I must correct myself. As I ofc only remembered after sending the bug report, I did already change the initscript once before to start as root (so it can read the root-owned ssl certs once on startup, before dropping privileges)
So in the default config, the --user switches shouldn't be a problem (but with CAPABILITIES enabled they probably still are) and the pidfile-dir permission should be the only problem. ~~ Nils