
Conversation


@kklash kklash commented Nov 22, 2022

Problem

By default, boringtun uses the getlogin syscall to determine which user to downgrade the service's permissions to after startup.

getlogin reads from /run/utmp to determine the logged in user, but this is a very outdated file which is not populated for processes run by systemd. This results in the entire boringtun process failing to start when run by systemd, since boringtun can't determine what user ID it was started by, and thus fails to drop its privileges to that user ID.

Even man getlogin tells you to bark up a different tree:

Unfortunately, it is often rather easy to fool getlogin(). Sometimes it does not work at all, because some program messed up the utmp file. Often, it gives only the first 8 characters of the login name. The user currently logged in on the controlling terminal of our program need not be the user who started it. Avoid getlogin() for security-related purposes.

Changes

This MR adds a --user command line flag which tells boringtun explicitly which user to downgrade permissions to. This allows boringtun to be run either directly as the root user, or with sudo as a sudoer user.

If the --user parameter is not provided, boringtun falls back to legacy behavior (using getlogin).

@kklash kklash requested a review from alexelisenko November 22, 2022 22:26
@kklash kklash self-assigned this Nov 22, 2022
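The two resolution paths the PR description contrasts, as an added example in Rust that is not boringtun's code and not part of this PR: an explicit user name (the --user idea) is looked up through getpwnam(), and only when none is given does the code fall back to getlogin(), which returns NULL when the process has no utmp entry, the systemd case described above. It then drops root to that account in the order a reviewer would expect (supplementary groups, gid, uid) and verifies the drop is irreversible. Assumptions: Linux, where the hand-written struct passwd below matches the glibc and musl field order and uid_t/gid_t are 32-bit; the function names lookup_user, login_name, resolve_target and drop_privileges are this example's own.

```rust
// Added example, not boringtun's code. Assumes Linux: the Passwd layout below
// mirrors glibc/musl `struct passwd`, and uid_t/gid_t are u32.
use std::ffi::{CStr, CString};
use std::os::raw::{c_char, c_int};

/// Mirror of Linux `struct passwd` (glibc/musl field order).
#[repr(C)]
struct Passwd {
    pw_name: *mut c_char,
    pw_passwd: *mut c_char,
    pw_uid: u32,
    pw_gid: u32,
    pw_gecos: *mut c_char,
    pw_dir: *mut c_char,
    pw_shell: *mut c_char,
}

extern "C" {
    fn getlogin() -> *mut c_char;
    fn getpwnam(name: *const c_char) -> *mut Passwd;
    fn setgroups(size: usize, list: *const u32) -> c_int;
    fn setgid(gid: u32) -> c_int;
    fn setuid(uid: u32) -> c_int;
    fn geteuid() -> u32;
}

/// The account a root process will downgrade to.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Target {
    pub name: String,
    pub uid: u32,
    pub gid: u32,
}

/// Resolve a user name through the passwd database (NSS-aware, unlike parsing /etc/passwd by hand).
pub fn lookup_user(name: &str) -> Result<Target, String> {
    let cname = CString::new(name).map_err(|_| "user name contains a NUL byte".to_string())?;
    // SAFETY: getpwnam returns NULL or a pointer to static storage; the fields are
    // copied out before any other libc call could overwrite that storage.
    let pw = unsafe { getpwnam(cname.as_ptr()) };
    if pw.is_null() {
        return Err(format!("unknown user {:?}", name));
    }
    let (uid, gid) = unsafe { ((*pw).pw_uid, (*pw).pw_gid) };
    Ok(Target { name: name.to_string(), uid, gid })
}

/// The legacy source: getlogin() consults utmp and returns NULL when the process
/// has no entry there, which is what happens under systemd.
pub fn login_name() -> Option<String> {
    let p = unsafe { getlogin() };
    if p.is_null() {
        return None;
    }
    // SAFETY: a non-NULL return from getlogin() is a NUL-terminated C string.
    Some(unsafe { CStr::from_ptr(p) }.to_string_lossy().into_owned())
}

/// An explicit user name wins; getlogin() is consulted only when none was given.
pub fn resolve_target(explicit_user: Option<&str>) -> Result<Target, String> {
    match explicit_user {
        Some(name) => lookup_user(name),
        None => {
            let name = login_name().ok_or_else(|| {
                "getlogin() failed (no utmp entry for this process); pass the user explicitly".to_string()
            })?;
            lookup_user(&name)
        }
    }
}

/// Drop from root to `target`. Order matters: clear supplementary groups and set the
/// gid while still root, setuid last, then prove the drop cannot be undone.
pub fn drop_privileges(target: &Target) -> Result<(), String> {
    if target.uid == 0 {
        return Err("refusing to downgrade to uid 0".to_string());
    }
    unsafe {
        if setgroups(0, std::ptr::null()) != 0 {
            return Err("setgroups() failed".to_string());
        }
        if setgid(target.gid) != 0 {
            return Err(format!("setgid({}) failed", target.gid));
        }
        if setuid(target.uid) != 0 {
            return Err(format!("setuid({}) failed", target.uid));
        }
        // A real drop (saved uid included) means root is unrecoverable.
        if setuid(0) == 0 {
            return Err("privilege drop was reversible; still effectively root".to_string());
        }
    }
    Ok(())
}

fn main() {
    // The first argument stands in for --user; omit it to exercise the getlogin() fallback.
    let user = std::env::args().nth(1);
    let target = match resolve_target(user.as_deref()) {
        Ok(t) => t,
        Err(e) => {
            eprintln!("cannot determine target user: {}", e);
            std::process::exit(1);
        }
    };
    println!("target: {} (uid {}, gid {})", target.name, target.uid, target.gid);
    if unsafe { geteuid() } == 0 {
        if let Err(e) = drop_privileges(&target) {
            eprintln!("{}", e);
            std::process::exit(1);
        }
    }
}
```

Run it without an argument from a systemd unit (or any process without a controlling terminal and utmp entry) and resolve_target fails with the getlogin() message, which is the failure the PR describes; pass a user name and the lookup goes through getpwnam() regardless of utmp. The setuid(0) probe at the end of drop_privileges is the check worth keeping in any daemon: if it succeeds, only the effective uid changed and the process is still root in practice.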