error: could not set permissions on '/nix/var/nix/profiles/per-user' to 755: Operation not permitted

[amckinlay]

After installing multi-user nix, the following error occurs when running nix-shell:

andrewmckinlay@imac ~ % nix-shell -p nix-info --run "nix-info -m"
error: could not set permissions on '/nix/var/nix/profiles/per-user' to 755: Operation not permitted

andrewmckinlay@imac ~ % ls -ld /nix/var/nix/profiles/per-user
drwxr-xr-x  3 root  staff  96 Mar 21 13:01 /nix/var/nix/profiles/per-user

[tombusby]

Having same issue since upgrading to osx 10.15.4

It broke my nix installation and I tried full reinstall, having this issue now.

Followed the workaround here:

#2925 (comment)

[tombusby]

Weird thing is, it's already 755:

Last login: Wed Mar 25 17:52:51 on ttys001
thomas.busby@Thomass-MacBook-Pro ~/.../kontrakcja/workspace/nix-ghc-8.6.5 % nix-shell -p nix-info --run "nix-info -m"
error: could not set permissions on '/nix/var/nix/profiles/per-user' to 755: Operation not permitted
thomas.busby@Thomass-MacBook-Pro ~/.../kontrakcja/workspace/nix-ghc-8.6.5 % cd /nix/var/nix/profiles/per-user
thomas.busby@Thomass-MacBook-Pro /nix/.../nix/profiles/per-user % ll
total 0
drwxr-xr-x  3 root  admin    96B 25 Mar 17:52 ./
drwxr-xr-x  6 root  admin   192B 25 Mar 17:52 ../
drwxr-xr-x  4 root  wheel   128B 25 Mar 17:52 root/
thomas.busby@Thomass-MacBook-Pro /nix/.../nix/profiles/per-user % cd ..
thomas.busby@Thomass-MacBook-Pro /nix/var/nix/profiles % ll
total 0
drwxr-xr-x  6 root  admin   192B 25 Mar 17:52 ./
drwxr-xr-x  8 root  admin   256B 25 Mar 17:52 ../
lrwxr-xr-x  1 root  admin    14B 25 Mar 17:52 default@ -> default-2-link
lrwxr-xr-x  1 root  admin    60B 25 Mar 17:52 default-1-link@ -> /nix/store/lpyk9jn33gzp8rsy3bvr1wi9bb323djc-user-environment
lrwxr-xr-x  1 root  admin    60B 25 Mar 17:52 default-2-link@ -> /nix/store/83jp9wdmba1m82qbvdl9kixk1nsf70cm-user-environment
drwxr-xr-x  3 root  admin    96B 25 Mar 17:52 per-user/
thomas.busby@Thomass-MacBook-Pro /nix/var/nix/profiles % cd ..
thomas.busby@Thomass-MacBook-Pro /nix/var/nix % ll
total 0
drwxr-xr-x  8 root  admin   256B 25 Mar 17:52 ./
drwxr-xr-x  4 root  admin   128B 25 Mar 17:51 ../
drwxr-xr-x  6 root  admin   192B 25 Mar 17:52 db/
-rw-------  1 root  admin     0B 25 Mar 17:52 gc.lock
drwxr-xr-x  3 root  admin    96B 25 Mar 17:51 gcroots/
drwxr-xr-x  6 root  admin   192B 25 Mar 17:52 profiles/
drwxr-xr-x  2 root  admin    64B 25 Mar 17:52 temproots/
drwxr-xr-x  3 root  admin    96B 25 Mar 17:52 userpool/
thomas.busby@Thomass-MacBook-Pro /nix/var/nix % cd ..
thomas.busby@Thomass-MacBook-Pro /nix/var % ll
total 0
drwxr-xr-x  4 root  admin   128B 25 Mar 17:51 ./
drwxr-xr-x  6 root  admin   192B 25 Mar 17:51 ../
drwxr-xr-x  3 root  admin    96B 25 Mar 17:51 log/
drwxr-xr-x  8 root  admin   256B 25 Mar 17:52 nix/
thomas.busby@Thomass-MacBook-Pro /nix/var % cd ..
thomas.busby@Thomass-MacBook-Pro /nix % ll
total 0
drwxr-xr-x   6 root  admin    192B 25 Mar 17:51 ./
drwxr-xr-x  22 root  admin    704B 25 Mar 16:48 ../
drwx------   4 root  wheel    128B 12 Feb 21:53 .Spotlight-V100/
d-wx--x--t   3 root  wheel     96B 12 Feb 21:53 .Trashes/
drwxrwxr-t  59 root  nixbld   1.8K 25 Mar 17:52 store/
drwxr-xr-x   4 root  admin    128B 25 Mar 17:51 var/
thomas.busby@Thomass-MacBook-Pro /nix %

