Could steal a page from how Spectrum does this: the installation needs to be done as root but afterwards, the files and most of the processes are owned by a non root user. There is a limitation on privileged ports (those below 1024) at the OS level, so if you need to bind to a port like 80, or 162 (SNMP trap receiver), you need to be root. Spectrum gets around that by having the SpectroSERVER executable as setuid root so it can bind to 162 to receive traps. That's why the installation needs to be done as root. Otherwise, everything else is non root. CAPM doesn't listen for traps, so there's no requirement there and you don't need to be root to poll SNMP on port 161 but that doesn't mean that there isn't something ( I seem to recall certain tasks involving ICMP require root) that requires it. The trick is to limit root ownership to just those parts and let the rest run as a non root user.