Re:Security concerns (Score 2)

It should be pointed out that Debian, at least, has a fakeroot command, which through LDPRELOAD makes it look like the user is root; as a result, tar etc. will set permissions correctly. This is commonly used when building Debian packages, and an equivalent could easily be written for all the other OSes, I believe (although I don't know BSD well enough to tell you whether the same trick will work).