core: add privesc package for privilege escalation

- Adds support for run0 and doas fixes #998
2026-04-17 19:22:04 -04:00 · 2026-04-16 13:02:46 -04:00
parent d7fb75f7f9
commit c6e8067a22
23 changed files with 780 additions and 432 deletions
--- a/core/internal/pam/pam.go
+++ b/core/internal/pam/pam.go
@@ -11,6 +11,7 @@ import (
 	"time"

 	"github.com/AvengeMedia/DankMaterialShell/core/internal/distros"
+	"github.com/AvengeMedia/DankMaterialShell/core/internal/privesc"
 )

 const (
@@ -80,16 +81,18 @@ type lockscreenPamResolver struct {

 func defaultSyncDeps() syncDeps {
 	return syncDeps{
-		pamDir:                             "/etc/pam.d",
-		greetdPath:                         GreetdPamPath,
-		dankshellPath:                      DankshellPamPath,
-		dankshellU2fPath:                   DankshellU2FPamPath,
-		isNixOS:                            IsNixOS,
-		readFile:                           os.ReadFile,
-		stat:                               os.Stat,
-		createTemp:                         os.CreateTemp,
-		removeFile:                         os.Remove,
-		runSudoCmd:                         runSudoCmd,
+		pamDir:           "/etc/pam.d",
+		greetdPath:       GreetdPamPath,
+		dankshellPath:    DankshellPamPath,
+		dankshellU2fPath: DankshellU2FPamPath,
+		isNixOS:          IsNixOS,
+		readFile:         os.ReadFile,
+		stat:             os.Stat,
+		createTemp:       os.CreateTemp,
+		removeFile:       os.Remove,
+		runSudoCmd: func(password, command string, args ...string) error {
+			return privesc.Run(context.Background(), password, append([]string{command}, args...)...)
+		},
 		pamModuleExists:                    pamModuleExists,
 		fingerprintAvailableForCurrentUser: FingerprintAuthAvailableForCurrentUser,
 	}
@@ -869,24 +872,3 @@ func fingerprintAuthAvailableForUser(username string) bool {
 	}
 	return hasEnrolledFingerprintOutput(string(out))
 }
-
-func runSudoCmd(sudoPassword string, command string, args ...string) error {
-	var cmd *exec.Cmd
-
-	if sudoPassword != "" {
-		fullArgs := append([]string{command}, args...)
-		quotedArgs := make([]string, len(fullArgs))
-		for i, arg := range fullArgs {
-			quotedArgs[i] = "'" + strings.ReplaceAll(arg, "'", "'\\''") + "'"
-		}
-		cmdStr := strings.Join(quotedArgs, " ")
-
-		cmd = distros.ExecSudoCommand(context.Background(), sudoPassword, cmdStr)
-	} else {
-		cmd = exec.Command("sudo", append([]string{command}, args...)...)
-	}
-
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	return cmd.Run()
-}