It is very useful, sometimes outright necessary, to start the wrapper with high privileges. This is the case when running in standalone mode for services that listen on ports below 1024, which Unix only allows root to open, or when running in pipe mode and the server program itself requires running as root. This should not, however, be the behaviour of the wrapper itself: were an attacker able to subvert the wrapper, one of the author's design goals is to give them as little access as possible.
The approach followed is to let the user specify which UID the wrapper should run as, and to deny any attempt to run it as root.
There are two main points at which the program should be able to drop privileges, and the decision on when to do so depends on each specific case. Therefore, the following attributes were added to the base ProtoWrap class (definitions from the code's internal documentation):
Of course, if destType is 'ip' or if standalone is 0, specifying when to switch the UID no longer makes sense. If destType is 'ip', the wrapper is not starting the server, so it cannot affect which user the server runs as. If standalone is 0, no listening sockets are opened, and the only point at which privileges could be dropped is when the server process is started. If both conditions are met, there is no point in starting the wrapper with the root UID, as it will not perform any privileged operations.
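The two rules above (a user-chosen target UID that is never allowed to be root, and the two drop points that destType and standalone may remove) as an added Python illustration; this is not ProtoWrap's own code, and the names `resolve_target_uid`, `drop_privileges` and `drop_points` are assumptions. The page names only the 'ip' value of destType, so any other value is treated as "the wrapper starts the server".

```python
import os
import pwd


class PrivilegeError(Exception):
    """Raised when the requested UID would leave the wrapper running as root."""


def resolve_target_uid(spec):
    """Translate a user name or numeric UID into (uid, gid), refusing root in any form."""
    if isinstance(spec, int) or str(spec).isdigit():
        uid = int(spec)
        try:
            gid = pwd.getpwuid(uid).pw_gid
        except KeyError:          # no passwd entry: use a matching gid, not the caller's
            gid = uid
    else:
        try:
            entry = pwd.getpwnam(spec)
        except KeyError:
            raise PrivilegeError("unknown user %r" % (spec,))
        uid, gid = entry.pw_uid, entry.pw_gid
    if uid == 0 or gid == 0:
        raise PrivilegeError("refusing to run the wrapper as root")
    return uid, gid


def drop_privileges(uid, gid):
    """Irreversibly switch to uid/gid (groups, then gid, then uid) and verify the drop."""
    if os.geteuid() != 0:
        return True               # nothing to drop; caller already checked uid != 0
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    try:
        os.setuid(0)              # must now fail; otherwise the drop was not real
    except PermissionError:
        return True
    raise PrivilegeError("privileges were not dropped")


def drop_points(dest_type, standalone):
    """Which of the two drop points remain, following the rules in the text.
    An empty list means the wrapper should not be started as root at all."""
    points = []
    if standalone:                # listening socket opened by the wrapper
        points.append("after_listen")
    if dest_type != "ip":         # wrapper starts the server process itself
        points.append("before_exec")
    return points
```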