This is an idea borrowed from Debian and Alpine. It allows us to drop suid/caps from a couple of binaries in PAM and sys-apps/shadow.
https://github.com/gentoo/gentoo/pull/44000 Mike Gilbert (4): acct-group/shadow: new package, add 0 sys-libs/pam: wire up shadow group sys-apps/shadow: install suid binaries as 4755 sys-apps/shadow: wire up shadow group acct-group/shadow/metadata.xml | 7 ++++++ acct-group/shadow/shadow-0.ebuild | 22 +++++++++++++++++++ ...-4.14.8.ebuild => shadow-4.14.8-r1.ebuild} | 14 ++++++++++-- ...am-1.7.1-r1.ebuild => pam-1.7.1-r2.ebuild} | 14 +++++++----- 4 files changed, 49 insertions(+), 8 deletions(-) create mode 100644 acct-group/shadow/metadata.xml create mode 100644 acct-group/shadow/shadow-0.ebuild rename sys-apps/shadow/{shadow-4.14.8.ebuild => shadow-4.14.8-r1.ebuild} (94%) rename sys-libs/pam/{pam-1.7.1-r1.ebuild => pam-1.7.1-r2.ebuild} (96%) -- 2.51.0
