Out of interest, was there any discussion about using polkit here? If it is acceptable for snapd to (optionally) talk to D-Bus, then I think this would be possible and not interfere with the existing authentication system.
Here’s a quick sketch of how it could work:
- When incoming connections are made to the REST port, record the peer’s pid in the same way their uid is currently recorded.
- When processing a request, check the request headers for `Authorization: polkit`.
- If the request requires superuser privileges and polkit authorization has been requested, call polkitd’s `CheckAuthorization` D-Bus method with the peer’s pid and an action ID derived from the REST API request. If polkitd grants permission, allow the request to complete.
Connecting to the system bus could be delayed until this mode is requested, and it shouldn’t be too difficult to reconnect to the bus if it has been restarted since the last polkit request.
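The decision logic sketched above, written out as an added example in Go (this is illustrative code, not snapd's own and not from the original post). The D-Bus round trip to polkitd is hidden behind a `PolkitAuthority` interface so the example runs without a bus; a real implementation would call `org.freedesktop.PolicyKit1.Authority.CheckAuthorization` on the system bus with a `unix-process` subject. The `io.snapcraft.snapd.<method>.<path>` action-ID naming and the `PeerInfo` struct are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// PolkitAuthority abstracts the call to polkitd. The real method is
// org.freedesktop.PolicyKit1.Authority.CheckAuthorization on the system bus,
// whose "unix-process" subject carries the peer's pid (and its start time,
// so a recycled pid cannot impersonate the original process).
type PolkitAuthority interface {
	CheckAuthorization(pid uint32, actionID string) (bool, error)
}

// PeerInfo is what the connection layer records per accepted socket:
// the uid it records today plus the pid the post proposes to add (both
// obtainable from SO_PEERCRED on a Unix socket). Assumed shape.
type PeerInfo struct {
	UID uint32
	PID uint32
}

// ActionID derives a polkit action ID from the REST request. The naming
// scheme io.snapcraft.snapd.<method>.<path> is an assumption for this example.
func ActionID(method, path string) string {
	p := strings.ReplaceAll(strings.Trim(path, "/"), "/", ".")
	return fmt.Sprintf("io.snapcraft.snapd.%s.%s", strings.ToLower(method), p)
}

// Decision is the outcome of the privilege check.
type Decision int

const (
	Deny Decision = iota
	Allow
)

// Authorize implements the sketch: root is allowed outright; otherwise a
// request that needs superuser privileges is referred to polkitd only when
// the client opted in with "Authorization: polkit". Any polkitd failure
// denies the request (fail closed).
func Authorize(peer PeerInfo, req *http.Request, needsRoot bool, polkit PolkitAuthority) (Decision, error) {
	if !needsRoot || peer.UID == 0 {
		return Allow, nil
	}
	if !strings.EqualFold(strings.TrimSpace(req.Header.Get("Authorization")), "polkit") {
		return Deny, nil
	}
	ok, err := polkit.CheckAuthorization(peer.PID, ActionID(req.Method, req.URL.Path))
	if err != nil || !ok {
		return Deny, err
	}
	return Allow, nil
}

// StubAuthority stands in for polkitd: a constructed grant table keyed by
// "<pid>:<action-id>", used so the example runs offline.
type StubAuthority struct{ Grants map[string]bool }

func (s StubAuthority) CheckAuthorization(pid uint32, actionID string) (bool, error) {
	return s.Grants[fmt.Sprintf("%d:%s", pid, actionID)], nil
}

// DownAuthority models the system bus being unreachable.
type DownAuthority struct{}

func (DownAuthority) CheckAuthorization(uint32, string) (bool, error) {
	return false, errors.New("polkitd unreachable")
}

func main() {
	auth := StubAuthority{Grants: map[string]bool{"4242:io.snapcraft.snapd.post.v2.snaps.hello": true}}
	req, _ := http.NewRequest("POST", "/v2/snaps/hello", nil)
	req.Header.Set("Authorization", "polkit")
	d, err := Authorize(PeerInfo{UID: 1000, PID: 4242}, req, true, auth)
	fmt.Println("decision:", d, "err:", err) // decision: 1 err: <nil>  (1 == Allow)
}
```

Two points the interface hides but a real caller must handle: the `unix-process` subject should include the process start time read from `/proc/<pid>/stat` alongside the pid, and a D-Bus error (bus restarted, polkitd absent) must deny rather than fall through to the uid-based path.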