mkdir fails with 'Operation not permitted' for some packages during build

[bea231]

For some reason when I run switch command it fails with

mkdir: cannot create directory `/nix/store/.../.app: Operation not permitted

> darwin-rebuild switch --flake .#${herewasmyhostname}
error: builder for '/nix/store/4bb41mi7yl7ah744z2fk91pln9zssl9h-vscode-1.96.4.drv' failed with exit code 1;
       last 9 log lines:
       > Running phase: unpackPhase
       > unpacking source archive /nix/store/l2q84fqhan3w1cz147771s1prdb3m05b-VSCode_1.96.4_darwin-arm64.zip
       > source root is Visual Studio Code.app
       > setting SOURCE_DATE_EPOCH to timestamp 1737019056 of file "Visual
       > Running phase: patchPhase
       > Running phase: updateAutotoolsGnuConfigScriptsPhase
       > Running phase: glibPreInstallPhase
       > Running phase: installPhase
       > mkdir: cannot create directory '/nix/store/gk7z1mxshdc5ka60f55fzpqal9821n20-vscode-1.96.4/Applications/Visual Studio Code.app': Operation not permitted
       For full logs, run 'nix log /nix/store/4bb41mi7yl7ah744z2fk91pln9zssl9h-vscode-1.96.4.drv'

The issue occurred for me with two packages at the time: vscode 1.96.4 and Raycast 1.90.0.

> nix --version
nix (Nix) 2.25.3

If I try to download a package source flake locally and include it with (pkgs.callPackage ./pkgs/raycast { }) for example, it starts working without errors.

[Samasaur1]

My first thought is that you might have auto-optimise-store on?

[bea231]

I didn't enable it in my config and in /etc/nix/nix.conf I have it disabled:

> cat /etc/nix/nix.conf
# WARNING: this file is generated from the nix.* options in
# your nix-darwin configuration. Do not edit it!
allowed-users = *
auto-optimise-store = false
build-users-group = nixbld
builders =
cores = 0
experimental-features = nix-command flakes
extra-nix-path = nixpkgs=flake:nixpkgs
extra-platforms = x86_64-darwin aarch64-darwin
extra-sandbox-paths =
max-jobs = auto
require-sigs = true
sandbox = false
sandbox-fallback = false
substituters = https://nix-community.cachix.org https://cache.nixos.org https://cache.flox.dev https://cache.nixos.org/
trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= flox-cache-public-1:7F4OyH7ZCnFhcze3fJdfyXYLQw/aV7GEed86nQ7IsOs= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
trusted-substituters =
trusted-users = artemii @admin root
experimental-features = nix-command flakes
builders-use-substitutes = true
build-use-substitutes = true

[bea231]

I think it may somehow be correlated with builders, because the only directories which have non-root owner are:

>ls -la /nix/store/ -g | grep "_nixbld"
drwxr-xr-x      - _nixbld1 nixbld  2 Feb 13:35  gk7z1mxshdc5ka60f55fzpqal9821n20-vscode-1.96.4
drwxr-xr-x      - _nixbld3 nixbld  2 Feb 11:04  j440dcc757sdc5alah6c1h1044v28mh1-yarn-cache

[bea231]

It seems like an overlay works like a workaround for some reason

vscode = prev.vscode.overrideAttrs (old: {
  installPhase = "whoami\n" + old.installPhase;
});