[LnL7]

Is this also a multi-user install right?

What's the output of nix doctor and ls -la /nix/var/nix/db?

[tombusby]

Unfortunately, I just binned and it did a single-user install, which doesn't seem to suffer the same issue, so I can't assist further. But seems to be the latest Catalina update that was pushed out today that's done it, so I'm sure you'll be seeing plenty more soon.

[LnL7]

If you're referring to 10.15.4 19E266, works fine here.

[domenkozar]

I think this happens in multi-user installation if nix-daemon is not running (for example during a boot, restart, etc).

[domenkozar]

To reproduce on darwin:

1. install nix
2. change nix.conf and pkill nix-daemon
3. run quickly nix-build

Explanation: at step 3, nix-daemon is not yet up (takes a few seconds) and nix-build will fallback to client and try to ensure those directories are created, but fails to do so since it doesn't have permissions

[harendra-kumar]

I am wondering why it should change permissions on /nix/var/nix/profiles/per-user especially if they are already correct. That can be avoided.

[blast-hardcheese]

I had this issue as well, though it really did turn out to be that the nix-daemon wasn't running. No matter whether or not the chmod should have actually been attempted, without the daemon running I would likely have screwed something up further down the line if it had gotten past this point.

The chmod failure led me to this thread, so likely detecting a multi-user install and failing with an error message if the daemon is not running would be preferable.

[abathur]

When/if it lands, I think #4289 will fix enough of this that I'm going to mark it as closing this one (but I'll explain how and un-mark it if there's disagreement).

In the process of working on that PR and it's predecessor (#4181), which further complicate the install process, feedback made it (even more) obvious that the installer needs to carry more of the weight of smoothing out previous-install cruft.

While working on that functionality, I did a lot of uninstall/reinstall testing and ran into this issue occasionally. I made this change to try to fix it. My confidence in making the fix wasn't terribly high, but I haven't seen the issue recur since.

[mahi941333]

I am still facing this issue
could not set permissions on '/nix/var/nix/profiles/per-user' to 755: Operation not permitted
On Mac OS Big Sur.

[samuela]

I'm still getting this issue when inside nixos-enter sessions:

iso$ sudo nixos-enter
chroot-root# su skainswo
chroot-skainswo$ nix-channel --update
error: could not set permissions on '/nix/var/nix/profiles/per-user' to 755: Operation not permitted

I'm running the 21.05 minimal ISO in virtualbox.

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/cant-run-nix-channel-update-in-nixos-enter-session/13551/1

[SimonTheLeg]

I am running into the original issue, where none of the nix-commands work on MacOS

nix-shell -p nix-info --run "nix-info -m"
error: could not set permissions on '/nix/var/nix/profiles/per-user' to 755: Operation not permitted

I guess I am in a bit of a special situation since I did have nix installed previously in single user mode, however I tried everything the installer tells you uninstall nix, before starting with the multi-user installation

Situation prior to the upgrade
Months ago I had created the unencrypted APFS volume for /nix and used the normal single user install, which worked perfectly for many months. For newer projects I was interested to switch to multi-user mode.

