I am pretty sure the packaging guidelines should say very clearly that it is not OK for daemons packaged for Fedora to run as the "nobody" user, and instead all packages that need a system user should register their own.
Why? Because all services running as "nobody" can access each other's resources.
Also see discussion around here:
Not sure what the wording should look like precisely, but maybe something as simple as this would suffice:
"System services packaged for Fedora may not run as the 'nobody' user, but must allocate their own system user to run as".
Description=Distccd A Distributed Compilation Server
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
nobody 2179 0.0 0.0 51132 896 ? S May31 0:01 /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
This dnsmasq is started by libvirt.service.
In case I miss the meeting, I'm 100% behind this but I'm not entirely sure where in the guidelines this should actually go. Probably immediately under https://fedoraproject.org/wiki/Packaging:Guidelines#Users_and_Groups
We discussed this at this week's meeting (http://meetbot.fedoraproject.org/fedora-meeting-1/2016-08-11/fpc.2016-08-11-16.00.txt):
The running of system daemons as the "nobody" user has been forbidden.
Metadata Update from @tibbs:
- Issue assigned to tibbs
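
The concern raised in this ticket, that daemons running as "nobody" share one account, can be checked on a host or in a package review. The following is an added example, not part of the ticket or of any Fedora tooling; the sample `ps` rows and the unit file body are constructed (only the dnsmasq row and the `Description=` line are modelled on the ticket), and the function names are hypothetical.

```python
# Added example: sample data below is constructed, modelled on the ticket.
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 190000 5000 ? Ss May31 0:05 /usr/lib/systemd/systemd
nobody 2179 0.0 0.0 51132 896 ? S May31 0:01 /sbin/dnsmasq --leasefile-ro
nobody 3021 0.0 0.0 20000 700 ? S May31 0:00 /usr/bin/distccd --daemon
chrony 812 0.0 0.0 30000 900 ? S May31 0:00 /usr/sbin/chronyd
"""
# Only the Description= line comes from the ticket; the rest is assumed.
SAMPLE_UNIT = """\
[Unit]
Description=Distccd A Distributed Compilation Server
[Service]
User=nobody
ExecStart=/usr/bin/distccd --no-detach --daemon
"""
SHARED_ACCOUNTS = {"nobody"}

def procs_as_shared_user(ps_text, accounts=SHARED_ACCOUNTS):
    """Map executable -> PIDs for processes owned by a shared account."""
    found = {}
    for line in ps_text.splitlines()[1:]:      # skip the header row
        fields = line.split(None, 10)          # COMMAND is the 11th column
        if len(fields) == 11 and fields[0] in accounts:
            exe = fields[10].split()[0]
            found.setdefault(exe, []).append(int(fields[1]))
    return found

def daemons_sharing_account(ps_text, accounts=SHARED_ACCOUNTS):
    """Executables that share one account with at least one other daemon."""
    exes = sorted(procs_as_shared_user(ps_text, accounts))
    return exes if len(exes) > 1 else []

def unit_runs_as_shared_user(unit_text, accounts=SHARED_ACCOUNTS):
    """True if the effective User= in [Service] is a shared account."""
    section, user = None, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line
        elif section == "[Service]" and line.startswith("User="):
            user = line.split("=", 1)[1].strip()  # last assignment wins
    return user in accounts

if __name__ == "__main__":
    print(daemons_sharing_account(SAMPLE_PS))
    print(unit_runs_as_shared_user(SAMPLE_UNIT))
```
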