#language en
Linux (recent kernels at least) and systemd give us the ability to run daemons without root privileges from the start. Here is an example configuration for freeradius:

<>

= freeradius =

 1. systemd unit file: /etc/systemd/system/freeradius.service

{{{
[Unit]
Description=FreeRADIUS multi-protocol policy server
After=network.target
Documentation=man:radiusd(8) man:radiusd.conf(5) http://wiki.freeradius.org/ http://networkradius.com/doc/

[Service]
Type=forking
PIDFile=/run/freeradius/freeradius.pid
EnvironmentFile=-/etc/default/freeradius
User=freerad
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
ExecStart=/usr/sbin/freeradius $FREERADIUS_OPTIONS
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
}}}

Key lines are "User=" and "AmbientCapabilities=". User= makes systemd start the process as the unprivileged account, and AmbientCapabilities= gives that process only the listed capabilities instead of full root. List only the capabilities your configuration really needs: CAP_NET_ADMIN and CAP_NET_RAW are broad, so drop them if the daemon works without them. Consider adding NoNewPrivileges=yes so the service cannot regain privileges through setuid binaries.

 2. /etc/tmpfiles.d/freeradius.conf

{{{
d /var/run/freeradius 0755 freerad freerad -
}}}

= bind =

 1. systemd unit file: /etc/systemd/system/bind9.service

{{{
[Unit]
Description=BIND Domain Name Server
Documentation=man:named(8)
After=network.target
Wants=nss-lookup.target
Before=nss-lookup.target

[Service]
EnvironmentFile=/etc/default/bind9
ExecStart=/usr/sbin/named -f $OPTIONS
ExecReload=/usr/sbin/rndc reload
ExecStop=/usr/sbin/rndc stop
AmbientCapabilities=CAP_NET_BIND_SERVICE
User=bind
Group=bind

[Install]
WantedBy=multi-user.target
}}}

Key lines are "AmbientCapabilities=", "User=" and "Group=". CAP_NET_BIND_SERVICE is the capability that lets the unprivileged bind user bind to privileged ports (below 1024).

 2. /etc/tmpfiles.d/bind9.conf

{{{
d /var/run/named 0775 root bind -
}}}