# Copyright (c) 2008, 2009 Edward Tomasz NapieraƂa # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $FreeBSD: head/tests/sys/acl/tools-nfs4.test 288314 2015-09-27 23:33:54Z ngie $ # # This is a tools-level test for NFSv4 ACL functionality. Run it as root # using ACL-enabled kernel: # # /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test # # WARNING: Creates files in unsafe way. $ whoami > root $ umask 022 # Smoke test for getfacl(1). $ touch xxx $ getfacl xxx > # file: xxx > # owner: root > # group: wheel > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow $ getfacl -q xxx > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow # Check verbose mode formatting. $ getfacl -v xxx > # file: xxx > # owner: root > # group: wheel > owner@:execute::deny > owner@:read_data/write_data/append_data/write_attributes/write_xattr/write_acl/write_owner::allow > group@:write_data/execute/append_data::deny > group@:read_data::allow > everyone@:write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::deny > everyone@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow # Test setfacl -a. $ setfacl -a2 u:0:write_acl:allow,g:1:read_acl:deny xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > user:0:-----------C--:-------:allow > group:1:----------c---:-------:deny > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow # Test user and group name resolving. $ rm xxx $ touch xxx $ setfacl -a2 u:root:write_acl:allow,g:daemon:read_acl:deny xxx $ getfacl xxx > # file: xxx > # owner: root > # group: wheel > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > user:root:-----------C--:-------:allow > group:daemon:----------c---:-------:deny > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow # Check whether ls correctly marks files with "+". $ ls -l xxx | cut -d' ' -f1 > -rw-r--r--+ # Test removing entries by number. $ setfacl -x 4 xxx $ setfacl -x 4 xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > user:0:-----------C--:-------:allow > group:1:----------c---:-------:deny > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow # Test setfacl -m. $ setfacl -a0 everyone@:rwx:deny xxx $ setfacl -a0 everyone@:rwx:deny xxx $ setfacl -a0 everyone@:rwx:deny xxx $ setfacl -m everyone@::deny xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > everyone@:--------------:-------:deny > everyone@:--------------:-------:deny > everyone@:--------------:-------:deny > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > user:0:-----------C--:-------:allow > group:1:----------c---:-------:deny > everyone@:--------------:-------:deny > everyone@:r-----a-R-c--s:-------:allow # Test getfacl -i. $ getfacl -i xxx > # file: xxx > # owner: root > # group: wheel > everyone@:--------------:-------:deny > everyone@:--------------:-------:deny > everyone@:--------------:-------:deny > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > user:root:-----------C--:-------:allow:0 > group:daemon:----------c---:-------:deny:1 > everyone@:--------------:-------:deny > everyone@:r-----a-R-c--s:-------:allow # Make sure cp without any flags does not copy copy the ACL. $ cp xxx yyy $ ls -l yyy | cut -d' ' -f1 > -rw-r--r-- # Make sure it does with the "-p" flag. $ rm yyy $ cp -p xxx yyy $ getfacl -n yyy > # file: yyy > # owner: root > # group: wheel > everyone@:--------------:-------:deny > everyone@:--------------:-------:deny > everyone@:--------------:-------:deny > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > user:0:-----------C--:-------:allow > group:1:----------c---:-------:deny > everyone@:--------------:-------:deny > everyone@:r-----a-R-c--s:-------:allow $ rm yyy # Test removing entries by... by example? $ setfacl -x everyone@::deny xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > user:0:-----------C--:-------:allow > group:1:----------c---:-------:deny > everyone@:r-----a-R-c--s:-------:allow # Test setfacl -b. $ setfacl -b xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow $ ls -l xxx | cut -d' ' -f1 > -rw-r--r-- # Check setfacl(1) and getfacl(1) with multiple files. $ touch xxx yyy zzz $ ls -l xxx yyy zzz | cut -d' ' -f1 > -rw-r--r-- > -rw-r--r-- > -rw-r--r-- $ setfacl -m u:42:x:allow,g:43:w:allow nnn xxx yyy zzz > setfacl: nnn: stat() failed: No such file or directory $ ls -l nnn xxx yyy zzz | cut -d' ' -f1 > ls: nnn: No such file or directory > -rw-r--r--+ > -rw-r--r--+ > -rw-r--r--+ $ getfacl -nq nnn