The various binaries that are part of sys-apps/shadow could use file capabilities instead of having the suid bit set. This would greatly decrease the number of suid binaries on the system and increase security. I tested the following on my hardened Gentoo setup and it works fine (most come from Arch Linux's wiki):

# -l option allows for a user to see his/her account's password expiry date
/usr/bin/chage = cap_dac_read_search+ep

# changes the user's information (full name, phone number etc.) on /etc/passwd
/usr/bin/chfn = cap_chown,cap_setuid+ep

# changes the user's login shell on /etc/passwd
/usr/bin/chsh = cap_chown,cap_setuid+ep

# checks if the user's password has expired and forces a password change in case it has
/usr/bin/expiry = cap_dac_override,cap_setgid+ep

# allows root and group administrators to set/change group passwords on /etc/gshadow
/usr/bin/gpasswd = cap_chown,cap_dac_override,cap_setuid+ep

# allows users to set their current group ID in case they know the group's password or are members of the group
/usr/bin/newgrp = cap_dac_override,cap_setgid+ep

# allows users to change their password on /etc/shadow
/usr/bin/passwd = cap_chown,cap_dac_override,cap_fowner+ep

# writes uid mappings on /proc/<pid>/uid_map
/usr/bin/newuidmap = cap_setuid+ep

# writes gid mappings on /proc/<pid>/gid_map
/usr/bin/newgidmap = cap_setgid+ep
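The following is an added example, not part of the report above or of sys-apps/shadow. It parses a "path = capability-set" list in the format used in the report, rejects capability names outside the set the report uses (so a typo is caught before anything reaches setcap), emits the setcap/chmod commands an administrator would run to replace the suid bit with file capabilities, and classifies a binary's state from its st_mode and whether it already carries file capabilities. The sample mapping text and the helper names (parse_mapping, setcap_commands, suid_bit_set, audit) are constructed for this example.

```python
import re
import shlex
import stat

# Capability names used in the report (all real Linux capabilities). The
# parser refuses anything else, so a misspelled name never reaches setcap.
KNOWN_CAPS = {
    "cap_chown", "cap_dac_override", "cap_dac_read_search",
    "cap_fowner", "cap_setgid", "cap_setuid",
}

# Constructed sample in the report's format: '#' comments, then "path = caps+flags".
SAMPLE_MAPPING = """\
# allows users to change their password on /etc/shadow
/usr/bin/passwd = cap_chown,cap_dac_override,cap_fowner+ep
# writes uid mappings on /proc/<pid>/uid_map
/usr/bin/newuidmap = cap_setuid+ep
"""

# path, comma-separated capability names, then an operator and e/i/p flags
LINE_RE = re.compile(r"^(\S+)\s*=\s*([a-z_,]+)([+=-][eip]+)$")


def parse_mapping(text):
    """Return {path: (capability_list, flags)} for each non-comment line."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable mapping line: {line!r}")
        path, caps, flags = m.group(1), m.group(2).split(","), m.group(3)
        unknown = [c for c in caps if c not in KNOWN_CAPS]
        if unknown:
            raise ValueError(f"{path}: unknown capability name(s) {unknown}")
        mapping[path] = (caps, flags)
    return mapping


def setcap_commands(mapping):
    """For each binary: attach the file capability, then drop the suid bit."""
    cmds = []
    for path, (caps, flags) in mapping.items():
        capset = ",".join(caps) + flags
        cmds.append(f"setcap {capset} {shlex.quote(path)}")
        cmds.append(f"chmod u-s {shlex.quote(path)}")
    return cmds


def suid_bit_set(mode):
    """True if an st_mode value (e.g. os.stat(path).st_mode) has the setuid bit."""
    return bool(mode & stat.S_ISUID)


def audit(path, mode, has_file_caps):
    """Classify one binary's migration state from its mode and file-cap presence."""
    if suid_bit_set(mode) and has_file_caps:
        return f"{path}: both suid and file caps set, run chmod u-s"
    if suid_bit_set(mode):
        return f"{path}: suid, no file caps, not migrated"
    if has_file_caps:
        return f"{path}: file caps only, migrated"
    return f"{path}: neither suid nor file caps"


if __name__ == "__main__":
    for cmd in setcap_commands(parse_mapping(SAMPLE_MAPPING)):
        print(cmd)
```

After running the generated commands as root, `getcap /usr/bin/passwd` should list the capability set and `stat -c %A /usr/bin/passwd` should no longer show the `s` bit. File capabilities live in the `security.capability` extended attribute, so reinstalling or rewriting the binary (a package upgrade, for instance) replaces the file and the commands have to be applied again.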