reduce risky use of chown
In general, chown is risky business. On most systems it can only be done as root. Even riskier is chowning a file in a directory that is already owned by a non-privileged user, because (depending on kernel, system configuration, filesystem boundaries, etc.) it's possible that the non-privileged user could control the file pointed to, and the superuser accidentally chowns a file they didn't intend. Attacks here are often racy (TOCTOU) and subtly depend on interactions with other system parts (e.g. gaining r/w control over a specific file in /var/lib/dpkg/ or /var/lib/). Better to avoid these risks entirely where possible.
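Where a chown inside a user-writable directory cannot be avoided, the usual hardening is to open the file once and run every check and the ownership change on that descriptor. The sketch below is an added example, not code from this commit or its project; `chown_regular_file`, `UnsafeTarget` and the `expected_owner` parameter are hypothetical names chosen for illustration.

```python
import errno
import os
import stat


class UnsafeTarget(Exception):
    """The object behind the path is not a plain, singly linked file."""


def chown_regular_file(path, uid, gid, expected_owner=None):
    """fd-based ownership change: open once, check and chown that descriptor.

    Returns the inode number that was changed.
    """
    # O_NOFOLLOW rejects a symlink in the final path component only;
    # parent directories still have to be trusted or opened via dir_fd.
    # O_NONBLOCK keeps the open from hanging if the path is a FIFO.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):
            raise UnsafeTarget(f"{path}: is a symlink") from exc
        raise
    try:
        st = os.fstat(fd)  # describes the opened inode, not the path
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeTarget(f"{path}: not a regular file")
        if st.st_nlink != 1:
            # Another name for this inode may exist outside the directory.
            raise UnsafeTarget(f"{path}: has {st.st_nlink} links")
        if expected_owner is not None and st.st_uid != expected_owner:
            raise UnsafeTarget(f"{path}: owned by uid {st.st_uid}")
        # Acts on the inode that was just checked, even if the path
        # has been renamed or replaced in the meantime.
        os.fchown(fd, uid, gid)
        return st.st_ino
    finally:
        os.close(fd)
```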