You can also start Hiawatha under a non-root uid.
But this means that hiawatha couldn't be get chrooted for example isn't it? Maybe you could limit the capacities granted before dropping privileges with the libcap facilitity (execcap binary) and grant for example only CAP_SETUID, CAP_SETGID, CAP_CHROOT and CAP_NET_BIND_SERVICE, probably it would be a proper solution rather than run the hiawatha daemon with UID not 0