Check for success when dropping privs.

If the nm-openconnect user exists, but setuid/setgid fails, then abort.

Error handling is somewhat suboptimal here, since it's done in the
pre-spawn function in the child. But it should never happen anyway; the
only reason we're looking at it is because this code path was
(correctly) highlighted in a security review.