docker-library / postgres

Docker Official Image packaging for Postgres
http://www.postgresql.org
MIT License

Replace `su-exec` with `gosu` #1246

Closed. tianon closed 3 weeks ago

tianon commented 1 month ago

There's a major issue with su-exec whose fix has gone unreleased for 5 years (typos leading to running code as root, the opposite of the purpose of the program).

This also decreases our Debian vs Alpine variance.

Due to user scripts/downstream code potentially using su-exec, I have included a compatibility symlink to su-exec for all versions less than the 17 pre-release.

tianon commented 1 month ago

To be explicitly clear: I am open to exploring other alternatives as well, but su-exec really should be removed here, and any alternative solution needs to also consider the downstream effects (and how we keep compatibility + minimize the code/variance we have to maintain).

tianon commented 1 month ago

See https://github.com/tianon/gosu/pull/143 for one such alternative.

yosifkit commented 3 weeks ago

I agree with your hesitation to recommend your setpriv wrapper in https://github.com/tianon/gosu/pull/143#issuecomment-2174630612 since it is new and fragile, so I think gosu is the best CLI-compatible alternative.


For future users wondering why the Alpine-based image suddenly "has tons of CVEs": gosu has documented that naive vulnerability analysis tools will detect many CVEs; as of June 2024, none are applicable since gosu does not ever invoke any of the CVE-vulnerable functions (see gosu's security.md).

https://github.com/tianon/gosu/issues/136#issuecomment-2150375314 may also be of interest.