I asked this in a thread about this from last night and didn't get a reply. For context, the way "run0" works is to apparently send a signal to polkit that requests a command under the root user's ID and permissions, thereby getting a privileged shell without SUID:
> How hard would it be to create a program to send a signal to polkit "impersonating" run0 and obtain a root shell without entering a password?
> How hard would it be to create a program to send a signal to polkit "impersonating" run0 and obtain a root shell without entering a password?
Anybody know how this is being authenticated?