There are several ways to run a service as someone other than root, all with slightly different semantics, particularly relating to group membership.

su -c commandname username picks up all of username's group memberships (such as plugdev and dialout), as does sudo -u username commandname. That's the usual behavior for a normally logged-in user.

start-stop-daemon preserves your group membership, and does a whole lot more than just setuid/setgid.

chpst -u username:group1:group2:group3... commandname will let you specify exactly what group memberships to adopt, but (in Ubuntu) it only comes with the runit package, which is an alternative to upstart.

setuidgid will put you in only the group you specify, so you won't be able to access files belonging to other groups you're a member of unless you use newgrp.

Using newgrp once you've become the less privileged user will add a single group to your groupset, but also creates a new subshell, making it tricky to use inside scripts.
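The group sets described above can be compared side by side. The following is an added example, not part of the original page: it models the su/sudo, setuidgid and chpst behaviors on constructed passwd and group data. The user "svc", the gids and the function names are assumptions, and setuidgid is modeled as keeping only the account's primary group.

```python
# Added example on constructed data; "svc" and all gids are hypothetical.
PASSWD = "svc:x:1001:1001::/nonexistent:/bin/false\n"
GROUP = """\
svc:x:1001:
dialout:x:20:svc
plugdev:x:46:svc,alice
adm:x:4:alice
"""

def parse_group(text):
    """Return {name: (gid, members)} from /etc/group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), set(filter(None, members.split(","))))
    return groups

def primary_gid(user, passwd_text):
    """Return the gid field of the user's /etc/passwd-format entry."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if fields[0] == user:
            return int(fields[3])
    raise KeyError(user)

def groupset(user, mode, explicit=()):
    """Gids held after the privilege drop.
    mode 'initgroups': su -c / sudo -u (primary + every listed membership)
    mode 'primary':    setuidgid (primary group only)
    mode 'explicit':   chpst -u user:g1:g2... (exactly the named groups)
    """
    groups = parse_group(GROUP)
    if mode == "explicit" and explicit:
        return {groups[name][0] for name in explicit}  # unknown name: KeyError
    gids = {primary_gid(user, PASSWD)}
    if mode == "initgroups":
        gids |= {gid for gid, members in groups.values() if user in members}
    return gids

def group_can_read(file_gid, file_mode, gids):
    """True if the file's group-read bit applies to a process holding gids."""
    return file_gid in gids and bool(file_mode & 0o040)
```

A device node owned by group dialout with mode 0660 is readable under the su/sudo model but not under the setuidgid model, which is the difference to check before picking a tool for a service that needs group-owned files.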


root@machine:/etc/init# more foo.conf 
# foo.conf
description "running a non-privileged service"

script
  sudo -u nobody whoami > /tmp/foo.whoami
  exec sudo -u nobody groups > /tmp/foo.groups-nobody-belongs-to
end script


UnprivilegedUsers (last edited 2011-08-26 04:10:18 by localhost)