busterarm 3 hours ago

PAM is indeed a minefield.

A while back I lost a system because I had it configured with full disk encryption and pam_usb for totp-enhanced logins. A bugged update that I applied via pacman broke PAM and I lost my ability to login. This would have been just annoying and not catastrophic had I not also had FDE and forgotten where I stored my LUKS key.

Lesson learned.

bayindirh 3 hours ago | parent

> PAM is indeed a minefield.

I'd not label it such, but as "critical infrastructure". The problem in your case actually was not in PAM but in pacman. For example, apt and yum/dnf check whether the checksum of the file being changed is different from the original (provided by the package). In the standard configuration, apt asks what to do, and dnf just puts the file with an .rpmnew extension to prevent these kinds of problems.

pacman's "I don't care, this is the new file and I overwrite what I see" is very dangerous behavior.

sudahtigabulan 3 hours ago | parent | next

Pacman does check for changes in configuration files, and adds .pacnew files instead of overwriting them:

https://wiki.archlinux.org/title/Pacman/Pacnew_and_Pacsave
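
The config-file merge rule the two comments above describe (compare the on-disk file against the checksum the package originally shipped, and only overwrite when the admin never touched it; otherwise leave the edited file in place and drop the new version beside it as .pacnew / .rpmnew), as an added shell example. This is not code from the thread, from pacman, or from any other package manager; the original checksum is passed in as an argument because a real package manager would read it from its database, and the suffix parameter is a hypothetical knob for this example.

```shell
#!/bin/sh
# Added example: the "don't clobber a locally edited config" rule.
#
# install_config INSTALLED ORIG_SHA256 NEWFILE [SUFFIX]
#   INSTALLED    path of the file currently on disk (e.g. /etc/pam.d/system-auth)
#   ORIG_SHA256  sha256 of that file as the *currently installed package* shipped it
#                (a package manager records this in its database; passed in here)
#   NEWFILE      the file from the updated package
#   SUFFIX       side-by-side name for a sidelined copy; defaults to .pacnew
#                (hypothetical parameter for this example)
#
# Prints exactly one word on stdout: overwritten, unchanged, or sidelined.

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

install_config() {
    installed="$1"; orig_sum="$2"; newfile="$3"; suffix="${4:-.pacnew}"
    new_sum=$(sha256_of "$newfile")

    # Nothing on disk yet: first install, nothing to protect.
    if [ ! -e "$installed" ]; then
        cp "$newfile" "$installed"; echo overwritten; return 0
    fi

    cur_sum=$(sha256_of "$installed")

    # On-disk file already matches what the new package ships.
    if [ "$cur_sum" = "$new_sum" ]; then
        echo unchanged; return 0
    fi

    # The package did not change this file between versions: keep the
    # admin's edits untouched, no .pacnew needed.
    if [ "$orig_sum" = "$new_sum" ]; then
        echo unchanged; return 0
    fi

    # Admin never edited the file: safe to take the new version.
    if [ "$cur_sum" = "$orig_sum" ]; then
        cp "$newfile" "$installed"; echo overwritten; return 0
    fi

    # Both sides changed: keep the admin's file (it is the one the login
    # path depends on) and park the new version next to it for a manual merge.
    cp "$newfile" "$installed$suffix"; echo sidelined; return 0
}
```

The ordering matters for the failure mode in the thread: a PAM stack the admin has hand-edited is never replaced automatically, so a bad package update leaves the working stack in place and produces a .pacnew to review on the next boot, rather than a lockout.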

busterarm an hour ago | parent | prev | next

Even configuring PAM to get what I wanted to begin with was somewhat of an ordeal and took a few tries where I locked myself out of the system as I was building it before I eventually got it right.

Also my problem wasn't really pacman either. It was full disk encryption.

bayindirh an hour ago | parent

Understanding how PAM works is a source of confusion, and the documentation is almost non-existent and tribal. That part is very true.

But, after understanding it once, I found the process very intuitive and logical, to be honest.

SSLy 3 hours ago | parent | prev

pacman puts `.pacnew` files just like RPM does.