pam_unix(8) requires root priveleges to access master.passwd(5)
but don't keep root for non-authentication activities.

--- pam.c.orig	2019-01-29 19:48:00 UTC
+++ pam.c
@@ -12,15 +12,40 @@
 static char *pw_buf = NULL;
 
 void initialize_pw_backend(int argc, char **argv) {
+#ifdef __linux__
 	if (getuid() != geteuid() || getgid() != getegid()) {
 		swaylock_log(LOG_ERROR,
 			"swaylock is setuid, but was compiled with the PAM"
 			" backend. Run 'chmod a-s %s' to fix. Aborting.", argv[0]);
 		exit(EXIT_FAILURE);
 	}
+#else
+	if (geteuid() != 0) {
+		swaylock_log(LOG_ERROR,
+				"swaylock needs to be setuid for pam_unix(8) to read /etc/master.passwd");
+		exit(EXIT_FAILURE);
+	}
+#endif
+
 	if (!spawn_comm_child()) {
 		exit(EXIT_FAILURE);
 	}
+
+#ifndef __linux__
+	if (setgid(getgid()) != 0) {
+		swaylock_log_errno(LOG_ERROR, "Unable to drop root");
+		exit(EXIT_FAILURE);
+	}
+	if (setuid(getuid()) != 0) {
+		swaylock_log_errno(LOG_ERROR, "Unable to drop root");
+		exit(EXIT_FAILURE);
+	}
+	if (setuid(0) != -1) {
+		swaylock_log_errno(LOG_ERROR, "Unable to drop root (we shouldn't be "
+			"able to restore it after setuid)");
+		exit(EXIT_FAILURE);
+	}
+#endif
 }
 
 static int handle_conversation(int num_msg, const struct pam_message **msg,