@pid_eins yesss this is great, thank you. it would be really nice if NO_NEW_PRIVS was more widely used, and I think daemon-based sudo is a big step towards that...