# total suid control.

	if hasq suidctl $FEATURES; then

	###

		sfconf=/etc/portage/suidctl.conf

	### Controls permissions of files with SetId permissions.

		vecho ">>> Performing suid scan in ${IMAGE}"

	###

		for i in $(find ${IMAGE}/ -type f \( -perm -4000 -o -perm -2000 \) ); do

	### Todo:

			if [ -s "${sfconf}" ]; then

	### - Add a bit of flexibility to the file format (comments everywhere,

				suid="$(grep ^${i/${IMAGE}/}$ ${sfconf})"

	###       decorating spaces, and maybe allow space characters

				if [ "${suid}" = "${i/${IMAGE}/}" ]; then

	###       as field separators... -the file is grealty easier to read

					vecho "- ${i/${IMAGE}/} is an approved suid file"

	###       with tabulations, though the line length greatly increase...).

	### - Maybe support empty fields (they would match any value...), though it

	###       greatly diminishes the usefulness of the setid-control feature.

	### - Maybe support more flexible file permissions (like "ugo-s",

	###       for the last field -well, for now, it works out of the box,

	###       but we might try some checks on this field, so we me think a bit

	###       about it).

	### - Maybe support to configure the user and group to set,

	###       for full customization...

	### - Maybe add a check to inform the user when an entry is outdated and

	###       might be removed (like the original file

	###       does not have SetId permissions set anymore).

	###

	### Defines miscellaneous needed variables.

	local SetId_control_feature_name="setid-control"

	local SetId_control_configuration_file_path="/etc/portage/setid-control.conf"

	local SetId_permissions_to_set_field_index="6"

	### Checks that the SetId control feature is activated.

	if hasq "${SetId_control_feature_name}" "${FEATURES}"

	then

		vecho ">>> Performing SetId scan in \"${IMAGE}\"..."

		### Loop on files with SetId permissions.

		for File_virtual_path in $(find "${IMAGE}/" -type f -perm -4000 -o -perm -2000)

		do

			### Defines variables for needed informations about the package and file.

			local Package_category_and_name="${CATEGORY}/${PN}"

			local File_absolute_path="${File_virtual_path#${IMAGE}}"

			local File_user=$(find "${File_virtual_path}" -printf "%u")  ### "%u" means the file owner name or id

			local File_group=$(find "${File_virtual_path}" -printf "%g") ### "%g" means the file group name or id

			local File_permissions=$(find "${File_virtual_path}" -printf "%04m") ### "%04m" means the file permissions (with leading zeros)

			### Tries to match the file with existing entries

			### from the configuration file. Notes we do not care if

			### the configuration file does not exist, as it is handled later.

			### ("-m" means "--max-count"; "-E" means "--extended-regexp")

			### @todo Maybe check the fields individually, for customized

			###           warning messages (well, probably overkill).

			### @todo For the regex ending, if there are spaces (though illegal

			###           as per configuration file format specifications),

			###           accept the line... as we do not use the

			###           file permission field elsewhere, for now, this is ok,

			###           but if we later parse the entry to get

			###           the value of this field, the spaces will have

			###           to be removed.

			Needed_entry_regex="${Package_category_and_name}:${File_virtual_path}:${File_user}:${File_group}:${File_permissions}([[:space:]]*|:.*)$"

			Authorization_entry=$(grep -m 1 -E "^${Needed_entry_regex}" "${SetId_control_configuration_file_path}")

			### Checks if the file matched an existing entry

			### from the configuration file.

			if [ -n "${Authorization_entry}" ]

			then

				### Gets the file permissions to set, from

				### the authorization entry, if present.

				### ("-d" means "--delimiter"; "-f" means "--fields")

				File_permissions_to_set=$(echo "${Authorization_entry}" | cut -d ":" -f "${SetId_permissions_to_set_field_index}")

				### Keeps the file permissions as is, if

				### the file permission to set field is not present, or empty,

				### or identical to the file original permissions.

				if [ -z "${File_permissions_to_set}" ] || [ "${File_permissions_to_set}" = "${File_permissions}" ]

				then

					vecho ">>> File \"${File_absolute_path}\" requested SetId permissions, and has been authorized to keep them, as per configuration."

