diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
index b4f954f809..a9f63ac92f 100644
--- a/.github/workflows/build_and_test.yml
+++ b/.github/workflows/build_and_test.yml
@@ -443,7 +443,7 @@ jobs:
 container:
 image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/build-tools:${{ needs.build-buildtools-image.outputs.build-tools-tag }}
 # for changed limits, see comments on `options:` earlier in this file
- options: --init --shm-size=512mb --ulimit memlock=67108864:67108864 --cgroupns=private --privileged
+ options: --init --shm-size=512mb --ulimit memlock=67108864:67108864 --cgroupns=private --security-opt umask=/sys/fs/cgroup
 strategy:
 fail-fast: false
 matrix:
@@ -457,7 +457,7 @@ jobs:
 fetch-depth: 1
 - name: Setup cgroup for use by test suite
- run: sudo mkdir /sys/fs/cgroup/neon_testsuite && sudo chown -R nonroot:nonroot /sys/fs/cgroup/neon_testsuite
+ run: sudo bash -x /setup_neon_testsuite_cgroup.bash
 - name: Pytest regression tests
 uses: ./.github/actions/run-python-test-set
diff --git a/Dockerfile.buildtools b/Dockerfile.buildtools
index 97bdf6771a..add46eca26 100644
--- a/Dockerfile.buildtools
+++ b/Dockerfile.buildtools
@@ -51,7 +51,13 @@ RUN set -e \
 # Add nonroot user
 RUN useradd -ms /bin/bash nonroot -b /home
 SHELL ["/bin/bash", "-c"]
-RUN echo "ALL ALL = (ALL) NOPASSWD: ALL" >> /etc/sudoers
+RUN echo "#!/usr/bin/env bash \
+set -exuo pipefail \
+mkdir /sys/fs/cgroup/neon_testsuite \
+chown -R nonroot:nonroot /sys/fs/cgroup/neon_testsuite \
+echo SUCCESS: cgroup set up for user nonroot at /sys/fs/cgroup/neon_testsuite \
+" > /setup_neon_testsuite_cgroup.bash && chmod +x /setup_neon_testsuite_cgroup.bash
+RUN echo "ALL ALL = (ALL) NOPASSWD: /setup_neon_testsuite_cgroup.bash" >> /etc/sudoers
 # protobuf-compiler (protoc)
 ENV PROTOC_VERSION 25.1
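Review bot: `--security-opt umask=/sys/fs/cgroup` on the new `options:` line should be checked against the container runtime the runner actually uses. As far as I know, Docker's `--security-opt` takes `label`, `apparmor`, `seccomp`, `no-new-privileges` and `systempaths=unconfined`, and Podman spells path unmasking `unmask=`, so `umask=` looks like a typo that would presumably be rejected at container start or leave `/sys/fs/cgroup` read-only. Dropping `--privileged` is the right direction, but please confirm on a real run that the later cgroup setup step can still create `neon_testsuite`. A comment above `options:` such as `# /sys/fs/cgroup is opened up only so the test suite can create its own cgroup; do not re-add --privileged` would record the intent. The job that this `container:` block belongs to starts outside the hunk.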
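Review bot: The new step runs `sudo bash -x /setup_neon_testsuite_cgroup.bash`, but the sudoers rule this commit adds in Dockerfile.buildtools permits only the command `/setup_neon_testsuite_cgroup.bash`. sudo matches on the command it is asked to execute, which here is `bash`, so for a non-root user this call should be refused or prompt for a password now that `NOPASSWD: ALL` is gone. Invoke the script directly with `run: sudo /setup_neon_testsuite_cgroup.bash`; the script's own `set -exuo pipefail` already requests tracing. The step list this entry belongs to continues outside the hunk.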
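Review bot: The script written by the multi-line `echo` ends up as a single line, because each backslash-newline inside the `RUN` is a line continuation and is removed before the text reaches the file. The file is then one long `#!` line: run through `bash` it is a comment that exits 0 without doing `mkdir` or `chown`, and run directly it fails on the malformed shebang. Write the lines with real newlines, for example with `printf '%s\n'` as below, or `COPY` the script from the repository. Separately, appending to `/etc/sudoers` with `>>` skips syntax validation and `ALL ALL = (ALL)` is wider than this needs. If only `nonroot` runs the step, a rule limited to that user as root, validated with `visudo -c`, would be tighter.

```dockerfile
SHELL ["/bin/bash", "-c"]
# Each argument becomes one line of the script; the file stays root-owned and not writable by nonroot.
RUN printf '%s\n' \
      '#!/usr/bin/env bash' \
      'set -exuo pipefail' \
      'mkdir /sys/fs/cgroup/neon_testsuite' \
      'chown -R nonroot:nonroot /sys/fs/cgroup/neon_testsuite' \
      'echo SUCCESS: cgroup set up for user nonroot at /sys/fs/cgroup/neon_testsuite' \
      > /setup_neon_testsuite_cgroup.bash \
    && chmod 0755 /setup_neon_testsuite_cgroup.bash
# … unchanged: sudoers rule for /setup_neon_testsuite_cgroup.bash …
```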