Comment # 2 on bug 1114383 from Fabian Vogt

In KDE4 days, kcheckpass was setuid root as can be seen in /etc/permissions:

# needs setuid root when using shadow via NIS:
# #66218
/opt/kde3/bin/kcheckpass                                root:shadow       4755
/usr/lib/kde4/libexec/kcheckpass                        root:shadow       4755
/usr/lib64/kde4/libexec/kcheckpass                      root:shadow       4755

This is not the case anymore, now kcheckpass is just a normal binary without
any special capabilities.

Manually adding suid/sgid permissions to a system binary is not something
accounted for in the package and it shouldn't need to be. Otherwise every
package shipping a binary would need to call %set_permissions.