fetchzip: get write permission on unpacked directory

This is a workaround for NixOS/nix#4295, which caused single-user Linux
Nix installations using sandboxed builds to start failing to build
fetchzip derivations after 4a5c49363a.

In short: removing write permissions for the entire directory is great,
except we then can't rename(2) it to the final Nix store path out of the
sandbox, because we don't have write permission on the directory and
thus cannot update the ".." directory entry.
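To see the failure the message describes, here is an added demonstration (not from the commit or from nixpkgs) that strips write bits from an unpacked tree and tries to rename it to a new parent directory, once as the old fetchzip did and once with the commit's extra `chmod u+w` on the top-level directory. It assumes only a POSIX shell with mktemp and an unprivileged user, since root bypasses the permission check.

```shell
#!/bin/sh
# Added demonstration, not part of the commit: why rename(2) of a directory
# fails once every write bit is stripped, and why restoring write permission
# on the top-level directory alone is enough. Only mktemp is assumed.

# Build a constructed "unpacked archive" in $work/unpack/out, strip write
# bits the way the original fetchzip did, then try to move it under a new
# parent. Returns 0 if the move succeeded, 1 if it failed.
try_move() {
    keep_dir_writable=$1                   # "yes" applies the fix from the commit
    work=$(mktemp -d)
    mkdir -p "$work/unpack/out/sub"
    printf 'hello\n' > "$work/unpack/out/sub/file"
    mkdir "$work/store"

    chmod -R a-w "$work/unpack/out"        # old behaviour: everything read-only
    if [ "$keep_dir_writable" = yes ]; then
        chmod u+w "$work/unpack/out"       # the fix: top-level directory writable
    fi

    # mv within one filesystem calls rename(2); moving a directory to a new
    # parent rewrites its ".." entry, which needs write permission on that
    # directory itself, so the read-only variant fails with EACCES.
    if mv "$work/unpack/out" "$work/store/out" 2>/dev/null; then
        status=0
    else
        status=1
    fi

    chmod -R u+w "$work" 2>/dev/null       # make cleanup possible again
    rm -rf "$work"
    return $status
}

# Permission checks are bypassed for root, so the failure is only visible
# when running as an unprivileged user.
is_root() { [ "$(id -u)" -eq 0 ]; }
```

Run `try_move no` as an ordinary user to reproduce the sandbox failure, and `try_move yes` to confirm the workaround.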
Branch: wip/yesman
Author: Luke Granger-Brown, 4 years ago
parent 35a5eb9d2c
commit 1f6d750097

1 changed file with 7 additions:
    pkgs/build-support/fetchzip/default.nix

@ -48,8 +48,15 @@
+ extraPostFetch
# Remove write permissions for files unpacked with write bits set
# Fixes https://github.com/NixOS/nixpkgs/issues/38649
#
# However, we should (for the moment) retain write permission on the directory
# itself, to avoid tickling https://github.com/NixOS/nix/issues/4295 in
# single-user Nix installations. This is because in sandbox mode we'll try to
# move the path, and if we don't have write permissions on the directory,
# then we can't update the ".." entry.
+ ''
chmod -R a-w "$out"
chmod u+w "$out"
'';
} // removeAttrs args [ "stripRoot" "extraPostFetch" ])).overrideAttrs (x: {
# Hackety-hack: we actually need unzip hooks, too
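Review bot: the comment block that says write permission on the directory is retained "for the moment" gives no marker for when the workaround can go; suggest a TODO naming NixOS/nix#4295 next to `chmod u+w "$out"` so that line is dropped once the sandbox rename problem is fixed upstream. The ordering is right as written: `chmod -R a-w "$out"` runs first, so only the top-level directory regains its user write bit while the unpacked contents stay read-only, which is what the comment promises.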