Thankyou to @malcolmlewis for mentioning impending run0 adoption. This is the kind of useful feedback I had anticipated.
I haven’t tried this out yet, but the manpage gives me confidence:
- Authentication takes place via polkit
…
Any session invoked via run0 will run through the “systemd-run0” PAM stack.
Pretty sure this would ‘just work’ the way I have it already, and at worst would need something like what I wrote for su above.
I’ll read into run0 before I install it, it feels like I’d have a non-zero chance of locking out my accounts 
… Wait… I already have it 
And yeh it just works:
OpenSUSE packagers scoring Ws again.