I once installed apcupsd only to be so appalled by its lack of security design I ripped it out PDQ. It demands to run as root so it can run shutdown (and maybe access the USB?!) and goes downhill from there.
There are many safer ways to let a mostly untrusted process run shutdown. Like a sudo setup letting the UPS user only run shutdown. Or /etc/shutdown.allow. Or something using CAP_SYS_BOOT. systemd might have a solution too. I get the impression I just spent more time thinking about this writing my response to you than the APC folks ever did.
Yes, I am afraid my UPS will hack me. More specifically I'm afraid this badly written closed-source software will have some security hole that can be used to escalate to root.
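
Added example, not part of the comment above and not taken from any UPS package: a sudoers drop-in for the first option the comment lists, with the over-broad rule shown beside the narrow one. The account name `ups`, the file name and the `/sbin/shutdown` path are assumptions that vary by distribution.

```sudoers
# /etc/sudoers.d/ups-shutdown   (constructed example; file name is an assumption)
# Check syntax before installing:  visudo -cf /etc/sudoers.d/ups-shutdown
# Install root-owned with mode 0440.
#
# Assumption: the UPS monitoring daemon runs as the unprivileged account "ups".

# Too broad: this is equivalent to running the daemon as root.
#   ups ALL=(ALL) NOPASSWD: ALL

# Still too broad: a command listed without arguments matches ANY arguments,
# so the account could also cancel or reschedule shutdowns or send wall messages.
#   ups ALL=(root) NOPASSWD: /sbin/shutdown

# Narrow: when arguments are listed, sudo requires the invocation to match
# them exactly. The account can run this one command line as root, nothing else.
ups ALL=(root) NOPASSWD: /sbin/shutdown -h now

# A daemon has no terminal. Only needed where "requiretty" is enabled globally.
Defaults:ups !requiretty

# The daemon's shutdown hook then calls, as user "ups":
#   sudo -n /sbin/shutdown -h now
# -n makes sudo fail immediately instead of prompting if the rule does not match.
```

With this rule, a compromise of the monitoring process yields the ability to halt the machine rather than a root shell.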