amodm / webbrowser-rs

Rust library to open URLs in the web browsers available on a platform


Option to specify user

jamesmcm opened this issue · comments

Most browsers won't run as root, so as part of a program running as root it'd be useful to be able to specify that the browser should be opened as another user.

@jamesmcm most such scenarios are handled by early dropping of privileges rather than late. As such, I feel this is better handled by the upstream code, not by a library. Any specific reason why it should be handled in the way you're proposing?

Mainly in the case where I don't want to drop privileges for the current process (i.e. maybe later on I need root access for some things), but want an easy way to spawn the new process as another user (i.e. if the user has to confirm some OAuth login etc.).

Otherwise how would you do the above? For now I worked around where I had to do this (by dropping privileges), because it happened that the specific command didn't need root access later on, but I could imagine cases where you would do.

Based on my understanding of security best practices, you should be doing one of the following:

  1. Initialize whatever you need to, early, and then drop privileges for the remaining process
  2. Spawn a separate process, where only privileged stuff happens, while most of the remaining process runs with dropped privileges, relying on message passing between the two processes.
  3. Do the same as the previous option (or some variant), but using threads and capabilities

If none of the above fits your need, then I suppose the only way would be to do a fork and then to call something like rust-privdrop, before invoking this library.

Obviously, this is based on my understanding of the current best practices. If you find research contrary to this, feel free to point me to it.
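The "spawn a separate process and drop privileges before opening the browser" pattern from the comment above, as an added example that is not part of this thread or of the webbrowser-rs crate: the privileged parent keeps its own privileges and only the child is switched to an unprivileged user, using std's `CommandExt::uid`/`gid` (which std applies in the child after fork, before exec). The `xdg-open` launcher, the display string and the passwd sample text are assumptions.

```rust
use std::os::unix::process::CommandExt; // Command::uid / Command::gid
use std::process::Command;

/// The fields of a passwd entry the spawn needs.
#[derive(Debug, PartialEq)]
pub struct TargetUser {
    pub uid: u32,
    pub gid: u32,
    pub home: String,
}

/// Find `name` in passwd-format text (name:pw:uid:gid:gecos:home:shell).
/// The text is passed in, so the sample used in testing is a constructed
/// string, not the live /etc/passwd.
pub fn find_user(passwd: &str, name: &str) -> Option<TargetUser> {
    passwd.lines().find_map(|line| {
        let f: Vec<&str> = line.split(':').collect();
        if f.len() < 7 || f[0] != name {
            return None;
        }
        Some(TargetUser { uid: f[2].parse().ok()?, gid: f[3].parse().ok()?, home: f[5].to_string() })
    })
}

/// Refuse a target that would leave the browser running as root.
pub fn check_unprivileged(user: &TargetUser) -> Result<(), String> {
    if user.uid == 0 || user.gid == 0 {
        return Err(format!("refusing to open a browser as uid/gid 0: {:?}", user));
    }
    Ok(())
}

/// Build the launcher. The parent keeps its privileges; only the child is
/// switched to `user` (std calls setgid/setuid after fork, before exec).
/// `xdg-open` is an assumed launcher; `display` is the session display the
/// caller already knows (assumption: the target user may attach to it).
pub fn browser_command(url: &str, user: &TargetUser, display: &str) -> Result<Command, String> {
    check_unprivileged(user)?;
    let mut cmd = Command::new("xdg-open");
    cmd.arg(url)
        .uid(user.uid)
        .gid(user.gid)
        .env_clear() // do not leak the privileged process's environment
        .env("HOME", &user.home)
        .env("DISPLAY", display)
        .env("PATH", "/usr/local/bin:/usr/bin:/bin");
    Ok(cmd) // caller runs `.spawn()`; switching uid/gid needs CAP_SETUID/CAP_SETGID
}
```

Calling `.spawn()` on the returned command only succeeds when the parent holds CAP_SETUID/CAP_SETGID (typically root), which is exactly the situation the issue describes.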

Thanks, I did the first one in the end in the case I had.

The more I think about it, it would be difficult to implement across platforms too, as you can't rely on having sudo, etc.