How I tried switching to multi-user mode

1. I ran

sh <(curl -L https://nixos.org/nix/install) --daemon

2. I followed the installers prompts to remove the old nix installation via

sudo rm -rf /etc/nix /nix /var/root/.nix-profile /var/root/.nix-defexpr /var/root/.nix-channels /Users/simonbein/.nix-profile /Users/simonbein/.nix-defexpr /Users/simonbein/.nix-channels

3. The installer prompted me to double check my /etc/bashrc and /etc/zshrc, which were in order and just required a rollback, which I did

/usr/bin/sudo /bin/mv /etc/bashrc.backup-before-nix /etc/bashrc
/usr/bin/sudo /bin/mv /etc/zshrc.backup-before-nix /etc/zshrc

4. On the next try the installer finishes successfully

I also repeated steps 1-4 running sh <(curl -L https://nixos.org/nix/install) --darwin-use-unencrypted-nix-store-volume --daemon, which yieled the same result

Additional info:

• Mac Version: 11.2.3
• nix doctor output

  nix doctor
  error: could not set permissions on '/nix/var/nix/profiles/per-user' to 755: Operation not permitted

• ls -la /nix/var/nix/db
  total 16504
  drwxr-xr-x  6 root  admin      192 Jun 11 11:37 .
  drwxr-xr-x  8 root  admin      256 Jun 11 11:36 ..
  -rw-------  1 root  admin        0 Jun 11 11:36 big-lock
  -rw-r--r--  1 root  admin    57344 Jun 11 11:37 db.sqlite
  -rw-------  1 root  admin  8388608 Jun 11 11:36 reserved
  -rw-r--r--  1 root  admin        2 Jun 11 11:36 schema

• ls -la /nix/var/nix/profiles
  total 0
  drwxr-xr-x  6 root  admin  192 Jun 11 11:36 .
  drwxr-xr-x  8 root  admin  256 Jun 11 11:36 ..
  lrwxr-xr-x  1 root  admin   14 Jun 11 11:36 default -> default-2-link
  lrwxr-xr-x  1 root  admin   60 Jun 11 11:36 default-1-link -> /nix/store/a1fcv441lrhgai6yizbcm8m0dg3hhgps-user-environment
  lrwxr-xr-x  1 root  admin   60 Jun 11 11:36 default-2-link -> /nix/store/kr5xl16f31kpa52dwfvrgysisyrg1rs6-user-environment
  drwxr-xr-x  3 root  admin   96 Jun 11 11:36 per-user

[abathur]

@SimonTheLeg Can you try the removal steps again, and then use the ~test installer mentioned in the Try it out section of #4289? (4289, which sands down a few of the sharp corners here, is merged but not yet released)

[SimonTheLeg]

That worked like a charm! Thank you so much for that change. Also the installer is really pleasant to use!

Now onto waiting until home-manager supports nix 2.4 I guess 😄
Edit: Nevermind. You can actually make it work with home manager, without much effort. I just forgot to add a channel for nixpkgs

nix-channel --add https://channels.nixos.org/nixpkgs-unstable nixpkgs
nix-channel --update

and then you can do the normal home-manager install

[peterbecich]

I fixed this the wasteful way by deleting /nix and re-installing.

[psuzzi]

I'm facing this issue too at the end of install, and when I try to run nix doctor

$ nix doctor
error: could not set permissions on '/nix/var/nix/profiles/per-user' to 755: Operation not permitted

I have a MacBook 2017 updated to MacOs Monterey (V. 12.1)

Any idea on how to fix this problem?

[kubukoz]

For anyone hitting this on darwin even after a full reinstall, try to unmount and delete the partition in Disk Utility and reboot before the reinstall. The reboot was the crucial step for me.

[lukatavcer]

I have installed it on Linux Mint, and I needed to completely remove Nix and reinstall it with the single user no-deamon version.
Uninstall nix

# Install Nix
sh <(curl -L https://nixos.org/nix/install) --no-daemon

[samuela]

I just encountered this issue again. This time on Ubuntu 18.04.6 after un-installing and re-installing Nix.

[samuela]

I just encountered this issue again. This time on Ubuntu 18.04.6 after un-installing and re-installing Nix.

