Thanks for the refreshed v2 patches! I gave them a quick spin...

As noted on IRC, apparently it lacks actual calls to setcap, so that
part still needs another patch at least!

Otherwise, it did seem to more-or-less work...

There are compatibility symlinks from /run/setuid-programs to
/run/privledged/bin and it sets setuid on requested files.

I was a little curious about why /run/privlidged/bin as opposed to
without /bin ... keeping the door open for other privlidged things? What
about things that come from /gnu/store/*/sbin ? are those handled any
differently?

My only concern is... wow is it hard, even for a native speaker, to
spell privileged!

live well,
  vagrant