run0, which behaves like sudo, but works entirely differently and is not SUID. Run0 asks the services manager to create a shell or command under the target user’s ID, creating a new PTY, sending data back and forth from the originating TTY and the new PTY.
Is that even a problem? Any program can shell out to sudo, hence why you shouldn't set NOPASSWD in sudoers. Polkit takes in a request on an unprivileged interface, that request is evaluated in privileged code against the set of privilege rules, and then passed the proper capabilities if the rules allow. This includes a mechanism where it can, if desired, prompt a user to enter a password, etc., to prevent a rogue program silently acquiring root. But even in the worst case, the rogue program is not going to acquire any capabilities that you would not otherwise have as with sudo, and the breakpoint between privileged and unprivileged code is (in theory) more tightly defined and controlled.
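As an added illustration (not code from the thread or from systemd/polkit), the contrast drawn above between a silent grant and a prompted one can be written as two polkit-style rule functions. The `polkit` object and `evaluate()` below are a constructed stand-in so the rules run under Node, and the action id and the `wheel` group are assumptions for this example.

```javascript
// Constructed stand-in for the Result values polkitd exposes to rule files.
const polkit = { Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin",
                           NOT_HANDLED: "not_handled" } };

// Assumption: the action checked when a caller asks for a transient unit.
const ACTION = "org.freedesktop.systemd1.manage-units";

// Weak rule, the polkit analogue of NOPASSWD: any process running as a
// wheel member is authorised without a prompt.
function weakRule(action, subject) {
  if (action.id === ACTION && subject.isInGroup("wheel")) return polkit.Result.YES;
  return polkit.Result.NOT_HANDLED;
}

// Stricter rule: only wheel members in a local, active session are considered,
// and even they must authenticate, so nothing is granted silently.
function strictRule(action, subject) {
  if (action.id !== ACTION) return polkit.Result.NOT_HANDLED;
  if (!subject.isInGroup("wheel")) return polkit.Result.NO;
  if (!subject.local || !subject.active) return polkit.Result.NO;
  return polkit.Result.AUTH_ADMIN;
}
// In a real file under /etc/polkit-1/rules.d/ the function would be
// registered with polkit.addRule(strictRule).

// Model of the privileged side: rules run in order, the first one that
// handles the request wins, otherwise the action's default applies.
// The default used here is a constructed value for the example.
function evaluate(rules, actionId, subj, fallback = polkit.Result.AUTH_ADMIN) {
  const subject = { ...subj, isInGroup: (g) => subj.groups.includes(g) };
  for (const rule of rules) {
    const r = rule({ id: actionId }, subject);
    if (r && r !== polkit.Result.NOT_HANDLED) return r;
  }
  return fallback;
}

// Constructed sample subjects.
const interactive = { user: "alice", groups: ["wheel"], local: true, active: true };
const background  = { user: "alice", groups: ["wheel"], local: true, active: false };
const outsider    = { user: "bob",   groups: ["users"], local: true, active: true };

console.log("weak/interactive  :", evaluate([weakRule], ACTION, interactive));
console.log("strict/interactive:", evaluate([strictRule], ACTION, interactive));
console.log("strict/background :", evaluate([strictRule], ACTION, background));
```

A result of `yes` means the request proceeds with no user interaction; `auth_admin` means the caller only proceeds after an authentication prompt is answered.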