache.nixos.org https://cache.flox.dev https://cache.nixos.org/
trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= flox-cache-public-1:7F4OyH7ZCnFhcze3fJdfyXYLQw/aV7GEed86nQ7IsOs= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
trusted-substituters =
trusted-users = artemii @admin root
experimental-features = nix-command flakes
builders-use-substitutes = true
build-use-substitutes = true
I think it may somehow be correlated with builders, because the only directories which have a non-root owner are:
>ls -la /nix/store/ -g | grep "_nixbld"
drwxr-xr-x - _nixbld1 nixbld 2 Feb 13:35 gk7z1mxshdc5ka60f55fzpqal9821n20-vscode-1.96.4
drwxr-xr-x - _nixbld3 nixbld 2 Feb 11:04 j440dcc757sdc5alah6c1h1044v28mh1-yarn-cache
It seems like an overlay works like a workaround for some reason
vscode = prev.vscode.overrideAttrs (old: {
installPhase = "whoami\n" + old.installPhase;
});
I had the same issue right after upgrading my Mac and using the native nix installer (vs determinate previously). I've added nix to the "allow full disk access" security list and it worked. I didn't use the overlay.
Same issue, after I uninstalled nix following this tutorial. If I install any package that is placed in $out/Applications, such as VSCode, it causes an "Operation not permitted" error. Any updates here?
It seems like an overlay works like a workaround for some reason
vscode = prev.vscode.overrideAttrs (old: { installPhase = "whoami\n" + old.installPhase; });
wow, same as you, I don't know why, but it works for me too.
I've used the same trick as @AutomationD and it worked for me. On my end, I had uninstalled nix from nixos and installed it again from determinate.
On my end, I had uninstalled nix from nixos and installed it again from determinate.
same here!
my nix install got borked and i got curious, uninstalled and re-installed the determinate distribution with lazy trees.
to fix, i went to System Settings → Privacy & Security → Full Disk Access and enabled determinate-nixd.
unclear why i wasn't prompted to give it permission earlier, macos permissions are sometimes funny like that, though.