diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index 60126a829..3ff93385d 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -38,6 +38,7 @@ in
   "bridge-utils" # for brctl; debug linux "bridge" inet devices
   "btrfs-progs"
   "cacert.unbundled" # some services require unbundled /etc/ssl/certs
+  "captree"
   "cryptsetup"
   "curl"
   "ddrescue"
@@ -818,8 +819,6 @@ in
 
   libcamera = {};
 
-  libcap.packageUnwrapped = pkgs.libcap-with-captree;
-  libcap.sandbox.enable = false; #< for `capsh`, which i use as a sandboxer
   libcap_ng.sandbox.enable = false; # there's something about /proc/$pid/fd which breaks `readlink`/stat with every sandbox technique (except capsh-only)
 
   libnotify.sandbox.method = "bwrap";
diff --git a/hosts/common/programs/capsh.nix b/hosts/common/programs/capsh.nix
new file mode 100644
index 000000000..cce82f80c
--- /dev/null
+++ b/hosts/common/programs/capsh.nix
@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  sane.programs.capsh = {
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap "capsh";
+    sandbox.enable = false; #< i use `capsh` as a sandboxer.
+  };
+}
diff --git a/hosts/common/programs/captree.nix b/hosts/common/programs/captree.nix
new file mode 100644
index 000000000..84be325f2
--- /dev/null
+++ b/hosts/common/programs/captree.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+  sane.programs.captree = {
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap-with-captree "captree";
+    sandbox.method = "bwrap";
+    sandbox.isolatePids = false;
+  };
+}
diff --git a/hosts/common/programs/default.nix b/hosts/common/programs/default.nix
index feb1e5059..0b0f8fc38 100644
--- a/hosts/common/programs/default.nix
+++ b/hosts/common/programs/default.nix
@@ -21,6 +21,8 @@
   ./callaudiod.nix
   ./calls.nix
   ./cantata.nix
+  ./capsh.nix
+  ./captree.nix
   ./catt.nix
   ./celeste64.nix
   ./chatty.nix
diff --git a/hosts/common/programs/sanebox.nix b/hosts/common/programs/sanebox.nix
index 34ef54d04..79ad61cd6 100644
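Review bot: Dropping `libcap.sandbox.enable = false` and `libcap.packageUnwrapped` means that if the `libcap` program is still enabled on any host, it now ships the default libcap package under the default sandbox settings, which is a behaviour change beyond the move of `capsh` into its own package. The comment on the removed line explained why libcap was unsandboxed; that rationale now lives only in capsh.nix, so a `getcap`/`setcap` user of the remaining `libcap` entry (if one exists) has no exemption any more. It would be worth confirming that no other module still reads `cfg.libcap.package` expecting `capsh` to be in it, since this diff only rewires sanebox.nix and modules/programs/default.nix. The attrset these lines belong to starts and ends outside the hunk.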
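Review bot: `packageUnwrapped` takes `capsh` from plain `pkgs.libcap`, whereas the entry removed from assorted.nix took the whole program from `pkgs.libcap-with-captree` and captree.nix still does, so the sandboxer's `capsh` binary now comes from a different derivation than before and both libcap builds end up in the closure. If `libcap-with-captree` is only libcap plus the captree tool this is harmless, but it is not stated anywhere; a short comment would stop the next reader from "fixing" it one way or the other, e.g. `packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap "capsh"; #< plain libcap on purpose; only captree needs the libcap-with-captree build`. Keeping `sandbox.enable = false` on the one binary that is itself the sandboxer is expected, and the existing comment covers it.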
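Review bot: `sandbox.isolatePids = false` is the security-relevant line here and carries no explanation: captree's job is to walk other processes' capability sets out of `/proc`, so it genuinely needs the host pid namespace, but that is not obvious from the file. Suggest `sandbox.isolatePids = false; #< captree reads other processes' capabilities from /proc, so it must see the host pid namespace`. The neighbouring comment in assorted.nix says `/proc/$pid/fd` access breaks under every sandbox technique except capsh-only; it is worth checking that captree's `/proc/<pid>/status` reads actually work under `bwrap` with pids unisolated before relying on this entry, since nothing in the diff shows it was exercised.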
--- a/hosts/common/programs/sanebox.nix
+++ b/hosts/common/programs/sanebox.nix
@@ -20,7 +20,7 @@ in
   bubblewrap = cfg.bubblewrap.package;
   iproute2 = cfg.iproute2.package;
   iptables = cfg.iptables.package;
-  libcap = cfg.libcap.package;
+  libcap = cfg.capsh.package; #< the sandboxer doesn't use any other libcap binaries
   passt = cfg.passt.package;
   landlock-sandboxer = cfg.landlock-sandboxer.package;
   # landlock-sandboxer = pkgs.landlock-sandboxer.override {
diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index 5b0f82fe7..a0eb360be 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -480,11 +480,11 @@ let
     suggestedPrograms = lib.optionals (config.sandbox.method == "bwrap") [
       "bubblewrap" "passt" "iproute2" "iptables"
     ] ++ lib.optionals (config.sandbox.method == "landlock") [
-      "landlock-sandboxer" "libcap"
+      "landlock-sandboxer" "capsh"
     ] ++ lib.optionals (config.sandbox.method == "pastaonly") [
-      "passt" "iproute2" "iptables" "libcap"
+      "passt" "iproute2" "iptables" "capsh"
     ] ++ lib.optionals (config.sandbox.method == "capshonly") [
-      "libcap"
+      "capsh"
     ];
     # declare a fs dependency for each secret, but don't specify how to populate it yet.
     # can't populate it here because it varies per-user.
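Review bot: The attribute keeps the name `libcap` while it now holds a package that, going by `linkBinIntoOwnPackage pkgs.libcap "capsh"` in capsh.nix, exposes only `capsh`; any `${libcap}/bin/<other-tool>` reference in the sandboxer template would therefore stop failing at eval time and start failing at run time, inside the sandbox wrapper. The trailing comment asserts no other libcap binary is used, but the template itself is outside this hunk, so that claim should be checked against it. Renaming the key to match its contents, `capsh = cfg.capsh.package;`, would make that substitution visible at the use site rather than relying on the comment. The attrset these bindings belong to begins and ends outside the hunk.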
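Review bot: After this change `"capsh"` is appended in each of the three non-bwrap branches, so the rule "every method except bwrap needs capsh" is now stated three times and a fourth method added later has to remember it. If the order of `suggestedPrograms` does not matter (it reads like a set of names), a single `++ lib.optionals (builtins.elem config.sandbox.method [ "landlock" "pastaonly" "capshonly" ]) [ "capsh" ]` after the per-method lists would express it once. The `suggestedPrograms` binding and its enclosing `let` start outside the hunk.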