Bug: The capability CAP_WAKE_ALARM should be whitelisted.

[Robert Woods <robert.woods@use.startmail.com>]

Hello,

Since a recent update of my ArchLinux, I noticed that zsh consider my
user account as privileged and display the sharp symbol (#) instead of
the percent (%) symbol.

The issue was triggered by the systemd update v254 from July 28, 2023.
But let me explain the details first:
1) I noticed that the zsh package in ArchLinux is built with
    the option '--enable-cap'[1]
2) I noticed that the function 'privasserted' that checks if the
    current user is privileged or not, uses the linux capability[2]. If
    there is some effective capability sets, it considers the users as
    privileged.
3) I reproduced the function 'privasserted' on a toy C example to check
    the issue, and I noticed that 'CAP_WAKE_ALARM' was enabled. First I
    thought this issue was coming from a config error on my system, but
    then I figured that this capability was directly inherited from my
    "desktop manager" xlogin[3]. (It is not exactly a desktop manager
    since it is very lightweight, but you get the idea).
4) Since xlogin is simply a systemctl config to start my Xorg session
    I checked the last release of systemd, and sure thing, the release
    note of v254 (July 28, 2023) explains the origin of this issue[4].

Section "Security Relevant Changes" of the release v254 of systemd[4]:
 > pam_systemd will now by default pass the CAP_WAKE_ALARM ambient
 > process capability to invoked session processes of regular users on
 > local seats (as well as to systemd --user), unless configured
 > otherwise [...]. This is useful in order allow desktop tools such as
 > GNOME's Alarm Clock application to set a timer for
 > LOCK_REALTIME_ALARM that wakes up the system when it elapses. [...].
 > Note that this capability is relatively narrow in focus (in
 > particular compared to other process capabilities such as
 > CAP_SYS_ADMIN) and we already — by default — permit more impactful
 > operations such as system suspend to local users.

This change was made by Lennart Poettering himself in a GitHub PR[5].

My thoughts on that:
* Since systemd is widely use, I expect this issue to become a real
   one: users will not understand why they are considered as privileged
   on zsh.
* I understand the rationale of using the capabilities to check if a
   user is privileged or not, however, I think some capabilities should
   be whitelisted like CAP_WAKE_ALARM since it is not very harmful.
* Even if systemd was not allowing CAP_WAKE_ALARM by default, some
   desktop manager would still enable it in their systemctl config
   anyway. So it doesn't change my previous point in my opinion.

I hope my bug report is clear enough. I would like to take this
opportunity to thank you for all the work you guys are doing on zsh!

Kind regards,

Footnotes:
[1] 
https://gitlab.archlinux.org/archlinux/packaging/packages/zsh/-/blob/main/PKGBUILD#L74
[2] https://github.com/zsh-users/zsh/blob/zsh-5.9/Src/utils.c#L7522
[3] https://github.com/joukewitteveen/xlogin
[4] https://github.com/systemd/systemd/releases/tag/v254
[5] https://github.com/systemd/systemd/pull/26548

-- 
Roberts Woods