"Path ... world-writable or a symlink" error message is very confusing

[dramforever]

Describe the bug

In 2.30, build-dir now defaults to /nix/var/nix/builds, and a check is added to make sure none of the components are world writable. However, the error message simply says:

error: Path /nix/var/nix/builds or a parent directory is world-writable or a symlink. That's not allowed for security.

I have found three users in the wild running into this error and at a complete loss of what to do to fix this, assuming that it must be a horrible regression with Nix. Turns out:

• Two of them have / mounted as tmpfs but forgot to specify a mode, leaving it as 1777
• Another user is running a non-standard non-NixOS setup which for some reason has / as mode 0777

It turns out even for moderately experienced Linux users it is not entirely obvious how to get the mode of the root directory. ls -l / shows the contents and does not tell you about the permissions on the root dir itself. You have to use ls -la / which shows root as ., or ls -ld which shows the root on its own.

A better message (such as one pointing out the path and permissions of the exact problematic path) would help users of Nix 2.30 better understand what is wrong.

Steps To Reproduce

• Accidentally mount tmpfs as root without specifying mode=0755, so the mode defaults to 1777
• Try to use Nix basically

Expected behavior

Some useful error message pointing to the fact that / has an insecure mode

Metadata

Nix >= 2.30

Additional context

Checklist

• checked latest Nix manual (source)
• checked open bug issues and pull requests for possible duplicates

---

Add 👍 to issues you find important.

[xokdvium]

Discussed during team meeting:

Error messages can be improved:

nix/src/libstore/unix/build/derivation-builder.cc

Lines 710 to 712 in 0175f7e

	if (buildUser && !checkNotWorldWritable(buildDir))
	throw Error(
	"Path %s or a parent directory is world-writable or a symlink. That's not allowed for security.", buildDir);

It's just a matter of adding more context from here:

nix/src/libstore/unix/build/derivation-builder.cc

Lines 654 to 665 in 0175f7e

	static bool checkNotWorldWritable(std::filesystem::path path)
	{
	while (true) {
	auto st = lstat(path);
	if (st.st_mode & S_IWOTH)
	return false;
	if (path == path.parent_path())
	break;
	path = path.parent_path();
	}
	return true;
	}

[nickbanderson]

FYI, I ran into this while installing nixos fresh via the graphical installer from an ISO (nixos-graphical-25.11pre...-x86_64-linux). I had to remove write permission from "all" on /tmp in order to finish the install. Not something I expected to have to do, but it worked in the end.

[xokdvium]

fresh via the graphical installer from an ISO

Is that something the graphical installer sets up by default? If yes then this seems like a bug in the installer and that needs to be filed in nixpkgs issue tracker.

[Mic92]

It's still unclear to me where we check the permissions for /tmp/.

[Mic92]

fresh via the graphical installer from an ISO

Is that something the graphical installer sets up by default? If yes then this seems like a bug in the installer and that needs to be filed in nixpkgs issue tracker.

/tmp/ should be world-writeable. it's also the case on my system, so I don't know why nix only causes this issue in that case.

[Mic92]

FYI, I ran into this while installing nixos fresh via the graphical installer from an ISO (nixos-graphical-25.11pre...-x86_64-linux). I had to remove write permission from "all" on /tmp in order to finish the install. Not something I expected to have to do, but it worked in the end.

Do you have more concrete errors in mind that came up?

[Mic92]

As @xokdvium suggested we could just change the build-dir option when running nix in the chroot store. This sounds like a good fix.