During the build of dev-java/icedtea-web, something (possibly Java itself) appears to ignore Portage setting HOME to a valid temporary directory, and uses the directory in /etc/passwd instead (which cannot be written during the build). A simple fix for this is to export XDG_CONFIG_HOME="${HOME}/.config" in src_prepare (or thereabouts), which is honored. This may need to be moved to the eclass; I haven't tried building many other Java packages yet...
Specifically, you can call xdg_environment_reset() (from xdg-utils.eclass) to set all the related variables safely, and create the directory with the correct ownership/permissions.
Please post log output that includes which version was tried because I've never seen this.
Created attachment 423994: build.log
Finally managed to reproduce it. I was running with FEATURES="-userpriv", which I've changed now that I'm aware what the defaults are. That wasn't enough though; I also had to change portage's HOME from /var/tmp/portage to /home/portage. While I question that change, given that /var/tmp/portage is allowed by the sandbox, you do have a point. I would have been surprised to find that Java is honouring XDG variables, but it turns out it's just icedtea-web specifically, so there's no need to address this in the eclass. Adding xdg_environment_reset to src_configure did the trick, so thanks.
Just FYI, the reason that my portage user has a home directory in /home/ is because I set PORTAGE_TMPDIR=/tmp, so packages build under /tmp/portage/ and /var/tmp/portage doesn't even exist. I also sometimes need to log in as the portage user to test changes to builds without being root, and have some config files set up in /home/portage to make that easier.
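A stand-alone shell sketch of the behaviour discussed in this thread, added here as an example and not taken from the ebuild, Portage or xdg-utils.eclass. It models a program that ignores `$HOME` and falls back to the passwd home unless `XDG_CONFIG_HOME` is set, and shows that pointing the XDG variables at the build's temporary HOME keeps the config path inside the sandboxed build directory. All function names and the temporary paths are hypothetical.

```shell
# Added sketch; function names and paths are hypothetical, not Portage or eclass code.

# Config dir as resolved by an XDG-aware program that ignores $HOME:
# $XDG_CONFIG_HOME if set, otherwise .config under the passwd-database home.
# $1 = home directory recorded in /etc/passwd (passed in so the demo runs offline).
resolve_config_dir() {
    printf '%s\n' "${XDG_CONFIG_HOME:-$1/.config}"
}

# Succeeds when path $1 lies under directory $2, the kind of prefix test a
# build sandbox applies to writes.
inside_prefix() {
    case "$1" in
        "$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Point the XDG base directories at the build's temporary HOME and create
# them private to the build user.
reset_xdg_under_home() {
    export XDG_CONFIG_HOME="$HOME/.config"
    export XDG_DATA_HOME="$HOME/.local/share"
    export XDG_CACHE_HOME="$HOME/.cache"
    mkdir -p "$XDG_CONFIG_HOME" "$XDG_DATA_HOME" "$XDG_CACHE_HOME" &&
        chmod 0700 "$XDG_CONFIG_HOME" "$XDG_DATA_HOME" "$XDG_CACHE_HOME"
}

# Constructed scenario: passwd says /home/portage, the build HOME is a temp dir.
# Prints the sandbox verdict before and after the reset.
demo() {
    build_root=$(mktemp -d) || return 1
    (
        HOME="$build_root/homedir"; export HOME
        unset XDG_CONFIG_HOME
        before=$(resolve_config_dir /home/portage)
        inside_prefix "$before" "$build_root" && b=allowed || b=denied
        reset_xdg_under_home || exit 1
        after=$(resolve_config_dir /home/portage)
        inside_prefix "$after" "$build_root" && a=allowed || a=denied
        printf '%s %s\n' "$b" "$a"
    )
    rc=$?
    rm -rf "$build_root"
    return $rc
}

demo
```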