The fcaps eclass shouldn't give the execute permission to 'others', otherwise sysadmins can't easily restrict the executable to a group using post_src_install() like in this example:

/etc/portage/env/category/package:

post_src_install() {
    chgrp group "${ED}"/executable_path
    chmod o-x "${ED}"/executable_path
    setcap cap+ep "${ED}"/executable_path
}
Created attachment 524550
fcaps.eclass.patch

Proposed patch attached.
> setcap cap+ep "${ED}"/executable_path
^ Oops, ignore that line in the post_src_install() example; it shouldn't be there.
I'm not sure it is worth changing the fcaps function to "support" this. You could accomplish essentially the same goal by defining a post_pkg_postinst function instead of a post_src_install function.

> post_pkg_postinst() {
>     chgrp group "${EROOT}"/executable_path
>     chmod o-x "${EROOT}"/executable_path
>     setcap cap+ep "${EROOT}"/executable_path
> }
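
A check an administrator could run after merging the package to confirm that the group restriction discussed in this thread is in place on the installed file. This is an added example, not part of the original report, the attached patch or the fcaps eclass; the function name check_group_restricted and the path and group in the usage comment are hypothetical, and GNU stat is assumed.

```sh
#!/bin/sh
# Added example (not from the bug report): verify that an installed executable
# is owned by the expected group and is NOT executable by 'others'.
# Usage (hypothetical path and group):
#   check_group_restricted /usr/bin/executable_path group
# Returns 0 if restricted as expected, 1 if not, 2 if the file cannot be examined.
check_group_restricted() {
    cgr_path=$1
    cgr_want=$2
    cgr_rc=0

    if [ ! -f "$cgr_path" ]; then
        echo "$cgr_path: not a regular file" >&2
        return 2
    fi

    # GNU stat: %a is the octal mode, %G the owning group's name.
    cgr_mode=$(stat -c %a "$cgr_path") || return 2
    cgr_group=$(stat -c %G "$cgr_path") || return 2

    if [ "$cgr_group" != "$cgr_want" ]; then
        echo "$cgr_path: group is '$cgr_group', expected '$cgr_want'" >&2
        cgr_rc=1
    fi

    # The leading 0 makes the shell read the mode as octal; bit 0001 is o+x.
    if [ $(( 0$cgr_mode & 1 )) -ne 0 ]; then
        echo "$cgr_path: mode $cgr_mode still lets 'others' execute it" >&2
        cgr_rc=1
    fi

    # Informational only: show file capabilities when getcap (libcap) is present.
    if command -v getcap >/dev/null 2>&1; then
        cgr_caps=$(getcap "$cgr_path" 2>/dev/null) || cgr_caps=""
        if [ -n "$cgr_caps" ]; then
            echo "capabilities: $cgr_caps" >&2
        else
            echo "$cgr_path: no file capabilities reported" >&2
        fi
    fi

    return "$cgr_rc"
}
```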