Instead of clobbering the entire file mode, just toggle the suid bit if
needed. In most cases this will result in a world-readable file.

Introduce the FCAPS_DENY_WORLD_READ setting for users who insist on
having their suid binaries unreadable.

Skip calling chown/chmod if the owner/mode is empty. This may be used by
ebuild authors in certain use cases.

Bug: https://bugs.gentoo.org/938164
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
---
eclass/fcaps.eclass | 35 ++++++++++++++++++++++++++---------
1 file changed, 26 insertions(+), 9 deletions(-)

diff --git a/eclass/fcaps.eclass b/eclass/fcaps.eclass
index 477e1e954ab8..5cb781a7a75d 100644
--- a/eclass/fcaps.eclass
+++ b/eclass/fcaps.eclass
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

# @ECLASS: fcaps.eclass
@@ -66,6 +66,12 @@ esac
#
# Note: If you override pkg_postinst, you must call fcaps_pkg_postinst yourself.

+# @ECLASS_VARIABLE: FCAPS_DENY_WORLD_READ
+# @USER_VARIABLE
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# When set, deny read access on files updated by the fcaps function.
+
# @FUNCTION: fcaps
# @USAGE: [-o <owner>] [-g <group>] [-m <mode>] [-M <caps mode>] <capabilities> <file[s]>
# @DESCRIPTION:
@@ -96,8 +102,13 @@ fcaps() {
# Process the user options first.
local owner='0'
local group='0'
- local mode='4711'
- local caps_m