From 3150c342705f4ac27f2b3299ac0961e7a70e4451 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Wed, 12 Nov 2025 14:05:54 +0100
Subject: [PATCH] run0: Never ask --empower sessions for polkit auth

A --empower session is effectively root without being UID 0, so it doesn't make sense to enforce polkit authentication in those. Let's add the empower group, add --empower sessions to that group and ship a polkit rule to skip authentication for all users in the empower group.

(As a side-effect this will also allow users to add themselves to this group outside of 'run0 --empower' to mimick NOPASSWD from sudo)
---
man/run0.xml | 5 +++--
meson.build | 1 +
meson_options.txt | 2 ++
src/run/empower.rules | 8 ++++++++
src/run/meson.build | 5 +++++
src/run/run.c | 9 +++++++++
sysusers.d/basic.conf.in | 3 ++-
7 files changed, 30 insertions(+), 3 deletions(-)
create mode 100644 src/run/empower.rules
diff --git a/man/run0.xml b/man/run0.xml
index ee2074b4ab..d44743620e 100644
--- a/man/run0.xml
+++ b/man/run0.xml
@@ -295,8 +295,9 @@ If specified, run0 will elevate the privileges of the selected user (using ) or the current user if no user is explicitly selected. Currently this means
- we give the user all available capabilities, but other privileges may be granted in the future as
- well when using this option.
+ we give the invoked process all available capabilities and add the the empower
+ group as a supplemental group (for which all polkit actions are allowed by default), but other
+ privileges may be granted in the future as well when using this option.
diff --git a/meson.build b/meson.build
index c289d7f53a..f0b921879b 100644
--- a/meson.build
+++ b/meson.build
@@ -886,6 +886,7 @@ foreach option : ['adm-gid', 'clock-gid', 'dialout-gid', 'disk-gid',
+ 'empower-gid',
'input-gid', 'kmem-gid', 'kvm-gid',
diff --git a/meson_options.txt b/meson_options.txt
index d44030ef8b..3cc314eacd 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -295,6 +295,8 @@ option('dialout-gid', type : 'integer', value : 0, description : 'soft-static allocation for the "dialout" group') option('disk-gid', type : 'integer', value : 0, description : 'soft-static allocation for the "disk" group')
+option('empower-gid', type : 'integer', value : 0,
+ description : 'soft-static allocation for the "empower" group')
option('input-gid', type : 'integer', value : 0, description : 'soft-static allocation for the "input" group') option('kmem-gid', type : 'integer', value : 0,
diff --git a/src/run/empower.rules b/src/run/empower.rules
new file mode 100644
index 0000000000..5966625080
--- /dev/null
+++ b/src/run/empower.rules
@@ -0,0 +1,8 @@
+// Allow all actions for users who are in the "empower" group. Users are added to the
+// "empower" group by running run0 --empower.
+
+polkit.addRule(function(action, subject) {
+ if (subject.isInGroup("empower")) {
+ return polkit.Result.YES;
+ }
+});
diff --git a/src/run/meson.build b/src/run/meson.build
index af9d7a04e1..832edcdbc4 100644
--- a/src/run/meson.build
+++ b/src/run/meson.build
@@ -18,3 +18,8 @@ custom_target( command : [jinja2_cmdline, '@INPUT@', '@OUTPUT@'], install : pamconfdir != 'no', install_dir : pamconfdir)
+
+if install_polkit
+ install_data('empower.rules',
+ install_dir : polkitrulesdir)
+endif
diff --git a/src/run/run.c b/src/run/run.c
index 96fa46bd3a..9c79f99d11 100644
--- a/src/run/run.c
+++ b/src/run/run.c
@@ -1420,6 +1420,15 @@ static int transient_service_set_properties(sd_bus_message *m, const char *pty_p
r = sd_bus_message_append(m, "(sv)", "AmbientCapabilities", "t", CAP_MASK_ALL);
if (r < 0)
return bus_log_create_error(r);
+
+ r = getgrnam_malloc("empower", /* ret= */ NULL);
+ if (r < 0 && r != -ESRCH)
+ return log_error_errno(r, "Failed to look up group 'empower' via NSS: %m");
+ if (r >= 0) {
+ r = sd_bus_message_append(m, "(sv)", "SupplementaryGroups", "as", 1, "empower");
+ if (r < 0)
+ return bus_log_create_error(r);
+ }
}
if (arg_nice_set) {
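Review bot: The rule in empower.rules returns polkit.Result.YES for every action to any subject whose groups include "empower", regardless of how that membership was obtained, while its header comment (the first two added lines) describes membership only as something run0 --empower grants. A permanent entry in /etc/group or any other NSS source has exactly the same effect, as the commit message itself points out, so the comment should state the actual contract rather than the expected usage, e.g. `// Any process whose supplementary groups include "empower" is authorized for every polkit action without authentication. run0 --empower adds that group to the invoked process, but membership granted by other means (e.g. /etc/group) is honoured in the same way.` It would also help to note in the comment that the rule never inspects action.id, so it also answers actions that other rules would otherwise require authentication for.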
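Review bot: When the "empower" group is absent from NSS (getgrnam_malloc returns -ESRCH), the added code starts the session with all capabilities but without the supplementary group, so polkit will keep prompting and nothing in the output explains why; a debug line in that branch would make the mismatch diagnosable: `if (r == -ESRCH) log_debug("Group 'empower' does not exist, not adding it as supplementary group.");` placed right after the `if (r < 0 && r != -ESRCH)` check. The group name is now spelled out as a literal in run.c, empower.rules and basic.conf.in; on the C side a single named constant for "empower" used in both the getgrnam_malloc() call and the SupplementaryGroups append would keep them from drifting apart. The enclosing transient_service_set_properties() starts and ends outside the hunk.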
diff --git a/sysusers.d/basic.conf.in b/sysusers.d/basic.conf.in
index 503a4c4dac..cf200fb14f 100644
--- a/sysusers.d/basic.conf.in
+++ b/sysusers.d/basic.conf.in
@@ -16,8 +16,9 @@ u! {{NOBODY_USER_NAME}} 65534:65534 "Kernel Overflow User" -
# Administrator group: can *see* more than normal users
g adm {{ADM_GID }} - -
-# Administrator group: can *do* more than normal users
+# Administrator groups: can *do* more than normal users
g wheel {{WHEEL_GID }} - -
+g empower {{EMPOWER_GID}} - -
# Access to shared database of users on the system
g utmp {{UTMP_GID }} - -
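Review bot: The new `g empower {{EMPOWER_GID}} - -` line carries no comment saying that members of this group pass every polkit check without authentication, which is a considerably broader grant than wheel (whose role in the default polkit configuration is typically only to mark who may authenticate as an administrator). basic.conf.in is where an administrator will look when deciding whether to add a user to the group, so the consequence should be stated next to the definition, e.g. a comment directly above the line: `# Members of "empower" skip polkit authentication for all actions (see run0 --empower)`. Widening the shared header to "Administrator groups" is fine, but on its own it does not convey that difference.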