Reboot fixed it for me 🤷

[mmuggli]

Just an anecdote that may help someone. I was experiencing this error when running macOS Monterey on an external drive. My macbook pro still had its internal factory SSD with Monterey also. On bootup, I was prompted to enter my password for the "Macintosh HD - Data" (internal) partition, which I provided. When I removed the factory SSD and moved my formerly external SSD to the macbook pro's motherboard, the command (nix-shell -p nix-info --run "nix-info -m") started working.

So in my case, the special nix volume and mounting may have been confused by the existence of additional APFS volumes mounted.

[domenkozar]

Folks are still hitting this issue: https://fosstodon.org/@[email protected]/109552234396262605

[fwip]

Just an anecdote that may help someone. I was experiencing this error when running macOS Monterey on an external drive. My macbook pro still had its internal factory SSD with Monterey also. On bootup, I was prompted to enter my password for the "Macintosh HD - Data" (internal) partition, which I provided. When I removed the factory SSD and moved my formerly external SSD to the macbook pro's motherboard, the command (nix-shell -p nix-info --run "nix-info -m") started working.

So in my case, the special nix volume and mounting may have been confused by the existence of additional APFS volumes mounted.

Just chiming in to say that I also experienced this issue, and have 2 additional APFS volumes on my laptop - one for Docker, and a case-sensitive volume that I do my coding work in. After rebooting, both the nix-shell -p nix-info --run "nix-info -m" command and nix doctor to function properly.

[Spongman]

I just got this, three years hence.

$ nix-shell
error: could not set permissions on '/nix/var/nix/profiles/per-user' to 755: Operation not permitted
$ nix doctor
error: could not set permissions on '/nix/var/nix/profiles/per-user' to 755: Operation not permitted

[Ericson2314]

On master we don't use this directory except for when being root, so I hope this can finally be closed for good soon.

[cryptorick]

I just got this, three years hence.

$ nix-shell
error: could not set permissions on '/nix/var/nix/profiles/per-user' to 755: Operation not permitted
$ nix doctor
error: could not set permissions on '/nix/var/nix/profiles/per-user' to 755: Operation not permitted

I got this same error when installing on a "new to me" Macbook running Ventura 13.3.1, when installing nix to an external drive (so I don't know if this is the same situation for most people here).

POINT OF INFORMATION: However, I had previously installed nix successfully and had no problems with nix-shell or nix doctor like this, but the default install scripts created a volume on the internal drive.

I bought an external drive to use for nix, because "mo' room" and more affordable than Apple. So, I cleaned up the nix droppings left by the default nix install, deleted the internal drive volume for nix, added a new volume for nix on the external, and restarted the nix install. Everything went fine during the install, but post install I got the above error messages. :(

After banging head on wall, short story is that all I had to do was go to System Settings > Privacy & Security > Full Disk Access and turn the switch on for the nix entry as you see the the screenshot below. Then, nix doctor gave me PASSes (and no errors of course), and all nix operations are working fine. I hope this helps someone. I had no idea about this.

[scottdotau]

I've had the same issue. I lazily re-installed nix (as I've only just started using it, started 'fresh') which meant removing /nix, *.backup-before-nix, /etc/nix/nix.conf and XDG nix directories.

I notably didn't remove the systemd services (hence lazily).

Reinstalled using multi-user script, and started receiving same error for non-root users.

Came here, read comments etc and issued sudo systemctl daemon-reexec which fixed it (and why a restart will too).

I think it's due to the nix-daemon.service file which includes a line similar to:

ExecStart=@/nix/store/snsjmpdb8hs4jfp82wiykkbb9667rywr-nix-2.16.1/bin/nix-daemon nix-daemon --daemon

Which I'm assuming can change on a reinstall (like mine) as that path may not exist and not be loaded with a simple systemctl restart nix-daemon.service

Then again I have nfi how nix-daemon interacts, though I'm assuming as it's a requirement for multi-user, users probably depend on it whereas root user doesn't (as they have global perms).

I didn't try sudo systemctl daemon-reload which might do the job too?

TLDR:
Try sudo systemctl daemon-reload, if nothing, try sudo systemctl daemon-reexec

TLDR2: you may have to systemctl enable and systemctl start the nix-daemon.service, too, after running into this a second time!

