#70016 new defect
Opened 4 months ago, last modified 4 months ago

destroot phase does not confine process to destroot directory

Reported by: mohd-akram (Mohamed Akram)
Owned by:
Priority: High
Milestone:
Component: base
Version: 2.9.3
Keywords:
Cc:
Port:

Description

Currently, a portfile can write to anywhere outside the destroot directory in the destroot phase. This is problematic because a port might not have proper support for DESTDIR and might end up polluting directories outside its scope. It's also problematic to have this phase run as root, which I imagine is not necessary in 99% of cases, and in cases where it might be necessary (e.g. chown, chmod), that should be handled in a declarative manner ideally, or at the very minimum be opt-in via destroot.asroot until that option is available.

Change History (1)

comment:1 Changed 4 months ago by jmroot (Joshua Root)

Sandboxing does prevent writing outside the workpath for commands run with system, though not for native Tcl commands the Portfile may run.
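
The pollution the description warns about (an install step that ignores DESTDIR and writes into the live prefix), which the comment above notes the sandbox does not catch for native Tcl commands, can be detected after the fact by diffing the prefix before and after the step. The script below is an added example and is not MacPorts base or Portfile code: it builds a throwaway fake prefix with a destroot directory under it (mimicking MacPorts' layout as an assumption), runs two simulated install steps, and reports every file that appeared or changed outside the destroot. It only needs POSIX sh, find, cksum, comm and sed; the `install_*` functions and the `demo` wrapper are constructed for this illustration.

```shell
#!/bin/sh
# Added example; this is not MacPorts base or Portfile code. It detects
# files that an install step created or modified outside its destroot
# directory by diffing a checksum listing of the prefix before and after.
# Every path below is a constructed temp directory, never a real prefix.

# tree_digest DIR: one "crc size path" line per regular file, sorted.
# cksum is run per file so it is never invoked with an empty list.
tree_digest() {
    find "$1" -type f -exec cksum {} \; | sort
}

# stray_writes PREFIX DESTROOT CMD [ARGS...]
# Runs CMD and prints each file under PREFIX that is new or changed and
# does not live below DESTROOT. Prints nothing when the step stayed inside
# DESTROOT. Because it inspects the filesystem rather than wrapping the
# command, it sees writes made by any process, including native Tcl code.
stray_writes() {
    prefix=$1; destroot=$2; shift 2
    before=$(mktemp); after=$(mktemp)
    tree_digest "$prefix" > "$before"
    "$@"
    tree_digest "$prefix" > "$after"
    # lines only in the later listing are new or modified files
    comm -13 "$before" "$after" | sed 's/^[0-9]* [0-9]* //' |
    while IFS= read -r path; do
        case $path in
            "$destroot"/*) ;;                 # inside destroot: fine
            *) printf '%s\n' "$path" ;;       # outside destroot: report
        esac
    done
    rm -f "$before" "$after"
}

# Two simulated install steps over a fake prefix (constructed data).
# The first ignores DESTDIR and writes straight into the live prefix, the
# pollution this ticket describes; the second honours it.
install_ignoring_destdir() {   # $1 = prefix, $2 = destroot
    mkdir -p "$1/bin" && printf 'polluted\n' > "$1/bin/tool"
}
install_honouring_destdir() {  # $1 = prefix, $2 = destroot
    mkdir -p "$2$1/bin" && printf 'staged\n' > "$2$1/bin/tool"
}

# demo: run both steps against a fresh fake prefix and return the number
# of stray paths each produced, as "bad=N good=M".
demo() {
    prefix=$(mktemp -d)
    destroot=$prefix/var/build/destroot   # destroot under the prefix, as in MacPorts (assumed layout)
    mkdir -p "$destroot"
    bad=$(stray_writes "$prefix" "$destroot" install_ignoring_destdir "$prefix" "$destroot" | wc -l)
    good=$(stray_writes "$prefix" "$destroot" install_honouring_destdir "$prefix" "$destroot" | wc -l)
    rm -rf "$prefix"
    echo "bad=$((bad)) good=$((good))"
}

demo
```

The check is deliberately independent of how the write happened: a `system` call blocked by sandbox-exec, a native Tcl `file copy`, or a Makefile that hard-codes the prefix all leave the same evidence on disk. Running it around a real destroot would mean listing the actual prefix, which is slow on a large install, so in practice one would restrict the scan to the directories the port is expected to touch.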
