> PAM is indeed a minefield.

I'd not label it such, but as "critical infrastructure". The problem in your case actually was not in PAM but in pacman. For example, apt and yum/dnf checks whether the checksum of the file being changed is different from the original (provided by the package). In standard configuration, apt asks what to do, dnf just puts the file with .rpmnew extension to prevent these kinds of problems.

pacman's "I don't care, this is the new file and I overwrite what I see" is very dangerous behavior.

▲

sudahtigabulan 3 hours ago | parent | next [-]

Pacman does check for changes in configuration files, and adds .pacnew files instead of overwriting them:

https://wiki.archlinux.org/title/Pacman/Pacnew_and_Pacsave

▲

busterarm an hour ago | parent | prev | next [-]

Even configuring PAM to get what I wanted to begin with was somewhat of an ordeal and took a few tries where I locked myself out of the system as I was building it before I eventually got it right.

Also my problem wasn't really pacman either. It was full disk encryption.

	▲	bayindirh an hour ago \| parent [-]
		Understanding how PAM works is a source of confusion, and the documentation is almost non-existent and tribal. That part is very true. But, after understanding it once, I found the process very intuitive and logical, to be honest.

▲

SSLy 3 hours ago | parent | prev [-]

pacman puts `.pacnew` files just like RPM does.