I just discussed that with Robert; the current rule is

<allow_any>auth_self</allow_any>
<allow_inactive>auth_self</allow_inactive>
<allow_active>yes</allow_active>

The "allow_any" doesn't override the other ones, but active/inactive apply to your local session when active/inactive; the any applies to non-local sessions (e.g. the ssh case), so the patch fixed the issue with a local locked session but not with ssh.
Letting any client do changes is relaxing permissions a bit but shouldn't be an issue since it only concerns non-sensitive data (locale, keyboard, etc.). Still, I would like a security team comment before doing the change... Marc, do you have an opinion there?
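
The session mapping described in the comment above, as an added example (not part of the original comment or the project's code): it reads the three polkit defaults and reports which one applies to each kind of session, before and after relaxing allow_any. The action id is a placeholder and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed policy fragment: the action id is a placeholder; the three
# default values are the ones quoted in the comment above.
POLICY = """<policyconfig>
  <action id="org.example.placeholder.set-locale">
    <defaults>
      <allow_any>auth_self</allow_any>
      <allow_inactive>auth_self</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>"""

KEYS = ("allow_any", "allow_inactive", "allow_active")


def load_defaults(xml_text):
    """Return {action_id: {key: value}} for every action in a policy file."""
    result = {}
    for action in ET.fromstring(xml_text).iter("action"):
        defaults = action.find("defaults")
        values = {}
        for key in KEYS:
            # polkit(8) documents an omitted element as "no".
            text = defaults.findtext(key) if defaults is not None else None
            values[key] = (text or "no").strip()
        result[action.get("id")] = values
    return result


def implicit_result(defaults, local, active):
    """Select the default that applies to the caller's session."""
    if not local:                      # e.g. an ssh login
        return defaults["allow_any"]
    return defaults["allow_active" if active else "allow_inactive"]


def session_matrix(defaults):
    """Effective implicit authorization for each kind of session."""
    return {
        "local active": implicit_result(defaults, True, True),
        "local inactive": implicit_result(defaults, True, False),
        "non-local (ssh)": implicit_result(defaults, False, False),
    }


if __name__ == "__main__":
    for action_id, current in load_defaults(POLICY).items():
        relaxed = dict(current, allow_any="yes")   # the change under discussion
        print(action_id)
        print("  current:", session_matrix(current))
        print("  relaxed:", session_matrix(relaxed))
```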