I wonder if it might not be easier to simply add check that if we are not in virtualenv and are uid0 without --user option we should just bail out and say "bad user"...