Actually sudo is already being used, but sometimes people forget to use it and start some service as themselves, and various temporary files and sockets get created with the wrong user ID, which causes Bad Things later. For now I cooked up this initial solution:

Add to sudoers file:
%developers ALL=(ALL) NOPASSWD: /bin/su - serviceuser
Add to the end of /etc/bash.bashrc:
sudo su - serviceuser
I was hoping to figure out some more 'low-level' solution with PAM or thereabouts, but maybe this will do.
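
A guarded form of the /etc/bash.bashrc hook described above, as an added example that is not part of the original post. It assumes the `developers` group and `serviceuser` account from the sudoers line; the function names `should_switch` and `switch_to_serviceuser` are hypothetical.

```shell
# Added example: guard for the end of /etc/bash.bashrc.
# Assumptions: group "developers" and account "serviceuser" as in the post;
# the function names are made up for this illustration.

# Decide whether this shell should hand over to the service account.
#   $1 = current user name      (id -un)
#   $2 = space-separated groups (id -Gn)
#   $3 = shell option flags     ($-)
# Returns 0 to switch, 1 to leave the shell alone.
should_switch() {
    # Already the service account: stop here, otherwise the hook would
    # re-run itself if serviceuser's login shell also reads this file.
    [ "$1" = "serviceuser" ] && return 1

    # Only interactive shells; scripts and remote copy commands started
    # under the developer's own account must not be redirected.
    case "$3" in
        *i*) ;;
        *) return 1 ;;
    esac

    # Only members of the group named in the sudoers rule; for anyone
    # else sudo would prompt for a password or refuse.
    case " $2 " in
        *" developers "*) return 0 ;;
    esac
    return 1
}

switch_to_serviceuser() {
    if should_switch "$(id -un)" "$(id -Gn)" "$-"; then
        # Same command and arguments as the sudoers entry, so the
        # NOPASSWD rule applies.
        sudo /bin/su - serviceuser
    fi
}

# The last line of /etc/bash.bashrc would then be:
#   switch_to_serviceuser
```
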