Inside sandbox.c, sandbox_info->work_dir is initialized from getcwd and in get_sandbox_write_envvar() it is inserted into SANDBOX_WRITE. This can give write access to all files when sandbox is executed with / as cwd. I have encountered this problem while testing portage-2.1.0_alpha20050718 which does not change cwd, unlike the stable portage-2.0.51.22-r2 which automatically changes cwd to PORTAGE_TMPDIR.
_Only_ if EBUILD is not set ... doesn't new portage do this?
Oops, I'm sorry azarah. The behavior was so strange that I assumed it was a sandbox bug without really analyzing the logic in there. If it's a portage bug then we should dup it against bug 102126.
*** This bug has been marked as a duplicate of bug 102126 ***
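Added example, not taken from sandbox.c or written by anyone in this thread: it shows why a cwd-derived write prefix of / matches every absolute path, and how the EBUILD condition mentioned in the reply changes the outcome. The function names, the component-wise prefix match and the `reject_root` guard are assumptions made for illustration, and the paths are constructed samples.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True when `path` equals `prefix` or lies beneath it. Matching is done on
 * whole path components, so "/var/tmp" does not cover "/var/tmpfoo". */
bool path_under_prefix(const char *prefix, const char *path)
{
    size_t n = strlen(prefix);
    while (n > 1 && prefix[n - 1] == '/')    /* ignore trailing slashes */
        n--;
    if (strncmp(prefix, path, n) != 0)
        return false;
    if (n == 1 && prefix[0] == '/')          /* prefix is the root itself */
        return true;                         /* every absolute path matches */
    return path[n] == '\0' || path[n] == '/';
}

/* Hypothetical helper: returns the cwd-derived write prefix, or NULL when it
 * is not added. EBUILD set -> not added (as stated in the reply above).
 * reject_root is an added guard, not sandbox behaviour: refuse "/" as cwd. */
const char *cwd_write_prefix(const char *cwd, const char *ebuild, bool reject_root)
{
    if (ebuild != NULL && ebuild[0] != '\0')
        return NULL;
    if (reject_root && strcmp(cwd, "/") == 0)
        return NULL;
    return cwd;
}

/* A write is allowed only when a prefix exists and covers the path. */
bool write_allowed(const char *prefix, const char *path)
{
    return prefix != NULL && path_under_prefix(prefix, path);
}

int main(void)
{
    const char *target = "/etc/passwd";      /* constructed sample path */
    printf("cwd=/, EBUILD unset, no guard: %d\n",
           write_allowed(cwd_write_prefix("/", NULL, false), target));
    printf("cwd=/, EBUILD unset, guarded:  %d\n",
           write_allowed(cwd_write_prefix("/", NULL, true), target));
    printf("cwd=/, EBUILD set:             %d\n",
           write_allowed(cwd_write_prefix("/", "foo.ebuild", false), target));
    return 0;
}
```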