run0: Never ask --empower sessions for polkit auth

A --empower session is effectively root without being UID 0, so it
doesn't make sense to enforce polkit authentication in those. Let's
add the empower group, add --empower sessions to that group and ship
a polkit rule to skip authentication for all users in the empower
group.

(As a side-effect this will also allow users to add themselves to this
group outside of 'run0 --empower' to mimic NOPASSWD from sudo)
Daan De Meyer
2025-11-12 14:05:54 +01:00
parent d82d500b40
commit 3150c34270
7 changed files with 30 additions and 3 deletions


@@ -16,8 +16,9 @@ u! {{NOBODY_USER_NAME}} 65534:65534 "Kernel Overflow User" -
# Administrator group: can *see* more than normal users
g adm {{ADM_GID }} - -
# Administrator group: can *do* more than normal users
# Administrator groups: can *do* more than normal users
g wheel {{WHEEL_GID }} - -
g empower {{EMPOWER_GID}} - -
# Access to shared database of users on the system
g utmp {{UTMP_GID }} - -
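Review bot: The new `g empower {{EMPOWER_GID}} - -` line is documented only by the shared comment "Administrator groups: can *do* more than normal users", which hides the fact, stated in the commit message, that membership in this group skips polkit authentication entirely. Please give `empower` its own comment line saying that any user listed in the group gets polkit actions authorized without a prompt (the NOPASSWD-like side effect), so that someone auditing group membership from this file can see that a static entry in `empower` is a standing privilege grant and not just a marker for `run0 --empower` sessions. It would also help to say in that comment whether static membership is an intended, supported configuration or only tolerated, since the commit message describes it as a side effect.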