Fix --no-sandbox

When sandboxing is disabled, we cannot put $TMPDIR underneath an
inaccessible directory.

src/libstore/unix/build/local-derivation-goal.cc

@@ -503,9 +503,14 @@ void LocalDerivationGoal::startBuilder()
 
     /* Create a temporary directory where the build will take
        place. */
-    auto parentTmpDir = createTempDir(settings.buildDir.get().value_or(""), "nix-build-" + std::string(drvPath.name()), false, false, 0700);
+    tmpDir = createTempDir(settings.buildDir.get().value_or(""), "nix-build-" + std::string(drvPath.name()), false, false, 0700);
-    tmpDir = parentTmpDir + "/build";
+    if (useChroot) {
-    createDir(tmpDir, 0700);
+        /* If sandboxing is enabled, put the actual TMPDIR underneath
+           an inaccessible root-owned directory, to prevent outside
+           access. */
+        tmpDir = tmpDir + "/build";
+        createDir(tmpDir, 0700);
+    }
     chownToBuilder(tmpDir);
 
     for (auto & [outputName, status] : initialOutputs) {

tests/functional/check.sh

@@ -46,7 +46,10 @@ test_custom_build_dir() {
       --no-out-link --keep-failed --option build-dir "$TEST_ROOT/custom-build-dir" 2> $TEST_ROOT/log || status=$?
   [ "$status" = "100" ]
   [[ 1 == "$(count "$customBuildDir/nix-build-"*)" ]]
-  local buildDir="$customBuildDir/nix-build-"*"/build"
+  local buildDir="$customBuildDir/nix-build-"*""
+  if [[ -e $buildDir/build ]]; then
+      buildDir=$buildDir/build
+  fi
   grep $checkBuildId $buildDir/checkBuildId
 }
 test_custom_build_dir