diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index f9115671b..f97615e69 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -353,8 +353,8 @@ let
 message = "program ${name} specified no `sandbox.method`; please configure a method, or set sandbox.enable = false.";
 }
 {
- assertion = (p.net == "clearnet") || p.sandbox.method != null;
- message = ''program "${name}" requests net "${p.net}", which requires sandboxing, but sandboxing was disabled'';
+ assertion = p.net == "clearnet" || p.sandbox.method != null;
+ message = ''program "${name}" requests net "${p.net}", which requires sandboxing, but sandboxing wasn't configured'';
 }
 ] ++ builtins.map (sug: {
 assertion = cfg ? "${sug}";
@@ -470,7 +470,7 @@ in
 type = types.bool;
 default = false;
 description = ''
- whether to require that every `sane.program` explicitly specify its sandbox settings
+ whether to require that every `sane.program` explicitly specify its sandbox settings.
 '';
 };
 };
diff --git a/modules/programs/make-sandboxed.nix b/modules/programs/make-sandboxed.nix
index b233efaa6..6067e6677 100644
--- a/modules/programs/make-sandboxed.nix
+++ b/modules/programs/make-sandboxed.nix
@@ -136,7 +136,8 @@ let
 # ensuring that every binary has in fact been wrapped.
 _numExec=0
 for b in ${packageWrapped}/bin/*; do
- PATH="$PATH:${packageWrapped}/bin:${sane-sandboxed}/bin" \
+ echo "checking if $b is sandboxed"
+ PATH="${packageWrapped}/bin:${sane-sandboxed}/bin:$PATH" \
 SANE_SANDBOX_DISABLE=1 \
 "$b" --sane-sandbox-replace-cli echo "printing for test" \
 | grep "printing for test"
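Review bot: The net assertion in the first hunk of modules/programs/default.nix tests only `p.sandbox.method != null`, yet the message of the preceding assertion shows there is also a `sandbox.enable` switch. If a program can keep a method set while `sandbox.enable = false`, a non-clearnet `net` request would pass this check and presumably run without the network restriction the message promises. The hunk does not show how `enable` and `method` interact, so this needs confirming; if they are independent, the condition should cover both, e.g. `assertion = p.net == "clearnet" || (p.sandbox.enable && p.sandbox.method != null);`. The assertion list begins and ends outside the hunk.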
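Review bot: The wrapper check in the make-sandboxed.nix loop passes on any stdout that merely contains `printing for test`, so a binary that was never wrapped but prints its own arguments (for example in a usage message) would be counted as sandboxed. Since this loop is the control that guarantees every binary is wrapped, match the whole line instead: `| grep -qx "printing for test"`, assuming the wrapper emits the replaced command's output on a line of its own. The added `echo "checking if $b is sandboxed"` already names the binary under test, which makes a stricter match easy to debug. The loop body continues outside the hunk.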