The /usr/bin/asd program installed by dev-db/aerospike-server-community is owned by the "aerospike" user:
-rwxr-xr-x 1 aerospike aerospike 2.8M 2017-08-30 21:33 /usr/bin/asd
That's in root's PATH, and it could conceivably be run as root during testing or debugging. If that ever happens, it's trivial for the "aerospike" user to gain root. Instead, that executable should probably be root:root.
Is this a Gentoo-specific issue? It may be good to report upstream about this.
Gentoo Security Padawan
The ebuild does,
fowners aerospike:aerospike /usr/bin/asd
so it's probably not upstream. If /usr/bin/asd is still owned by a non-root user after deleting that line, then we can blame upstream.
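A check for the condition this report describes, added here as an example and not part of the original thread or the ebuild: it lists executables in a PATH-style directory list whose owner is not the expected UID. The function name `audit_path_owners` is hypothetical, and GNU findutils and coreutils are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): report executables in a PATH-style
# directory list that are not owned by the expected UID (0 for root).
# Assumes GNU find (-perm /111, -uid) and GNU stat (-c).
#
# Usage, as root: audit_path_owners 0 "$PATH"

# audit_path_owners EXPECTED_UID PATH_STRING
# Prints "<owner>:<group> <mode> <path>" for each finding.
# Returns 0 when nothing is found, 1 otherwise.
audit_path_owners() {
    expected_uid=$1
    path_string=$2
    found=0

    # Split PATH_STRING on ':' into the function's positional parameters.
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting
    set -- $path_string
    set +f
    IFS=$old_ifs

    for dir in "$@"; do
        # Skip empty or relative entries and anything that is not a directory.
        case $dir in
            /*) ;;
            *)  continue ;;
        esac
        [ -d "$dir" ] || continue

        # -L follows symlinks, so the owner of the real target is checked.
        results=$(find -L "$dir" -maxdepth 1 -type f -perm /111 \
                       ! -uid "$expected_uid" \
                       -exec stat -L -c '%U:%G %A %n' {} + 2>/dev/null)
        if [ -n "$results" ]; then
            printf '%s\n' "$results"
            found=1
        fi
    done

    [ "$found" -eq 0 ]
}
```

Run against root's PATH on a system with the package installed, the `-rwxr-xr-x aerospike:aerospike` entry for /usr/bin/asd quoted in the report is the kind of line this prints.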
This should be a pretty easy issue to fix within two years =P
Package was treecleaned:
Author: Michał Górny <firstname.lastname@example.org>
Date: Tue Jan 19 09:37:19 2021 +0100
dev-db/aerospike-server-community: Remove last-rited pkg
Signed-off-by: Michał Górny <email@example.com>
All versions unstable so all done here.