On-demand privilege escalation via OS auth agents (polkit/osascript/UAC) with auto-expiry

Resolved 💬 2 comments Opened Feb 26, 2026 by darekh-pixel Closed Mar 27, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

When Claude needs elevated privileges (e.g. to install packages, write system files),
the typical workaround is adding the user to sudoers with NOPASSWD — which grants
permanent, passive root access. This is a poor security posture.

Claude Code also can't prompt for a sudo password (no TTY), so there's currently no
clean middle ground between "always elevated" and "restart in an elevated terminal."

Proposed Solution

A built-in mechanism where Claude can request temporary elevated access, the OS
handles authentication via its native agent, and access auto-expires.

Linux (polkit/pkexec): Claude calls pkexec <grant-script> → KDE/GNOME
password dialog appears → user authenticates → sudoers entry created with a
systemd transient timer that auto-revokes after N minutes (survives Claude crashes).

macOS: equivalent via osascript auth dialogs or authorizationdb
Windows: equivalent via UAC prompt

Security Properties

  • User-visible: a real OS dialog, not a text prompt Claude controls
  • Short-lived: configurable timeout (e.g. 15 min default)
  • Crash-safe: timer fires even if Claude exits unexpectedly
  • Principle of least privilege: no standing elevated access

Alternative Solutions

We implemented this manually on Linux using polkit + systemd-run:

  • pkexec /usr/local/bin/eyo-sudo-grant [minutes] → KDE dialog → timed sudo access
  • sudo /usr/local/bin/eyo-sudo-revoke → immediate revocation
  • systemd transient timer handles auto-revoke on crash

Works well. Would be a strong built-in for users who need occasional elevated ops
without permanently weakening their security posture.

Priority

Medium - Would be very helpful

Feature Category

CLI commands and flags

Use Case Example

1. Package installation
Claude is helping debug a missing dependency. It needs to run pacman -S or
apt install. Currently requires either NOPASSWD or the user to manually run
the command themselves. With this feature: Claude requests elevation, user
approves the popup, package installs, access revokes.

2. System file edits
Claude needs to edit /etc/hosts, a systemd service, or a config in /etc/.
Same friction today. Timed elevation lets Claude make the edit and immediately
give up root.

3. Service management
Restarting a system service (systemctl restart nginx) during a debugging
session. Currently blocked without standing sudo. One approval, one action,
auto-revoke.

4. Long agentic tasks
Claude is running a multi-step setup script that needs elevation at step 3 of 10.
With auto-expiry, the window of exposure is bounded — even if Claude hits a usage
limit mid-task or the session crashes, privileges lapse automatically.

5. Shared/family machines
A user runs Claude Code on a machine others also use. Permanent NOPASSWD is
unacceptable. On-demand elevation means they can still get the productivity
benefits without permanently lowering the security bar for everyone on the system

Additional Context

_No response_

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