sys-libs/pam: Make /sbin/unix_chkpwd suid

This is to avoid importing fcaps eclass which adds a dependency on
sys-libs/libcap, which in turn depends on sys-libs/pam. To get out of
this conundrum, we could specify a "-filecaps" use flag for
sys-libs/pam. Problem with this solution would be no capability
override for the binary making it unable to read /etc/shadow. Thus we
make the binary suid. This is strictly less secure than overriding its
capabilities, but I have no idea how to solve it in a less hacky way.

sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1.ebuild

@@ -9,7 +9,7 @@ EAPI=7
 
 MY_P="Linux-${PN^^}-${PV}"
 
-inherit autotools db-use fcaps toolchain-funcs multilib-minimal
+inherit autotools db-use toolchain-funcs multilib-minimal
 
 DESCRIPTION="Linux-PAM (Pluggable Authentication Modules)"
 HOMEPAGE="https://github.com/linux-pam/linux-pam"
@@ -100,6 +100,12 @@ multilib_src_install() {
 multilib_src_install_all() {
 	find "${ED}" -type f -name '*.la' -delete || die
 
+	# Flatcar: The pam_unix module needs to check the password of
+	# the user which requires read access to /etc/shadow
+	# only. Make it suid instead of using CAP_DAC_OVERRIDE to
+	# avoid a pam -> libcap -> pam dependency loop.
+	fperms 4711 /sbin/unix_chkpwd
+
 	# tmpfiles.eclass is impossible to use because
 	# there is the pam -> tmpfiles -> systemd -> pam dependency loop
 
@@ -132,8 +138,4 @@ pkg_postinst() {
 	ewarn "  lsof / | egrep -i 'del.*libpam\\.so'"
 	ewarn ""
 	ewarn "Alternatively, simply reboot your system."
-
-	# The pam_unix module needs to check the password of the user which requires
-	# read access to /etc/shadow only.
-	fcaps cap_dac_override sbin/unix_chkpwd
 }