Stuff in /sandbox should be owned by the cartridge and should probably be fully namespaced to avoid collisions in the future. If the user goes and changes stuff in /sandbox/, that means we can't make any assumptions about it when doing migrations, and it might make migrations impossible in the future.
Actually, a follow-up on this: /sandbox/zend/ is probably the correct namespace. We're deprecating the cartridge-version spacing in the new cartridge style. It should still be root owned though.
Currently, /sandbox is owned by the user.
[zend-bmengdev.dev.rhcloud.com ~]> ls -Zd /sandbox/
drwxrwxrwt. e46b1387514546769fb1e8e46b762033 root system_u:object_r:libra_tmp_t:s0:c0,c537 /sandbox/
Checked on the latest devenv_2108; /sandbox is still user owned.
[zend-bmengdev.dev.rhcloud.com ~]> ls -Zd /sandbox/
drwxrwxrwt. 804e89dd57d34b998941cf5e16e2ff71 root system_u:object_r:libra_tmp_t:s0:c0,c501 /sandbox/
Fixed with pull requests:
https://github.com/openshift/crankcase/pull/452
https://github.com/openshift/li/pull/342
Waiting for merge+test. /sandbox is root owned.
Checked on devenv_2114, issue has been fixed. /sandbox is root owned.
[zend-bmengdev.dev.rhcloud.com ~]> ls -Zd /sandbox/
drwxr-xr-t. root root unconfined_u:object_r:libra_tmp_t:s0:c0,c1001 /sandbox/
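
The manual `ls -Zd` verification in the comments above can be scripted. The following is an added example, not part of the thread or of the OpenShift code: the function name `check_sandbox_line` is hypothetical, and treating group/other write bits as a failure is an assumption that goes beyond the "root owned" requirement stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): judge one line of `ls -Zd` output.
# Assumption: a pass means owner root and no group/other write bit.

check_sandbox_line() {
    # ls -Zd fields: mode owner group selinux-context path
    read -r mode owner group context path <<EOF
$1
EOF
    problems=""
    [ "$owner" = "root" ] || problems="owner=$owner"
    # Characters 6 and 9 of the mode string are the group and other write bits.
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        problems="${problems:+$problems, }mode=$mode"
    fi
    if [ -n "$problems" ]; then
        echo "FAIL $path ($problems)"
        return 1
    fi
    echo "OK $path"
}

# Sample lines quoted from the comments above (before and after the fix).
BEFORE='drwxrwxrwt. e46b1387514546769fb1e8e46b762033 root system_u:object_r:libra_tmp_t:s0:c0,c537 /sandbox/'
AFTER='drwxr-xr-t. root root unconfined_u:object_r:libra_tmp_t:s0:c0,c1001 /sandbox/'

check_sandbox_line "$BEFORE" || true
check_sandbox_line "$AFTER"
```

On a live gear the same function can be fed directly: `check_sandbox_line "$(ls -Zd /sandbox/)"`.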