Don't run launcher desktop as root (#1049)

ee/desktop/runner/runner_darwin.go

@@ -11,11 +11,6 @@ import (
 
 // For notifications to work, we must run in the user context with launchctl asuser.
 func runAsUser(uid string, cmd *exec.Cmd) error {
-	// Update command so that we're prepending `launchctl asuser $UID` to the launcher desktop command
-	cmd.Path = "/bin/launchctl"
-	updatedCmdArgs := append([]string{"/bin/launchctl", "asuser", uid}, cmd.Args...)
-	cmd.Args = updatedCmdArgs
-
 	// Ensure that we handle a non-root current user appropriately
 	currentUser, err := user.Current()
 	if err != nil {
@@ -27,6 +22,16 @@ func runAsUser(uid string, cmd *exec.Cmd) error {
 		return fmt.Errorf("looking up user with uid %s: %w", uid, err)
 	}
 
+	// Update command so that we're prepending `launchctl asuser $UID sudo --preserve-env -u $runningUser` to the launcher desktop command.
+	// We need to run with `launchctl asuser` in order to get the user context, which is required to be able to send notifications.
+	// We need `sudo -u $runningUser` to set the UID on the command correctly -- necessary for, among other things, correctly observing
+	// light vs dark mode.
+	// We need --preserve-env for sudo in order to avoid clearing SOCKET_PATH, AUTHTOKEN, etc that are necessary for the desktop
+	// process to run.
+	cmd.Path = "/bin/launchctl"
+	updatedCmdArgs := append([]string{"/bin/launchctl", "asuser", uid, "sudo", "--preserve-env", "-u", runningUser.Username}, cmd.Args...)
+	cmd.Args = updatedCmdArgs
+
 	// current user not root
 	if currentUser.Uid != "0" {
 		// if the user is running for itself, just run without setting credentials