[samuela]

Perhaps we should split this issue out into separate linux/macOS versions? I've personally encountered this error on both. Not sure if the pathogenesis is the same between them however?

[samuela]

FWIW I'm also not convinced that this error is caused by nix-daemon being inactive. I have found that eg

cs-tze7x4cv-light-gpu-homedir-721859% sudo systemctl start nix-daemon
cs-tze7x4cv-light-gpu-homedir-721859% sudo systemctl status nix-daemon
● nix-daemon.service - Nix Daemon
     Loaded: loaded (/etc/systemd/system/nix-daemon.service; linked; vendor preset: enabled)
     Active: active (running) since Tue 2023-07-18 19:56:31 PDT; 8s ago
TriggeredBy: ● nix-daemon.socket
       Docs: man:nix-daemon
             https://nixos.org/manual
   Main PID: 6648 (nix-daemon)
      Tasks: 2 (limit: 72305)
     Memory: 3.8M
     CGroup: /system.slice/nix-daemon.service
             └─6648 nix-daemon --daemon

Jul 18 19:56:31 cs-tze7x4cv-light-gpu-homedir-721859 systemd[1]: Started Nix Daemon.
cs-tze7x4cv-light-gpu-homedir-721859% nix doctor
error: could not set permissions on '/nix/var/nix/profiles/per-user' to 755: Operation not permitted

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/install-not-working-on-fresh-ubuntu-20-04-machine/30662/1

[samuela]

Not sure if this is kosher but I hacked my way around this with

sudo chown --recursive "$USER" /nix

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/install-not-working-on-fresh-ubuntu-20-04-machine/30662/6

[scottdotau]

Not sure if this is kosher but I hacked my way around this with

sudo chown --recursive "$USER" /nix

This will fix it for both you and root, however no other user in a multi-user environment (and possibly not allow other users to use Nix at all, without knowledge of how Nix works behind the scenes).

If this solution works for you, that's great but wouldn't installing for a single user be a better option?

Permission errors are probably one of the most common issues when it comes to any application (especially in linux). I wouldn't be surprised if this issue contains multiple variants, possibly caused by completely separate issues!

I'm just gonna give a simple possible solution to the issue I described here:

1. Does nix-daemon.serivice exist?
2. If yes, get and store hash from file (ExecStart). No? Proceed to 6
3. Install nix/etc.
4. Get latest nix-daemon hash.
5. Compare old hash vs new, replace in service file if updated.
6. Create/update service file with location to nix-daemon
7. If changed, reload service

[samuela]

If this solution works for you, that's great but wouldn't installing for a single user be a better option?

I tried doing a single-user install, but found that didn't work successfully either :/

[ditsuke]

I get this when trying to use an alternative --store with --eval-store=local

❯ nix build --eval-store local --store $PWD/tmpstore
error: could not set permissions on '/nix/var/nix/profiles/per-user' to 755: Operation not permitted

Interestingly it goes away with --eval-store=auto

[drupol]

Got the same issue while working in a Coder environment, fixed by doing sudo chown --recursive "$USER" /nix.

[heimalne]

If this solution works for you, that's great but wouldn't installing for a single user be a better option?

I tried doing a single-user install, but found that didn't work successfully either :/

I get the same error when running Nix in single-user mode inside a Gitlab job where only non-root access/user is allowed. The issue in Gitlab is that a user id is chosen randomly per job so you cannot prepare the rights for a single user. So
sudo chown --recursive "$USER" /nix beforehand doesn't work here. Any other workarounds?

[x-mass]

If you are using macOS server with no GUI, refer to this post to set VNC remote desktop to allow full disk access in settings. I did not figure out how to do this via ssh session (if you know the way, let me know).
https://repost.aws/knowledge-center/ec2-mac-instance-gui-access

The problem arises from macOS launchd daemons' restrictions. Since nix-daemon is one of them, it is subject to sandboxing. If you check the logs (less /var/log/nix-daemon.log), you'll see periodic error messages as file system sandbox blocked open(). You could manually run the daemon after unloading the module

sudo launchctl unload /Library/LaunchDaemons/org.nixos.nix-daemon.plist
sudo /nix/var/nix/profiles/default/bin/nix-daemon

to make sure the issue is gone and nix config check executes successfully when not inside sandbox.