					### Continues to the next file with SetId permissions.

					continue

					vecho ">>> Removing sbit on non registered ${i/${IMAGE}/}"

					vecho ">>> File \"${File_absolute_path}\" requested SetId permissions, and is registered, so we will apply the configuration..."

					for x in 5 4 3 2 1 0; do echo -ne "\a"; sleep 0.25 ; done

					vecho -ne "\a"

					### Sets the file permission, as per configuration.

					ls_ret=$(ls -ldh "${i}")

					### @todo Sanity checks on file permissions to set?

					chmod ugo-s "${i}"

					chmod "${File_permissions_to_set}" "${File_virtual_path}"

					grep ^#${i/${IMAGE}/}$ ${sfconf} > /dev/null || {

						# sandbox prevents us from writing directly

					File_set_permissions=$(find "${File_virtual_path}" -printf "%04m") ### "%04m" means the file permissions (with leading zeros)

						# to files outside of the sandbox, but this

						# can easly be bypassed using the addwrite() function

					vecho ">>> File \"${File_absolute_path}\" now has permissions: \"${File_set_permissions}\" (previously: \"${File_permissions}\")."

						addwrite "${sfconf}"

						vecho ">>> Appending commented out entry to ${sfconf} for ${PF}"

					### Continues to the next file with SetId permissions.

						echo "## ${ls_ret%${IMAGE}*}${ls_ret#*${IMAGE}}" >> ${sfconf}

					continue

						echo "#${i/${IMAGE}/}" >> ${sfconf}

						# no delwrite() eh?

						# delwrite ${sconf}

					}

				vecho "suidctl feature set but you are lacking a ${sfconf}"

				vecho ">>> File \"${File_absolute_path}\" requested SetId permissions, but is unregistered, so we will strip them..."

				### Removes the SetId permissions from the file.

				chmod ugo-s "${File_virtual_path}"

				### Defines the secure SetId permissions (ie., no SetId permissions).

				Secure_SetId_permissions=$(find "${File_virtual_path}" -printf "%04m") ### "%04m" means the file permissions (with leading zeros)

				### Constructs a configuration file default (secure) entry for the current file.

				Default_entry="${Package_category_and_name}:${File_absolute_path}:${File_user}:${File_group}:${File_permissions}:${Secure_SetId_permissions}"

				### Creates the configuration file parent directory, if needed.

				if [ ! -d $(dirname "${SetId_control_configuration_file_path}") ]

				then

					addwrite "/" ### Sandbox bypassing

					mkdir -p $(dirname "${SetId_control_configuration_file_path}")

					export SANDBOX_WRITE="${SANDBOX_WRITE%:/}" ### Sandbox restoring

				fi

				### Creates a base configuration files, if not present (for the comments on the file format).

				if [ ! -f "${SetId_control_configuration_file_path}" ]

				then

					SetId_control_default_configuration_file_path="/usr/share/portage/setid-control.conf.default" ### !!! Place it elsewhere? (directly in "/etc/portage"? -without the ".default" suffix-, in which case this block should be removed)

					addwrite "${SetId_control_configuration_file_path}" ### Sandbox bypassing

					cp "${SetId_control_default_configuration_file_path}" "${SetId_control_configuration_file_path}"

					export SANDBOX_WRITE="${SANDBOX_WRITE%:${SetId_control_configuration_file_path}}" ### Sandbox restoring

				fi

				### Adds the default entry to the configuration file.

				addwrite "${SetId_control_configuration_file_path}" ### Sandbox bypassing

				echo "${Default_entry}" >> "${SetId_control_configuration_file_path}"

				export SANDBOX_WRITE="${SANDBOX_WRITE%:${SetId_control_configuration_file_path}}" ### Sandbox restoring

				### Displays a warning.

				ebeep 3 && epause 5

				ewarn

				ewarn "You have the \"${SetId_control_feature_name}\" feature set in your \"/etc/make.conf\" file,"

				ewarn "and the current package requests SetId permissions for the file:"

				ewarn "\"${File_absolute_path}\","

				ewarn "which cannot be found in the SetId control configuration file."

				ewarn

				ewarn "If you already have an entry, for the same package and file path,"

				ewarn "it probably means that the file user, group, or original permissions,"

				ewarn "have changed. In this case, check the default entry which was added"

				ewarn "to the configuration file, and adapt your configuration as needed."

				ewarn

				ewarn "The following default (secure) entry was added to the configuration file"

				ewarn "(${SetId_control_configuration_file_path}):"

				ewarn "${Default_entry}"

				ewarn

				ewarn "The file has been stripped from its SetId permissions. If know what"

				ewarn "you are doing, and want \`emerge\` to keep these permissions, follow"

				ewarn "the instructions from the SetId control configuration file."

				ewarn

				### Continues to the next file with SetId permissions.

				continue