Posts by daandemeyer@mastodon.social
(DIR) Post #B0L4MaqWQvh4xG6TJ2 by daandemeyer@mastodon.social
2025-11-17T12:46:00Z
2 likes, 2 repeats
Let me be cheeky and preempt @pid_eins's systemd 259 mastodon posts: In systemd 259, I'm making it possible to run commands that need privileges as your current user instead of as root. With "run0 --empower", you'll get a session as your current user in which you can do anything that root would be able to do, without actually being root. This is extremely useful when you need to run something with privileges but still want all created files and directories to be owned by your current user.
(DIR) Post #B0L4McW2E4Ui8IX8eO by daandemeyer@mastodon.social
2025-11-17T12:47:53Z
1 likes, 0 repeats
I got inspired to implement this when I was playing around with bpftrace and systing and got annoyed that the files written by these tools were owned by root instead of my own user. Now I can run "run0 --empower bpftrace" and be sure that any written files are owned by my own user instead of root.
(DIR) Post #B0L4MeK3Va6HjiwbFw by daandemeyer@mastodon.social
2025-11-17T13:55:38Z
1 likes, 0 repeats
@funkylab Instead of changing to root, we keep the current uid/gid and instead give it full ambient capabilities (https://man7.org/linux/man-pages/man7/capabilities.7.html). That's sufficient to pass all kernel privilege checks (disregarding LSMs). To pass polkit checks, we run the "run0 --empower" session with the new "empower" group as an auxiliary group and we ship a polkit rule to allow all actions for users in the "empower" group. Note that this won't work if a tool checks for uid 0 instead of capabilities.
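
The difference between a uid-0 check and a capability check described in the last post, as an added example that is not part of the original posts or of systemd's code: it parses the Uid and Cap* fields of /proc/<pid>/status and classifies the process. The status text is constructed rather than captured from a real "run0 --empower" session, and the highest capability number (40) is an assumption.

```python
# Added example: classify a process from the Uid and Cap* fields of
# /proc/<pid>/status. Sample status text below is constructed.
CAP_SYS_ADMIN = 21     # numbers from linux/capability.h
CAP_BPF = 39
ASSUMED_LAST_CAP = 40  # assumption; a live host reports /proc/sys/kernel/cap_last_cap

def parse_status(text):
    """Return the effective uid and the capability bitmasks as integers."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    state = {"euid": int(fields["Uid"].split()[1])}  # real, effective, saved, fs
    for name in ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb"):
        state[name] = int(fields[name], 16)
    return state

def has_cap(state, cap):
    """Capability-based check: is bit `cap` set in the effective set?"""
    return bool((state["CapEff"] >> cap) & 1)

def classify(text, last_cap=ASSUMED_LAST_CAP):
    state = parse_status(text)
    full = (1 << (last_cap + 1)) - 1
    if state["euid"] == 0:  # the uid-based check the post warns about
        return "root"
    if state["CapEff"] & full == full and state["CapAmb"] & full == full:
        return "non-root with full ambient capabilities"
    if state["CapEff"]:
        return "non-root with partial capabilities"
    return "unprivileged"

# Constructed samples: same uid, different capability sets.
EMPOWERED = """Uid:\t1000\t1000\t1000\t1000
CapInh:\t000001ffffffffff
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
CapAmb:\t000001ffffffffff"""
PLAIN = """Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000"""

if __name__ == "__main__":
    for label, text in (("empowered", EMPOWERED), ("plain", PLAIN)):
        print(label, "->", classify(text))
```

A tool that only tests the effective uid sees both samples as the same unprivileged user, while a capability check distinguishes them.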