It occurs to me there's no particular reason to keep running as root (at least on most systems, though for certain nss_ldap configurations, you've got a password that's readable only as root). We should support dropping privileges.

I think best practice is to run as your own system account instead of nobody because that quickly turns nobody into a fairly juicy target of its own, so probably this wants to be an argument to drop privileges to a specific user + some packaging config to create a system user.