rollcat/judo

Privilege escalation mechanism

rollcat opened this issue · 0 comments

Currently the privilege escalation story is quite poor:

  • We can pretend we don't need to be another user on the remote machine (limits usefulness).

  • We can SSH in directly as root (bad idea, don't do this).

  • We can SSH in as a regular user that has password-less sudo/doas, and ask the user either to re-exec the script if the UID is not 0, or to prefix each privileged command with sudo/doas.

    This is cumbersome, requires boilerplate, and is also not ideal if you prefer to have a sudo/doas password in interactive sessions (such as when you're managing a machine that also serves as a workstation).

    Some people would argue this is equivalent to SSH'ing in directly as root, but at least with remote syslog or chflags+securelevel you can get an audit trail. So this is what we currently recommend.

Some bad ideas to improve upon this:

  • We could pretend to be typing into the sudo password prompt, which sounds very brittle and probably can do a lot of harm. It also opens the question of storing the passwords securely on the controller.
  • We could auto-install a setuid helper on the remote host, in some "bootstrap phase". This breaks the promise of not requiring any client-side components, so perhaps it can be opt-in. Probably should be a separate project. Also sounds like a rootkit.
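As an added illustration of the "re-exec the script if the UID is not 0" boilerplate from the third option above (example code, not from the judo project; the function names, the `logger` tag and the use of the `-n` non-interactive flag of doas/sudo are my choices):

```shell
#!/bin/sh
# Added example: the header a judo script would carry so that it runs
# as a regular SSH user but re-execs itself under doas/sudo when needed.

# Print the first available privilege-escalation tool, or return 1.
# Usage: find_escalator [tool ...]   (defaults to doas, then sudo)
find_escalator() {
    [ $# -eq 0 ] && set -- doas sudo
    for tool in "$@"; do
        if command -v "$tool" >/dev/null 2>&1; then
            printf '%s\n' "$tool"
            return 0
        fi
    done
    return 1
}

# Non-interactive invocation for a tool. Both doas and sudo accept -n:
# fail at once instead of prompting, so an unattended script never hangs
# on a password prompt it cannot answer (and never has to fake typing).
escalation_prefix() {
    case "$1" in
        doas) printf 'doas -n' ;;
        sudo) printf 'sudo -n' ;;
        *)    return 1 ;;
    esac
}

# Re-exec the running script as root if the current UID is not 0.
# Returns 1 (without exec'ing) when no escalation tool is available.
ensure_root() {
    [ "$(id -u)" -eq 0 ] && return 0
    tool=$(find_escalator) || return 1
    # Leave a trace in syslog before escalating; with remote syslog this
    # is the audit trail the issue mentions. Tag "judo" is assumed.
    logger -t judo "re-exec as root via $tool: $0 $*" 2>/dev/null
    # shellcheck disable=SC2046  (word-splitting the prefix is intended)
    exec $(escalation_prefix "$tool") "$0" "$@"
}

# Guarded so that sourcing this file defines the functions only; set
# JUDO_EXAMPLE_MAIN=1 to run the privileged body.
if [ "${JUDO_EXAMPLE_MAIN:-0}" = 1 ]; then
    ensure_root "$@" || { echo "no doas/sudo on this host" >&2; exit 1; }
    echo "running as uid $(id -u)"
fi
```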