owned by postgres, doing "pg_ctl start" as root could allow a privilege
escalation attack, as pointed out by iDEFENSE.  Of course the postmaster would
fail, but we ought to fail a little sooner to protect sysadmins unfamiliar
with Postgres.  The chosen fix is to disable root use of pg_ctl in all cases,
just to be confident there are no other holes.