diff --git a/default.nix b/default.nix
index 3923cb9592b7..46f2d265216f 100644
--- a/default.nix
+++ b/default.nix
@@ -1,6 +1,6 @@
 let
 
-  fromEnv = name : default :
+  fromEnv = name: default:
     let env = builtins.getEnv name; in
     if env == "" then default else env;
   configuration = import (fromEnv "NIXOS_CONFIG" /etc/nixos/configuration.nix);
diff --git a/etc/default.nix b/etc/default.nix
index 448fa993d73b..c4cb68d94150 100644
--- a/etc/default.nix
+++ b/etc/default.nix
@@ -1,5 +1,5 @@
 { config, pkgs, upstartJobs, systemPath, wrapperDir
-, defaultShell, extraEtc, nixEnvVars, modulesTree, nssModulesPath
+, defaultShell, extraEtc, nixEnvVars, modulesTree, nssModulesPath, binsh
 }:
 
 let 
@@ -123,14 +123,27 @@ import ../helpers/make-etc.nix {
     }
 
     { # Nix configuration.
-      source = pkgs.writeText "nix.conf" ''
-        # WARNING: this file is generated.
-        build-users-group = nixbld
-        build-max-jobs = ${toString (config.nix.maxJobs)}
-        build-use-chroot = ${if config.nix.useChroot then "true" else "false"}
-        build-chroot-dirs = /dev /dev/pts /proc /bin
-        ${config.nix.extraOptions}
-      '';
+      source =
+        let
+          # Tricky: if we're using a chroot for builds, then we need
+          # /bin/sh in the chroot (our own compromise to purity).
+          # However, since /bin/sh is a symlink to some path in the
+          # Nix store, which furthermore has runtime dependencies on
+          # other paths in the store, we need the closure of /bin/sh
+          # in `build-chroot-dirs' - otherwise any builder that uses
+          # /bin/sh won't work.
+          refs = pkgs.writeReferencesToFile binsh;
+        in 
+          pkgs.runCommand "nix.conf" {} ''
+            cat > $out <<END
+            # WARNING: this file is generated.
+            build-users-group = nixbld
+            build-max-jobs = ${toString (config.nix.maxJobs)}
+            build-use-chroot = ${if config.nix.useChroot then "true" else "false"}
+            build-chroot-dirs = $(echo $(cat ${refs}))
+            ${config.nix.extraOptions}
+            END
+          '';
       target = "nix.conf"; # will be symlinked from /nix/etc/nix/nix.conf in activate-configuration.sh.
     }
 
diff --git a/system/activate-configuration.sh b/system/activate-configuration.sh
index fb4c6a91da65..e41e747e8566 100644
--- a/system/activate-configuration.sh
+++ b/system/activate-configuration.sh
@@ -50,7 +50,7 @@ done
 # Create the required /bin/sh symlink; otherwise lots of things
 # (notably the system() function) won't work.
 mkdir -m 0755 -p $mountPoint/bin
-ln -sfn @bash@/bin/sh $mountPoint/bin/sh
+ln -sfn @binsh@/bin/sh $mountPoint/bin/sh
 
 
 # Allow the kernel to find our wrapped modprobe (which searches in the
diff --git a/system/system.nix b/system/system.nix
index d4594a91b9cc..948b9a6a345d 100644
--- a/system/system.nix
+++ b/system/system.nix
@@ -116,7 +116,7 @@ rec {
   # The static parts of /etc.
   etc = import ../etc/default.nix {
     inherit config pkgs upstartJobs systemPath wrapperDir
-      defaultShell nixEnvVars modulesTree nssModulesPath;
+      defaultShell nixEnvVars modulesTree nssModulesPath binsh;
     extraEtc =
        (pkgs.lib.concatLists (map (job: job.extraEtc) upstartJobs.jobs))
     ++ config.environment.etc;
@@ -262,6 +262,10 @@ rec {
 
   defaultShell = "/var/run/current-system/sw/bin/bash";
 
+
+  # The shell that we want to use for /bin/sh.
+  binsh = pkgs.bashInteractive;
+
     
   # The script that activates the configuration, i.e., it sets up
   # /etc, accounts, etc.  It doesn't do anything that can only be done
@@ -270,8 +274,10 @@ rec {
     src = ./activate-configuration.sh;
     isExecutable = true;
 
-    inherit etc wrapperDir systemPath modprobe defaultShell kernel;
+    inherit etc wrapperDir systemPath modprobe defaultShell kernel binsh;
+    
     hostName = config.networking.hostName;
+    
     setuidPrograms =
       config.security.setuidPrograms ++
       config.security.extraSetuidPrograms ++
@@ -288,8 +294,6 @@ rec {
         pkgs.pwdutils
       ];
 
-    bash = pkgs.bashInteractive;
-
     adjustSetuidOwner = pkgs.lib.concatStrings (map 
       (_entry: let entry = {
         owner = "nobody";