To change UID's and GID's, you'll need root perms. You'll also need them for the password checking initially, at least long enough to read the shadow (or perhaps passwd) file. There's really no way of getting around it.

The object, however, is to do as little as possible as root, and switch immediately to the new UID/EUID GID/EGID combination.

Changing them is simple to do in Perl (set $<, $>, $(, $) for UID, EUID, GID, and EGID, respectively), so you'll never have to run the entire script as root. Just take care of what you need to do as root early and carefully, and switch as soon as you can.