On Tue, Jan 23, 2024 at 07:07:01AM +0000, Stuart Henderson wrote:
> On 2024/01/22 21:55, Matthew Martin wrote:
> > The command to generate the cap db when login.conf.d is in use isn't
> > immediately obvious as login.conf.d takes precedence which then
> > necessitates the use of -f. Add example to login.conf.5 matching the
> > example without login.conf.d. Command courtesy of Sol?ne.
> 
> I strongly recommend against doing this. When a package is updated to
> a version with a different login.conf.d file, the old db file will
> override the newly updated text file, so the changes won't take effect.
> 

well, login.conf(5) says:

     Note that cap_mkdb(1) must be run after each edit of /etc/login.conf or
     the /etc/login.conf.d/${class} file to keep the database version in sync
     with the plain file.

so maybe we should be more active in not suggesting this route for
login.conf.d (if, as you say, it is not recommended).

jmc