[PlumpMath]

Is there a way to install macOS and the Nix daemon on the Mac’s original hard drive as usual, but install all additional Nix stores on an external hard drive? On Linux systems other than NixOS, I’ve been solving this issue by moving the Nix store to another location and running the following script at every reboot:

mkdir -pv /nix
mount --bind /home/user/new-nix-store /nix

I hope that a similar solution could resolve the multi-user issue on macOS. To achieve this, we might need a way to bypass mounting /nix on a new volume of APFS. Does anyone know how to do this?

If such an option is added to the Nix installer for macOS, it would perfectly solve the issue.

[DavidPesticcio]

FYI: The per-user user directories should be owned by the user themself - see below.

Action	command
To create	sudo mkdir $USER /nix/var/nix/{profiles,gcroots}/per-user/$USER
To set owner	sudo chown $USER /nix/var/nix/{profiles,gcroots}/per-user/$USER
To verify	ls -ld /nix/var/nix/{profiles,gcroots}/per-user/$USER

For more info see: nix-community/nix-direnv#327 (comment)

You may also see errors like the ones below, highlighted with <YOUR-USERNAME> - which can be resolved with the commands above:

$ home-manager -f ./home.nix switch 
/nix/store/wckka8fxv4h5hp74cbkhaw3fw7kbvcs1-bash-5.2p26/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_GB.UTF-8)
warning: In a derivation named 'neovim-unwrapped-0.9.5', 'structuredAttrs' disables the effect of the derivation attribute 'disallowedRequisites'; use 'outputChecks.<output>.disallowedRequisites' instead
/nix/store/lyqz182y30wj8z5zjm64nkpan5rwm1vq-home-manager-generation
/nix/store/wckka8fxv4h5hp74cbkhaw3fw7kbvcs1-bash-5.2p26/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_GB.UTF-8)
Starting Home Manager activation
Activating checkFilesChanged
Activating checkLinkTargets
bash: warning: setlocale: LC_ALL: cannot change locale (en_GB.UTF-8)
Activating writeBoundary
Activating createGpgHomedir
Activating installPackages
nix profile remove /nix/store/4vsmdahg7d7nasshmwpf5vacggy58zpi-home-manager-path
removing 'home-manager-path'
error: filesystem error: cannot create symlink: Permission denied [/nix/store/c0dj6b3247lhr4y7vj1d54a7mfzx9iv2-profile] [/nix/var/nix/profiles/per-user/<YOUR-USERNAME>/profile-235-link.tmp-1035293-537821228]
error: filesystem error: cannot create symlink: Permission denied [/nix/store/0ag35zgacrazdd1dfdr8jgbaazn111jy-profile] [/nix/var/nix/profiles/per-user/<YOUR-USERNAME>/profile-235-link.tmp-1035306-662586913]

Oops, Nix failed to install your new Home Manager profile!

Perhaps there is a conflict with a package that was installed using
"nix profile install"? Try running

    nix profile list

and if there is a conflicting package you can remove it with

    nix profile remove {number | store path}

Then try activating your Home Manager configuration again.

nix profile remove /nix/store/4vsmdahg7d7nasshmwpf5vacggy58zpi-home-manager-path
removing 'home-manager-path'
error: filesystem error: cannot create symlink: Permission denied [/nix/store/c0dj6b3247lhr4y7vj1d54a7mfzx9iv2-profile] [/nix/var/nix/profiles/per-user/<YOUR-USERNAME>/profile-235-link.tmp-1039582-1314763823]

[PlumpMath]

solved

#10421 (comment)

[nusendra]

nix profile list

this solve my problem. Thanks much

[bmillwood]

FWIW, I hit this issue on Linux after I deliberately killed the nix-daemon because I was trying to test my own hand-compiled nix, and I couldn't figure out any other way to get it to stop using the daemon. I think it's basically quite reasonable that I have to use nix commands with sudo in this case, but it's still odd to get an error message about setting these permissions when they are already set that way.