From:
Lloyd <ng2d68@proton.me>
Subject:
lack of privsep in acme-client(1) - thoughts?
To:
tech <tech@openbsd.org>
Date:
Tue, 16 Dec 2025 07:33:42 +0000

One of my biggest issues with acme-client(1) - which does string parsing
of untrusted input from the network - is shown below:

if (getuid() != 0)
	errx(EXIT_FAILURE, "must be run as root");

AFAIK there is no justified need to run acme-client child processes as
root, and it could fare better with a dedicated user and some tidying up
of file locations.

I think it's one of the few utilities in base that does not do this.

I'm willing to code up some basic privsep but am unsure of the logistics.

Ideally the following would need to happen:

1. A new UID/GID _acme/_acme are created (how are they checked out?)

2. /var/www/acme should be set to 0775 root:_acme

3. /etc/acme should be set to 0770 root:_acme

4. Certificate storage - needs to be writable - create /etc/ssl/acme
   and /etc/ssl/acme/private - or leave this up to the user? Needs to
   be writable by _acme user/group - keys should be protected.
   
There may be some breakage as this feature is introduced, but I feel
that is far less bad than letting it continue to run as root.

Regards
Lloyd
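As an added illustration of the privilege drop the post proposes (this is example code, not acme-client's own source and not from the poster): a C routine that moves a root-started process to an unprivileged account and then verifies that the drop took and cannot be reversed. The account name `_acme` and the `/var/www/acme` path are taken from the post and are assumptions here, since no such account exists in base today; the `lookup_account` and `drop_privileges` function names are hypothetical. The OpenBSD-only `unveil`/`pledge` calls are guarded so the file also builds elsewhere.

```c
/* Added example: drop root to an unprivileged account before parsing
 * network input. Account name _acme and the paths are assumptions taken
 * from the mailing-list post; function names are hypothetical. */
#define _GNU_SOURCE
#include <err.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve an account name to uid/gid; returns -1 if it does not exist. */
int
lookup_account(const char *name, uid_t *uid, gid_t *gid)
{
	struct passwd *pw = getpwnam(name);

	if (pw == NULL)
		return -1;
	*uid = pw->pw_uid;
	*gid = pw->pw_gid;
	return 0;
}

/* Irreversibly drop to uid/gid and confirm it worked.
 * Order matters: supplementary groups and the gid go first, because once
 * the uid is no longer root we lack the privilege to change them.
 * Returns 0 on success, -1 (errno set) on any failure. */
int
drop_privileges(uid_t uid, gid_t gid)
{
	/* Only root can clear supplementary groups; a non-root caller has
	 * none it could have gained, so skip the call in that case. */
	if (geteuid() == 0 && setgroups(0, NULL) == -1)
		return -1;
	/* Set real, effective and saved ids together so no root id lingers. */
	if (setresgid(gid, gid, gid) == -1)
		return -1;
	if (setresuid(uid, uid, uid) == -1)
		return -1;

	/* Verify the drop: every id must now be the target ... */
	if (getuid() != uid || geteuid() != uid ||
	    getgid() != gid || getegid() != gid) {
		errno = EPERM;
		return -1;
	}
	/* ... and regaining root must be refused (saved uid was changed). */
	if (uid != 0 && setuid(0) != -1) {
		errno = EPERM;
		return -1;
	}
	return 0;
}

int
main(void)
{
	uid_t uid;
	gid_t gid;

	if (lookup_account("_acme", &uid, &gid) == -1)
		errx(EXIT_FAILURE, "no _acme account (hypothetical, from the post)");
	if (drop_privileges(uid, gid) == -1)
		err(EXIT_FAILURE, "drop_privileges");
#ifdef __OpenBSD__
	/* After the drop, also narrow the filesystem view and syscall set. */
	if (unveil("/var/www/acme", "rwc") == -1 || unveil(NULL, NULL) == -1)
		err(EXIT_FAILURE, "unveil");
	if (pledge("stdio rpath wpath cpath inet dns", NULL) == -1)
		err(EXIT_FAILURE, "pledge");
#endif
	printf("now running as uid %d gid %d\n", (int)getuid(), (int)getgid());
	return 0;
}
```

The important part is the verification after the `setres*` calls: a drop that only changes the effective id leaves the saved id at root, and `setuid(0)` would silently succeed later. Failing closed when any of those checks trips is what keeps a parsing bug in the child from being a root compromise.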