We've got a particular part of build system which requires root access because of a tool on OS X. Our workaround was to wrap the small part which requires root access in a binary that is setuid root. Then the build system that can call it without runnng compretely as root.