Merge pull request #1457 from cgwalters/doc-non-root

docs: Elaborate a bit on sysusers and /usr

Author: cgwalters

docs/src/building/users-and-groups.md

@@ -95,6 +95,13 @@ of at build time. If `/etc` is persistent, this can avoid uid/gid drift (but
 in the general case it does mean that uid/gid allocation can
 depend on how a specific machine was upgraded over time).
 
+Note that the default `sysusers` design is that users are allocated on the client
+side (per machine). Avoid having non-root owned files managed by `sysusers`
+inside your image, especially underneath `/usr`. With the exception of
+`setuid` or `setgid` binaries (which should also be strongly avoided), there is
+generally no valid reason for having non-root owned files in `/usr` or other
+runtime-immutable directories.
+
 #### User and group home directories and `/var`
 
 For systems configured with persistent `/home` → `/var/home`, any changes to `/var` made