Comment 44 for bug 1512002

Sebastien Bacher (seb128) wrote :

I just discussed that with Robert the current rule is

      <allow_any>auth_self</allow_any>
      <allow_inactive>auth_self</allow_inactive>
      <allow_active>yes</allow_active>

the "allow_any" doesn't override the other ones, but active/inactive apply to your local session when active/inactive, the any applies to non local session (e.g ssh case), so the patch fixed the issue with local locked session but not with ssh

letting any client do changes is relaxing a bit permissions but shouldn't be an issue since it only concerns non sensitive datas (locale, keyboard, etc), still I would like a security team comment before doing the change .... Marc, do you have an opinion there?