Simple set of rules:
1. All files root:root, 644 for files, 755 for executables, 755 for directories
2. Special settings varying on the software, e.g. setuid, setgid for Xorg, read/write-only for root in /etc/private or /var/..., special user like postfix or mysql, etc. within the extension or setup with the tce.installed/* script while booting.
3. [/usr/local]/etc/init.d/xyz scripts are usually system services and not user based services, so the simple set here is: check for root user, if not, just fail.
4. Tiny Core special settings, e.g. root:staff for /usr/local/tce.installed and 775
Optional:
5. If app/service can be run as a normal user (not as root!), make sure your init, start or extensions scripts are able to handle this. For example, query the $TCUSER variable and set the permissions accordingly when installing the extension. Or reconfigure the software so that it defaults to user writeable directories like $HOME, /tmp, etc.
@cups example: Since the service is run as root either way, the init script should also fail when not run as root, which is the easiest solution. Checkout the checkroot() helper function in /etc/init.d/tc-functions e.g. Try to use sudo in scripts as less as possible.