
patchShebangs fails for paths located in /nix/store on sandboxed Darwin #343576

@al3xtjames

Description


Describe the bug

Say that we have a script located in /nix/store, such as /nix/store/j9ganj7whk9zsq6cjid16cb6h7n4bck7-hello. Running patchShebangs against the script will invoke sed to patch the interpreter paths. sed -i will create a temporary file under the same parent directory as the input file; in this case, this is in /nix/store. sed fails with a permission error if the sandbox is enabled on Darwin:

patching script interpreter paths in /nix/store/j9ganj7whk9zsq6cjid16cb6h7n4bck7-hello
/nix/store/j9ganj7whk9zsq6cjid16cb6h7n4bck7-hello: interpreter directive changed from "#!/usr/bin/env bash" to "/nix/store/ym80z3f4nq5p8sp5vfch39x55x2rfwpz-bash-5.2p32/bin/bash"
sed: couldn't open temporary file /nix/store/sedOYQ2Wi: Operation not permitted

I believe this is due to the sandbox profile not allowing the creation of files under /nix/store. Running nix build with --debug dumps the sandbox profile: https://gist.github.com/al3xtjames/7a01839dee4f369bebdc9542772b532b#file-sandbox-log

I'm not sure if this should be treated as a Nix/Lix bug and fixed by updating the sandbox profile or if it should be fixed in nixpkgs. patchShebangs could be updated to pass a temporary file to sed -i, which would avoid creating temporary files in /nix/store.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Observe the build fail with nix build 'git+https://gist.github.com/al3xtjames/7a01839dee4f369bebdc9542772b532b' --no-write-lock-file --debug --option sandbox true
  2. Observe the build succeed with nix build 'git+https://gist.github.com/al3xtjames/7a01839dee4f369bebdc9542772b532b' --no-write-lock-file --debug --option sandbox false

Expected behavior

The build should succeed with the sandbox enabled.


Additional context

I ran into this while rebuilding neovim, specifically while building neovim-ruby-env. gen-stubs-script uses a similar pattern with patchShebangs, which fails with the same permission error:

genStubsScript = runCommand "gen-bin-stubs"
  {
    strictDeps = true;
    nativeBuildInputs = [ ruby ];
  }
  ''
    cp ${./gen-bin-stubs.rb} $out
    chmod +x $out
    patchShebangs --build $out
  '';


Metadata


[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
fetching github input 'github:NixOS/nixpkgs/nixpkgs-unstable'
 - system: `"x86_64-darwin"`
 - host os: `Darwin 23.6.0, macOS 10.16`
 - multi-user?: `yes`
 - sandbox: `relaxed`
 - version: `nix-env (Lix, like Nix) 2.91.0
System type: x86_64-darwin
Additional system types:
Features: gc, signed-caches
System configuration file: /etc/nix/nix.conf
User configuration files: /Users/alex/.config/nix/nix.conf:/Users/alex/.nix-profile/etc/xdg/nix/nix.conf:/etc/profiles/per-user/alex/etc/xdg/nix/nix.conf:/run/current-system/sw/etc/xdg/nix/nix.conf:/nix/var/nix/profiles/default/etc/xdg/nix/nix.conf
Store directory: /nix/store
State directory: /nix/var/nix
Data directory: /nix/store/qxhix72k2armql0w8ypm6yb9k2nv3cjp-lix-2.91.0/share`
 - nixpkgs: `/nix/store/x76i82ichcxssszb5i0ppzlmffms9iyk-source`
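The report suggests that patchShebangs should hand sed a temporary file instead of letting sed -i create one next to the script. The shell function below is an added example of that approach; it is not code from the issue, from nixpkgs' patchShebangs, or from Nix/Lix. The function name patch_shebang, the sample "hello" script, and the use of a non-writable directory (chmod 555) as a stand-in for the sandbox rule that denies creating new entries under /nix/store are all this example's own assumptions. The edited copy goes to $TMPDIR and is then copied back over the original file: only the existing file is opened for writing, so no new directory entry is needed in the script's parent. A mv of the temp file would not work here, because renaming into the directory also needs write permission on the directory.

```bash
#!/usr/bin/env bash
# Added example (not nixpkgs' patchShebangs): rewrite a script's "#!" line
# without letting sed create a temporary file beside the script.
set -eu

# patch_shebang FILE NEW_INTERPRETER
# sed writes its output to a temp file under $TMPDIR (assumed writable, as a
# build's $TMPDIR is); the result is copied back over FILE with cat, which
# truncates and rewrites the existing file and keeps its inode, mode and
# owner. Nothing is created in FILE's parent directory.
patch_shebang() {
  ps_file="$1"
  ps_new="$2"
  ps_tmp="$(mktemp "${TMPDIR:-/tmp}/patchshebang.XXXXXX")"
  # Replace only a "#!" line that is the first line of the file.
  sed -e "1 s|^#!.*|#!${ps_new}|" "$ps_file" > "$ps_tmp"
  cat "$ps_tmp" > "$ps_file"
  rm -f "$ps_tmp"
}

# make_demo DIR
# Constructed sample input: a script with an env shebang in DIR, then DIR is
# made non-writable so creating a sibling temp file there fails the way the
# sandboxed /nix/store does in the report (the file itself stays writable).
make_demo() {
  md_dir="$1"
  mkdir -p "$md_dir"
  printf '#!/usr/bin/env bash\necho hello\n' > "$md_dir/hello"
  chmod 755 "$md_dir/hello"
  chmod 555 "$md_dir"
}

# Usage, when run directly as: ./example.sh demo
if [ "${1-}" = "demo" ]; then
  demo_dir="$(mktemp -d)/store"
  make_demo "$demo_dir"
  patch_shebang "$demo_dir/hello" \
    "/nix/store/ym80z3f4nq5p8sp5vfch39x55x2rfwpz-bash-5.2p32/bin/bash"
  head -n 1 "$demo_dir/hello"
  ls "$demo_dir"   # only "hello": no leftover sedXXXXXX file
fi
```

The sed expression is anchored to line 1 and to a leading "#!", so a file without an interpreter directive is copied back unchanged; the interpreter path is used as a literal in the replacement, which is fine for store paths but would need escaping if it could contain "|" or "&".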

Labels: 0.kind: bug (Something is broken), 6.topic: darwin (Running or building packages on Darwin)