Packaged binaries shouldn't run as root unless absolutely necessary

[salcock]

This is especially true for the provisioner and mediator -- the collector may need root to be able to listen on the capture interface (but even then, we may only need those permissions temporarily).

Ideally, our packaged installs would create an "openli" user, install everything (binaries, config files, etc.) as belonging that user and have the systemd scripts run the components as "openli".

Unfortunately, because we didn't do this earlier, we'll also need some sort of script that will detect existing config etc. that is owned by root and make sure that ownership is changed to the "openli" user when the package is updated.

[salcock]

Deferred to 1.0.7 -- users have been running as root without too many complaints up until now.

Making sure that root-using installs safely upgrade to nonroot-using installs could potentially take a bit of a time and I'd like to push out 1.0.6 sooner rather than later as it has some essential bug fixes for some users.

[salcock]

Update: provisioners and mediators now run as the openli user and upgrades from 1.0.6 should proceed smoothly.

Collectors still need to run as root for packet capture purposes -- we can drop root privileges after starting capture and continue capture with ring: inputs, but DPDK doesn't work so well using this method.