Comment 32 for bug 369575

Happy to give it a try, Steve. I just commented in that bug report.

This is a potential solution, but putting aside the tricky case of "what happens if the common-* files have customized options, and then the PAM profile changes?", another problem with this approach is the fragility of the customization. If you deselect the module, update, then reselect it, and update... the customized module options are gone without a trace. There's no way to get them back, other than making the same edit to the common-* files again. The only real way to safeguard such customizations is to revert the files to manually-edited mode.

I'm not terribly comfortable with the way the "statefulness" works with this approach, either. The PAM configuration is not just a vector of bits indicating enabled/disabled profiles, but also whatever customizations have been made in the common-* files. If I'm not aware of what these customizations are, then I have no good way of knowing if my PAM config is just that vector, or if there's something more to it. There's no mechanism to tell me "here are all the module options that are different from what's in the profiles."