User and Group implement From<libc::passwd> and From<libc::group>, but these structs contain public fields which are pointers and are not guaranteed to uphold the invariants guaranteed after fetching with functions like getpw* and getgr*. These functions should be unsafe with the requirement that the passed struct is the output from one of these functions. For example:

impl User {
    /// # Safety
    ///
    /// `passwd` must be the output from some `getpw*` call, like `getpwuid`.
    unsafe fn from_passwd(passwd: &libc::passwd) -> Self {
        ...
    }
}