pam_console should read the config files from /etc/security/console.perms.d/*.perms and ignore other files in /etc/security/console.perms.d (hint glob(3)) for backwards compatibility it should read /etc/security/console.perms also. first match wins, so if you have 10-local.perms 50-console.perms 70-otherlocal.perms 10-local.perms wins over 50-console.perms... hint use setlocale("C") to ensure reproducible sorting by e.g. glob(3)
10-local.perms wins over 50-console.perms, means "wins" only for the same regexp matches... if no match is found in 10-local.perms, 50-console.perms will be looked up of course.
Should we keep /etc/security/console.perms where it is, but symlink from /etc/security/console.perms.d/default.perms ../console.perms, then read *only* files in /etc/security/console.perms.d/*.perms? Just an idea, maybe bad. Adding FC4Blocker because this is simple to implement and vital functionality that we eventually need.
Then add a note to the default console.perms like "do not edit this file". Then make it no longer a %config file, so it gets wiped out with the default upon every upgrade.
Re comment #2 - I'd like to leave the console.perms file as it is and where it is - it really isn't a complication. OTOH reading only .perms files is surely desirable - to skip backups at least. Re comment #3 - I'm not sure if this is a good idea, because I don't know what would happen on upgrade from the current package with console.perms as %config when an user has modified console.perms file already. Would it leave there the .rpmsave file or not? If not we would erase settings of user who didn't know that we are changing the purpose of console.perms.
just let /etc/security/console.perms be where it is... no hassle..
*** Bug 135093 has been marked as a duplicate of this bug. ***
In response to Comment #4, at some point we need to allow console.perms to be overwritten by a new packaged version. People upgrading to a new distribution should expect some reconfiguration may be needed to get devices working again. People affected by this are very few compared to the real benefit that most people would gain by having an uneditable default console.perms. We might as well make that "new distribution" FC4.
I've changed console.perms to be %config and not %config(noreplace). It should be enough to fix the problem you mention and we don't drop the old settings completely.