It's very easy for someone that doesn't really understand the details of how to drop privileges (e.g. me) to use the "user", "group", and "extra_groups" args to subprocess.Popen() incorrectly ... or at least not in a way that gets the results they expect. Since there are potentially many reasonable patterns for using these It might be at least worth documenting that just setting "user" isn't a replacement for running a command under su or runuser.