You can put "sandbox" in the FEATURES line of your make.conf.
Portage normally installs ebuilds in 4 stages:

  unpack  - unpack the source into /var/tmp/portage/packagenameandversion/work/
  compile - configure and compile the source, still in that directory
  install - go through the install stage, but install entirely into
  merge   - if all this works, transfer the files from image/ into user's
            filesystem, but don't overwrite protected config files.

If you use the command "ebuild" you can step through this process stage
It's a big part of the Gentoo philosophy that your filesystem should not
be touched until the last (merge) stage, but a lot of programs will
attempt to install outside of image/, even when the ebuild specifies
DESTDIR or uses other tricks. I was having this problem with pbbuttons,
since the Makefile has an extra script at the end to install the config
file, and it was determined to leave the confines of image/.
If you have sandbox turned on, emerge/ebuild will catch such violations
and stop the install, and usually alert you pretty clearly to what went
wrong. If you don't have it turned on, the install will probably
continue fine, but other things might go wrong. Amongst other things,
config files installed into /etc like this will overwrite older ones -
not a good thing.
It looks like it's turned off by default in the ppc profile, so I was
wondering if this was done for a reason - i.e. it's broken on ppc - or
if I'm the only one that's having a problem with it. If you want to try
it out, I don't think it will break anything permanently - if it freezes
portage, as it did for me, you just have to turn it off again. If it is
broken, that's a problem for ppc development - I'm OK because I can
double-check ebuilds on my PC, but we don't want to require that of
everyone writing ebuilds on a ppc.
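
Added example, not part of the original message and not Portage's own code: a scratch-directory audit that reproduces the failure described above, where an install step writes a config file outside image/ and overwrites an existing one. It is an after-the-fact check rather than the sandbox mechanism itself; `leaky_install`, `escaped_files`, `run_demo` and the `demo` package are hypothetical names, and all paths live under a temporary directory standing in for "/".

```shell
#!/bin/sh
# Constructed demo: everything happens in a scratch directory standing in for "/".

# Hypothetical install step modelled on the Makefile problem described above:
# the binary honours DESTDIR, the trailing config-install script does not.
leaky_install() {   # $1 = stand-in root, $2 = DESTDIR (image/)
    mkdir -p "$2/usr/bin" "$1/etc"
    echo 'binary' > "$2/usr/bin/demo"
    echo 'new defaults' > "$1/etc/demo.conf"    # ignores DESTDIR
}

# Print every regular file under root $1 that changed after marker file $3
# and is not inside image dir $2. Empty output means nothing left image/.
escaped_files() {
    find "$1" -path "$2" -prune -o -type f -newer "$3" -print | sort
}

run_demo() {
    root=$(mktemp -d) || return 1
    image="$root/var/tmp/portage/demo-1.0/image"
    mkdir -p "$image" "$root/etc"
    echo 'admin-tuned settings' > "$root/etc/demo.conf"   # existing config
    touch "$root/.marker"
    sleep 1    # make mtimes differ on filesystems with 1 s resolution
    leaky_install "$root" "$image"
    # Report violations relative to the stand-in root.
    escaped_files "$root" "$image" "$root/.marker" | sed "s|^$root||"
    rm -rf "$root"
}

run_demo
```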