Isn’t that exactly what passwd is? A system service that has permission to change the passwords file?

No, the point is that passwd should obtain its privilege by virtue of being started by a privileged process, not by virtue of being marked as a privileged program when it's run by an unprivileged user.

How do you start the privileged process as a normal user?

You don't. It's already started as part of the system. Or you ask some part of the system that is willing to authenticate you to do it for you.

Shhhhhhhhhh.

Stop giving systemd more ideas.

(/s)

(But seriously, imagine a world where you can't get root because D-Bus crashed.)

PolicyKit essentially already does this, and all of the systemd *ctl commands support authentication via polkit

TIL (so that's what the whole PolicyKit thing was all about).

Now I'm wondering what its worst case crash behavior is like.