Run the test suite unprivileged

.circleci/config.yml

@@ -38,8 +38,22 @@ jobs:
 
       - run:
           name: "Bootstrap test environment"
+          working_directory: "/tmp"
           command: |
+            # Avoid the /nonexistent home directory in nobody's /etc/passwd
+            # entry.
+            usermod --home /tmp/nobody nobody
+
+            # Grant read access to nobody, the user which will eventually try
+            # to test this checkout.
+            mv /root/project /tmp/project
+
+            # Python build/install toolchain wants to write to the source
+            # checkout, too.
+            chown --recursive nobody:nogroup /tmp/project
+
             apt-get --quiet --yes install \
+                sudo \
                 build-essential \
                 python2.7 \
                 python2.7-dev \
@@ -47,13 +61,23 @@ jobs:
                 libssl-dev \
                 libyaml-dev \
                 virtualenv
-            virtualenv --python python2.7 tests
+
-            tests/bin/pip install tox
+            # Set up the virtualenv as a non-root user so we can run the test
+            # suite as a non-root user.  See below.
+            sudo -u nobody virtualenv --python python2.7 /tmp/tests
+            sudo -u nobody /tmp/tests/bin/pip install tox
 
       - run:
           name: "Run test suite"
           command: |
-            tests/bin/tox -e py27
+            # Run the test suite as a non-root user.  This is the expected
+            # usage some small areas of the test suite assume non-root
+            # privileges (such as unreadable files being unreadable).
+            #
+            # Also run with /tmp as a workdir because the non-root user won't
+            # be able to create the tox working filesystem state in the source
+            # checkout because it is owned by root.
+            sudo -u nobody /tmp/tests/bin/tox -c /tmp/project/tox.ini --workdir /tmp -e py27
 
   debian-9:
     docker: