external-derivation-builder: run under build user, chown topTmpDir to builder

The chown to builder is necessary for granting the builder the ability to
access its entire ancestry (which is required on macOS for things like
mounting the build directory into a VM to work) while running under a
build user.

Eelco mentioned that the reason topTmpDir is generally 700 is because of
how the Linux chroot is setup, but since we do not use a chroot on macOS,
it's fine to make the build dir readable to the build user.

src/libstore/unix/build/external-derivation-builder.cc

@@ -29,9 +29,7 @@ struct ExternalDerivationBuilder : DerivationBuilderImpl
 
     bool prepareBuild() override
     {
-        // External builds don't use build users, so this always
-        // succeeds.
-        return true;
+        return DerivationBuilderImpl::prepareBuild();
     }
 
     Path tmpDirInSandbox() override
@@ -49,7 +47,12 @@ struct ExternalDerivationBuilder : DerivationBuilderImpl
 
     void prepareUser() override
     {
-        // Nothing to do here since we don't have a build user.
+        DerivationBuilderImpl::prepareUser();
+    }
+
+    void setUser() override
+    {
+        DerivationBuilderImpl::setUser();
     }
 
     void checkSystem() override
@@ -103,6 +106,10 @@ struct ExternalDerivationBuilder : DerivationBuilderImpl
 
                 args.insert(args.end(), jsonFile);
 
+                chownToBuilder(topTmpDir);
+
+                setUser();
+
                 debug("executing external builder: %s", concatStringsSep(" ", args));
                 execv(externalBuilder.program.c_str(), stringsToCharPtrs(args).data());