ci: create and use non-root user for docker image

Running all commands as the root user in the docker image
will change local file permissions in the ci and depends directory.

Add a non-root user to the container and use this user whenever
possible when running docker exec commands.

ci/test/04_install.sh

@@ -27,6 +27,11 @@ export P_CI_DIR="$PWD"
 
 if [ -z "$DANGER_RUN_CI_ON_HOST" ]; then
   echo "Creating $DOCKER_NAME_TAG container to run in"
+  LOCAL_UID=$(id -u)
+  LOCAL_GID=$(id -g)
+
+  # the name isn't important, so long as we use the same UID
+  LOCAL_USER=nonroot
   ${CI_RETRY_EXE} docker pull "$DOCKER_NAME_TAG"
 
   if [ -n "${RESTART_CI_DOCKER_BEFORE_RUN}" ] ; then
@@ -44,34 +49,47 @@ if [ -z "$DANGER_RUN_CI_ON_HOST" ]; then
                   --env-file /tmp/env \
                   --name $CONTAINER_NAME \
                   $DOCKER_NAME_TAG)
-  export DOCKER_CI_CMD_PREFIX="docker exec $DOCKER_ID"
+
+  # Create a non-root user inside the container which matches the local user.
+  #
+  # This prevents the root user in the container modifying the local file system permissions
+  # on the mounted directories
+  docker exec "$DOCKER_ID" useradd -u "$LOCAL_UID" -o -m "$LOCAL_USER"
+  docker exec "$DOCKER_ID" groupmod -o -g "$LOCAL_GID" "$LOCAL_USER"
+  docker exec "$DOCKER_ID" chown -R "$LOCAL_USER":"$LOCAL_USER" "${BASE_ROOT_DIR}"
+  export DOCKER_CI_CMD_PREFIX_ROOT="docker exec -u 0 $DOCKER_ID"
+  export DOCKER_CI_CMD_PREFIX="docker exec -u $LOCAL_UID $DOCKER_ID"
 else
   echo "Running on host system without docker wrapper"
 fi
 
 CI_EXEC () {
   $DOCKER_CI_CMD_PREFIX bash -c "export PATH=$BASE_SCRATCH_DIR/bins/:\$PATH && cd \"$P_CI_DIR\" && $*"
 }
+CI_EXEC_ROOT () {
+  $DOCKER_CI_CMD_PREFIX_ROOT bash -c "export PATH=$BASE_SCRATCH_DIR/bins/:\$PATH && cd \"$P_CI_DIR\" && $*"
+}
 export -f CI_EXEC
+export -f CI_EXEC_ROOT
 
 if [ -n "$DPKG_ADD_ARCH" ]; then
-  CI_EXEC dpkg --add-architecture "$DPKG_ADD_ARCH"
+  CI_EXEC_ROOT dpkg --add-architecture "$DPKG_ADD_ARCH"
 fi
 
 if [[ $DOCKER_NAME_TAG == *centos* ]]; then
-  ${CI_RETRY_EXE} CI_EXEC dnf -y install epel-release
-  ${CI_RETRY_EXE} CI_EXEC dnf -y --allowerasing install "$DOCKER_PACKAGES" "$PACKAGES"
+  ${CI_RETRY_EXE} CI_EXEC_ROOT dnf -y install epel-release
+  ${CI_RETRY_EXE} CI_EXEC_ROOT dnf -y --allowerasing install "$DOCKER_PACKAGES" "$PACKAGES"
 elif [ "$CI_USE_APT_INSTALL" != "no" ]; then
   if [[ "${ADD_UNTRUSTED_BPFCC_PPA}" == "true" ]]; then
     # Ubuntu 22.04 LTS and Debian 11 both have an outdated bpfcc-tools packages.
     # The iovisor PPA is outdated as well. The next Ubuntu and Debian releases will contain updated
     # packages. Meanwhile, use an untrusted PPA to install an up-to-date version of the bpfcc-tools
     # package.
     # TODO: drop this once we can use newer images in GCE
-    CI_EXEC add-apt-repository ppa:hadret/bpfcc
+    CI_EXEC_ROOT add-apt-repository ppa:hadret/bpfcc
   fi
-  ${CI_RETRY_EXE} CI_EXEC apt-get update
-  ${CI_RETRY_EXE} CI_EXEC apt-get install --no-install-recommends --no-upgrade -y "$PACKAGES" "$DOCKER_PACKAGES"
+  ${CI_RETRY_EXE} CI_EXEC_ROOT apt-get update
+  ${CI_RETRY_EXE} CI_EXEC_ROOT apt-get install --no-install-recommends --no-upgrade -y "$PACKAGES" "$DOCKER_PACKAGES"
 fi
 
 if [ -n "$PIP_PACKAGES" ]; then
@@ -126,7 +144,7 @@ if [[ "${RUN_TIDY}" == "true" ]]; then
     CI_EXEC "mkdir -p ${DIR_IWYU}/build/"
     CI_EXEC "git clone --depth=1 https://github.com/include-what-you-use/include-what-you-use -b clang_14 ${DIR_IWYU}/include-what-you-use"
     CI_EXEC "cd ${DIR_IWYU}/build && cmake -G 'Unix Makefiles' -DCMAKE_PREFIX_PATH=/usr/lib/llvm-14 ../include-what-you-use"
-    CI_EXEC "cd ${DIR_IWYU}/build && make install $MAKEJOBS"
+    CI_EXEC_ROOT "cd ${DIR_IWYU}/build && make install $MAKEJOBS"
   fi
 fi
 

ci/test/05_before_script.sh

@@ -11,6 +11,7 @@ if [ "$CI_OS_NAME" == "macos" ]; then
   echo > "${HOME}/Library/Application Support/Bitcoin"
 else
   CI_EXEC echo \> \$HOME/.bitcoin
+  CI_EXEC_ROOT echo \> \$HOME/.bitcoin
 fi
 
 CI_EXEC mkdir -p "${DEPENDS_DIR}/SDKs" "${DEPENDS_DIR}/sdk-sources"