Replace chown by lchown where applicable

PostgreSQL's upstream init scripts have been found vulnerable to symlink
attacks on the server log file (CVE-2017-12172). We don't use the
upstream scripts, but inspection of pg_ctlcluster has shown that it is
vulnerable to exactly the same problem. We fixed this problem
previously via c8989206 (CVE-2016-1255), but the fix merely made
the attack window smaller.

We now use lchown instead of chown so a symlink put into place while
pg_ctlcluster is running cannot be used to chown files elsewhere on the
filesystem.

In passing, apply the same fix to pg_createcluster and pg_upgradecluster
as well.