[ISSUE] nix: do not disable sandbox by default

[ISSUE] nix: do not disable sandbox by default

[Cloudef]

[-- Attachment #1: Type: text/plain, Size: 1574 bytes --]

New issue by Cloudef on void-packages repository

https://github.com/void-linux/void-packages/issues/35666

Description:
### System

* xuname:  Void 5.12.14_1 x86_64-musl AuthenticAMD uptodate rFFFF
* package:  nix-2.3.12_1

### Expected behavior

/etc/nix.conf should have sandbox on, and should build packages as expected in such isolated environment.

### Actual behavior

/etc/nix.conf has sandbox turned off by default, and it fails unexpectedly when turned on due to a misconfiguration with sandbox-paths. Nix mounts `/bin/sh` into the sandboxed namespace, but this binary is linked against musl libc and thus fails to work in such a sandboxed environment.

The workaround is to install busybox-static and edit sandbox-paths in /etc/nix.conf so that /bin/sh points to busybox.static instead.

### Steps to reproduce the behavior

1. Install nix and make sure sandboxing is turned on (restart daemon)
2. Use the following default.nix
```nix
{ pkgs ? import <nixpkgs> {} }:

pkgs.buildPackages.rustPlatform.buildRustPackage rec {
  pname = "diesel-cli-ext";
  version = "0.3.6";
  cargoSha256 = "1npmr1sy7d6gv7j3r8c03c7k7c9fv0kvipl96cm6g1c90qqba2hx";
  src = pkgs.fetchCrate {
    inherit version;
    crateName = "diesel_cli_ext";
    sha256 = "0zf98kydxgb9mc77x7r4d0vmkfzgi5h4h6n1dhpgq2if9ybyci0b";
  };
}
```
3. build will fail with misleading error:
```
tar (child): gzip: Cannot exec: No such file or directory
tar (child): Error is not recoverable: exiting now
```
4. strace reveals the tar actually does `/bin/sh -c gzip` 

Re: nix: do not disable sandbox by default

[Cloudef]

[-- Attachment #1: Type: text/plain, Size: 276 bytes --]

New comment by Cloudef on void-packages repository

https://github.com/void-linux/void-packages/issues/35666#issuecomment-1043187650

Comment:
I also filled bug in nix as nix probably should detect this kind of misconfiguration early: https://github.com/NixOS/nix/issues/6113

Re: nix: do not disable sandbox by default

[github-actions]

[-- Attachment #1: Type: text/plain, Size: 293 bytes --]

New comment by github-actions[bot] on void-packages repository

https://github.com/void-linux/void-packages/issues/35666#issuecomment-1165111442

Comment:
Issues become stale 90 days after last activity and are closed 14 days after that.  If this issue is still relevant bump it or assign it.

Re: nix: do not disable sandbox by default

[Cloudef]

[-- Attachment #1: Type: text/plain, Size: 158 bytes --]

New comment by Cloudef on void-packages repository

https://github.com/void-linux/void-packages/issues/35666#issuecomment-1165202244

Comment:
Still relevant

Re: nix: do not disable sandbox by default

[github-actions]

[-- Attachment #1: Type: text/plain, Size: 293 bytes --]

New comment by github-actions[bot] on void-packages repository

https://github.com/void-linux/void-packages/issues/35666#issuecomment-1256834988

Comment:
Issues become stale 90 days after last activity and are closed 14 days after that.  If this issue is still relevant bump it or assign it.

Re: nix: do not disable sandbox by default

[Cloudef]

[-- Attachment #1: Type: text/plain, Size: 158 bytes --]

New comment by Cloudef on void-packages repository

https://github.com/void-linux/void-packages/issues/35666#issuecomment-1256880179

Comment:
Still relevant

Re: nix: do not disable sandbox by default

[github-actions]

[-- Attachment #1: Type: text/plain, Size: 293 bytes --]

New comment by github-actions[bot] on void-packages repository

https://github.com/void-linux/void-packages/issues/35666#issuecomment-1364610920

Comment:
Issues become stale 90 days after last activity and are closed 14 days after that.  If this issue is still relevant bump it or assign it.