It is normal. Like several server daemons (such as httpd) they have an initial process that runs up under the root account so that they can access the necessary system files. They then launch child processes under a non-priveleged user account for the processing work. The reason they do this is simple - security. Because these processes usually process data derived from an untrusted source, i.e. the internet, should then ever be compromised, then the hacker would usually only have access to the non-privileged account instead of the root account.