New issue by Cloudef on void-packages repository

https://github.com/void-linux/void-packages/issues/35666

Description:

### System

* xuname: Void 5.12.14_1 x86_64-musl AuthenticAMD uptodate rFFFF
* package: nix-2.3.12_1

### Expected behavior

/etc/nix.conf should have sandbox on, and should build packages as expected in such an isolated environment.

### Actual behavior

/etc/nix.conf has sandbox turned off by default, and it fails unexpectedly when turned on due to a misconfiguration with sandbox-paths. Nix mounts `/bin/sh` into the sandboxed namespace, but this binary is linked against musl libc and thus fails to work in such a sandboxed environment. The workaround is to install busybox-static and edit sandbox-paths in /etc/nix.conf so that /bin/sh points to busybox.static instead.

### Steps to reproduce the behavior

1. Install nix and make sure sandboxing is turned on (restart daemon)
2. Use the following default.nix

```nix
{ pkgs ? import <nixpkgs> {} }:

pkgs.buildPackages.rustPlatform.buildRustPackage rec {
  pname = "diesel-cli-ext";
  version = "0.3.6";
  cargoSha256 = "1npmr1sy7d6gv7j3r8c03c7k7c9fv0kvipl96cm6g1c90qqba2hx";
  src = pkgs.fetchCrate {
    inherit version;
    crateName = "diesel_cli_ext";
    sha256 = "0zf98kydxgb9mc77x7r4d0vmkfzgi5h4h6n1dhpgq2if9ybyci0b";
  };
}
```

3. The build will fail with a misleading error:

```
tar (child): gzip: Cannot exec: No such file or directory
tar (child): Error is not recoverable: exiting now
```

4. strace reveals that tar actually does `/bin/sh -c gzip`
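
Added example, not part of the original issue and not code from Nix or void-packages: a Python check for the condition reported above, which reads `sandbox-paths` from nix.conf text and reports whether the file mounted as `/bin/sh` requests a dynamic loader. It assumes little-endian ELF64 binaries (the x86_64 system in the report); the function names, the placeholder `/path/to/busybox.static` and the tiny ELF sample are constructed for illustration.

```python
import struct

PT_INTERP = 3  # ELF program header type that names the dynamic loader

def parse_sandbox_paths(conf_text):
    """Map path-inside-sandbox -> host path from nix.conf text."""
    mounts = {}
    for line in conf_text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if not sep or key.strip() != "sandbox-paths":
            continue
        mounts = {}  # a later assignment overrides an earlier one
        for entry in value.split():
            target, _, source = entry.rstrip("?").partition("=")
            mounts[target] = source or target
    return mounts

def elf_interpreter(data):
    """Return the PT_INTERP path of a little-endian ELF64 image, None if static."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset = struct.unpack_from("<IIQ", data, off)
        p_filesz, = struct.unpack_from("<Q", data, off + 32)
        if p_type == PT_INTERP:
            return data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return None

def tiny_elf(interp=None):
    """Constructed sample: 64-byte ELF header plus one program header."""
    path = (interp or "").encode() + b"\0"
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP if interp else 1, 4,
                       120, 0, 0, len(path), len(path), 1)
    return ehdr + phdr + path

def sandbox_shell(conf_text, read_file):
    """Return (host path, loader or None) for the sandbox's /bin/sh."""
    source = parse_sandbox_paths(conf_text).get("/bin/sh")
    return None if source is None else (source, elf_interpreter(read_file(source)))

if __name__ == "__main__":
    # Constructed config; /path/to/busybox.static is a placeholder path.
    conf = "sandbox = true\nsandbox-paths = /bin/sh=/path/to/busybox.static\n"
    print(sandbox_shell(conf, lambda p: tiny_elf()))
```

A non-`None` loader in the result means the shell depends on a dynamic loader and shared libraries that must also be visible inside the sandbox for it to run.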