xxx yyy zzz > getfacl: nnn: stat() failed: No such file or directory > user:42:--x-----------:-------:allow > group:43:-w------------:-------:allow > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow > > user:42:--x-----------:-------:allow > group:43:-w------------:-------:allow > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow > > user:42:--x-----------:-------:allow > group:43:-w------------:-------:allow > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow $ setfacl -b nnn xxx yyy zzz > setfacl: nnn: stat() failed: No such file or directory $ ls -l nnn xxx yyy zzz | cut -d' ' -f1 > ls: nnn: No such file or directory > -rw-r--r-- > -rw-r--r-- > -rw-r--r-- $ rm xxx yyy zzz # Test applying mode to an ACL. $ touch xxx $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow -x everyone@::allow xxx $ chmod 600 xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > user:42:r-------------:-------:deny > user:42:r-------------:-------:allow > user:43:-w------------:-------:deny > user:43:-w------------:-------:allow > user:44:--x-----------:-------:deny > user:44:--x-----------:-------:allow > owner@:--------------:-------:deny > owner@:-------A-W-Co-:-------:allow > group@:--------------:-------:deny > group@:--------------:-------:allow > everyone@:-------A-W-Co-:-------:deny > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:rwxp----------:-------:deny > group@:--------------:-------:allow > everyone@:rwxp---A-W-Co-:-------:deny > everyone@:------a-R-c--s:-------:allow $ ls -l xxx | cut -d' ' -f1 > -rw-------+ $ rm xxx $ touch xxx $ chown 42 xxx $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx $ chmod 600 xxx $ getfacl -n xxx > # file: xxx > # owner: 42 > # group: wheel > user:42:--------------:-------:deny > user:42:r-------------:-------:allow > user:43:-w------------:-------:deny > user:43:-w------------:-------:allow > user:44:--x-----------:-------:deny > user:44:--x-----------:-------:allow > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:rwxp----------:-------:deny > group@:--------------:-------:allow > everyone@:rwxp---A-W-Co-:-------:deny > everyone@:------a-R-c--s:-------:allow $ ls -l xxx | cut -d' ' -f1 > -rw-------+ $ rm xxx $ touch xxx $ chown 43 xxx $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx $ chmod 124 xxx $ getfacl -n xxx > # file: xxx > # owner: 43 > # group: wheel > user:42:r-------------:-------:deny > user:42:r-------------:-------:allow > user:43:-w------------:-------:deny > user:43:-w------------:-------:allow > user:44:--x-----------:-------:deny > user:44:--x-----------:-------:allow > owner@:rw-p----------:-------:deny > owner@:--x----A-W-Co-:-------:allow > group@:r-x-----------:-------:deny > group@:-w-p----------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow $ ls -l xxx | cut -d' ' -f1 > ---x-w-r--+ $ rm xxx $ touch xxx $ chown 43 xxx $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx $ chmod 412 xxx $ getfacl -n xxx > # file: xxx > # owner: 43 > # group: wheel > user:42:r-------------:-------:deny > user:42:r-------------:-------:allow > user:43:-w------------:-------:deny > user:43:-w------------:-------:allow > user:44:--------------:-------:deny > user:44:--x-----------:-------:allow > owner@:-wxp----------:-------:deny > owner@:r------A-W-Co-:-------:allow > group@:rw-p----------:-------:deny > group@:--x-----------:-------:allow > everyone@:r-x----A-W-Co-:-------:deny > everyone@:-w-p--a-R-c--s:-------:allow $ ls -l xxx | cut -d' ' -f1 > -r----x-w-+ $ mkdir ddd $ setfacl -a0 group:44:rwapd:allow ddd $ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd $ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd $ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd $ getfacl -n ddd > # file: ddd > # owner: root > # group: wheel > user:42:r-x-----------:f-i----:allow > group:42:-w--D---------:-d-----:allow > group:43:-w--D---------:-d-----:deny > group@:-----da-------:-------:allow > group:44:rw-p-da-------:-------:allow > owner@:--------------:-------:deny > owner@:rwxp---A-W-Co-:-------:allow > group@:-w-p----------:-------:deny > group@:r-x-----------:-------:allow > everyone@:-w-p---A-W-Co-:-------:deny > everyone@:-w-p--a-R-c--s:f-i----:allow $ chmod 777 ddd $ getfacl -n ddd > # file: ddd > # owner: root > # group: wheel > user:42:r-x-----------:f-i----:allow > group:42:-w--D---------:-di----:allow > group:42:--------------:-------:deny > group:42:-w--D---------:-------:allow > group:43:-w--D---------:-di----:deny > group:43:-w--D---------:-------:deny > group@:-----da-------:-------:allow > group:44:--------------:-------:deny > group:44:rw-p-da-------:-------:allow > owner@:--------------:-------:deny > owner@:-------A-W-Co-:-------:allow > group@:--------------:-------:deny > group@:--------------:-------:allow > everyone@:-------A-W-Co-:-------:deny > everyone@:-w-p--a-R-c--s:f-i----:allow > owner@:--------------:-------:deny > owner@:rwxp---A-W-Co-:-------:allow > group@:--------------:-------:deny > group@:rwxp----------:-------:allow > everyone@:-------A-W-Co-:-------:deny > everyone@:rwxp--a-R-c--s:-------:allow $ rmdir ddd $ mkdir ddd $ setfacl -a0 group:44:rwapd:allow ddd $ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd $ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd $ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd $ chmod 124 ddd $ getfacl -n ddd > # file: ddd > # owner: root > # group: wheel > user:42:r-x-----------:f-i----:allow > group:42:-w--D---------:-di----:allow > group:42:--------------:-------:deny > group:42:----D---------:-------:allow > group:43:-w--D---------:-di----:deny > group:43:-w--D---------:-------:deny > group@:-----da-------:-------:allow > group:44:r-------------:-------:deny > group:44:r----da-------:-------:allow > owner@:--------------:-------:deny > owner@:-------A-W-Co-:-------:allow > group@:--------------:-------:deny > group@:--------------:-------:allow > everyone@:-------A-W-Co-:-------:deny > everyone@:-w-p--a-R-c--s:f-i----:allow > owner@:rw-p----------:-------:deny > owner@:--x----A-W-Co-:-------:allow > group@:r-x-----------:-------:deny > group@:-w-p----------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow $ rmdir ddd $ mkdir ddd $ setfacl -a0 group:44:rwapd:allow ddd $ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd $ setfacl -a0 user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd $ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd $ chmod 412 ddd $ getfacl -n ddd > # file: ddd > # owner: root > # group: wheel > user:42:r-------------:-------:deny > user:42:r-x-----------:-------:allow > user:42:r-x-----------:f-i----:allow > group:42:-w--D---------:-di----:allow > group:42:-w------------:-------:deny > group:42:-w--D---------:-------:allow > group:43:-w--D---------:-di----:deny > group:43:-w--D---------:-------:deny > group@:-----da-------:-------:allow > group:44:rw-p----------:-------:deny > group:44:rw-p-da-------:-------:allow > owner@:--------------:-------:deny > owner@:-------A-W-Co-:-------:allow > group@:--------------:-------:deny > group@:--------------:-------:allow > everyone@:-------A-W-Co-:-------:deny > everyone@:-w-p--a-R-c--s:f-i----:allow > owner@:-wxp----------:-------:deny > owner@:r------A-W-Co-:-------:allow > group@:rw-p----------:-------:deny > group@:--x-----------:-------:allow > everyone@:r-x----A-W-Co-:-------:deny > everyone@:-w-p--a-R-c--s:-------:allow $ rmdir ddd $ mkdir ddd $ setfacl -a0 group:44:rwapd:allow ddd $ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd $ setfacl -a0 user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd $ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd $ chown 42 ddd $ chmod 412 ddd $ getfacl -n ddd > # file: ddd > # owner: 42 > # group: wheel > user:42:--x-----------:-------:deny > user:42:r-x-----------:-------:allow > user:42:r-x-----------:f-i----:allow > group:42:-w--D---------:-di----:allow > group:42:-w------------:-------:deny > group:42:-w--D---------:-------:allow > group:43:-w--D---------:-di----:deny > group:43:-w--D---------:-------:deny > group@:-----da-------:-------:allow > group:44:rw-p----------:-------:deny > group:44:rw-p-da-------:-------:allow > owner@:--------------:-------:deny > owner@:-------A-W-Co-:-------:allow > group@:--------------:-------:deny > group@:--------------:-------:allow > everyone@:-------A-W-Co-:-------:deny > everyone@:-w-p--a-R-c--s:f-i----:allow > owner@:-wxp----------:-------:deny > owner@:r------A-W-Co-:-------:allow > group@:rw-p----------:-------:deny > group@:--x-----------:-------:allow > everyone@:r-x----A-W-Co-:-------:deny > everyone@:-w-p--a-R-c--s:-------:allow # Test applying ACL to mode. $ rmdir ddd $ mkdir ddd $ setfacl -a0 u:42:rwx:fi:allow ddd $ ls -ld ddd | cut -d' ' -f1 > drwxr-xr-x+ $ rmdir ddd $ mkdir ddd $ chmod 0 ddd $ setfacl -a0 owner@:r:allow,group@:w:deny,group@:wx:allow ddd $ ls -ld ddd | cut -d' ' -f1 > dr----x---+ $ rmdir ddd $ mkdir ddd $ chmod 0 ddd $ setfacl -a0 owner@:r:allow,group@:w:fi:deny,group@:wx:allow ddd $ ls -ld ddd | cut -d' ' -f1 > dr---wx---+ $ rmdir ddd $ mkdir ddd $ chmod 0 ddd $ setfacl -a0 owner@:r:allow,group:43:w:deny,group:43:wx:allow ddd $ ls -ld ddd | cut -d' ' -f1 > dr--------+ $ rmdir ddd $ mkdir ddd $ chmod 0 ddd $ setfacl -a0 owner@:r:allow,user:43:w:deny,user:43:wx:allow ddd $ ls -ld ddd | cut -d' ' -f1 > dr--------+ # Test inheritance. $ rmdir ddd $ mkdir ddd $ setfacl -a0 group:43:write_data/write_acl:fin:deny,u:43:rwxp:allow ddd $ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:dn:deny ddd $ setfacl -a0 user:42:write_acl/write_owner:fi:allow ddd $ setfacl -a0 group:41:read_data/read_attributes:dni:allow ddd $ setfacl -a0 user:41:write_data/write_attributes:fn:allow ddd $ getfacl -qn ddd > user:41:-w-----A------:f--n---:allow > group:41:r-----a-------:-din---:allow > user:42:-----------Co-:f-i----:allow > user:42:r-x-----------:f-i----:allow > group:42:-w--D---------:-d-n---:deny > group:43:-w---------C--:f-in---:deny > user:43:rwxp----------:-------:allow > owner@:--------------:-------:deny > owner@:rwxp---A-W-Co-:-------:allow > group@:-w-p----------:-------:deny > group@:r-x-----------:-------:allow > everyone@:-w-p---A-W-Co-:-------:deny > everyone@:r-x---a-R-c--s:-------:allow $ cd ddd $ touch xxx $ getfacl -qn xxx > user:41:-w------------:-------:deny > user:41:-w-----A------:-------:allow > user:42:--------------:-------:deny > user:42:--------------:-------:allow > user:42:--x-----------:-------:deny > user:42:r-x-----------:-------:allow > group:43:-w---------C--:-------:deny > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow $ rm xxx $ umask 077 $ touch xxx $ getfacl -qn xxx > user:41:-w------------:-------:deny > user:41:-w-----A------:-------:allow > user:42:--------------:-------:deny > user:42:--------------:-------:allow > user:42:r-x-----------:-------:deny > user:42:r-x-----------:-------:allow > group:43:-w---------C--:-------:deny > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:rwxp----------:-------:deny > group@:--------------:-------:allow > everyone@:rwxp---A-W-Co-:-------:deny > everyone@:------a-R-c--s:-------:allow $ rm xxx $ umask 770 $ touch xxx $ getfacl -qn xxx > user:41:-w------------:-------:deny > user:41:-w-----A------:-------:allow > user:42:--------------:-------:deny > user:42:--------------:-------:allow > user:42:r-x-----------:-------:deny > user:42:r-x-----------:-------:allow > group:43:-w---------C--:-------:deny > owner@:rwxp----------:-------:deny > owner@:-------A-W-Co-:-------:allow > group@:rwxp----------:-------:deny > group@:--------------:-------:allow > everyone@:--x----A-W-Co-:-------:deny > everyone@:rw-p--a-R-c--s:-------:allow $ rm xxx $ umask 707 $ touch xxx $ getfacl -qn xxx > user:41:--------------:-------:deny > user:41:-w-----A------:-------:allow > user:42:--------------:-------:deny > user:42:--------------:-------:allow > user:42:--x-----------:-------:deny > user:42:r-x-----------:-------:allow > group:43:-w---------C--:-------:deny > owner@:rwxp----------:-------:deny > owner@:-------A-W-Co-:-------:allow > group@:--x-----------:-------:deny > group@:rw-p----------:-------:allow > everyone@:rwxp---A-W-Co-:-------:deny > everyone@:------a-R-c--s:-------:allow $ umask 077 $ mkdir yyy $ getfacl -qn yyy > group:41:r-------------:-------:deny > group:41:r-----a-------:-------:allow > user:42:-----------Co-:f-i----:allow > user:42:r-x-----------:f-i----:allow > group:42:-w--D---------:-------:deny > owner@:--------------:-------:deny > owner@:rwxp---A-W-Co-:-------:allow > group@:rwxp----------:-------:deny > group@:--------------:-------:allow > everyone@:rwxp---A-W-Co-:-------:deny > everyone@:------a-R-c--s:-------:allow $ rmdir yyy $ umask 770 $ mkdir yyy $ getfacl -qn yyy > group:41:r-------------:-------:deny > group:41:r-----a-------:-------:allow > user:42:-----------Co-:f-i----:allow > user:42:r-x-----------:f-i----:allow > group:42:-w--D---------:-------:deny > owner@:rwxp----------:-------:deny > owner@:-------A-W-Co-:-------:allow > group@:rwxp----------:-------:deny > group@:--------------:-------:allow > everyone@:-------A-W-Co-:-------:deny > everyone@:rwxp--a-R-c--s:-------:allow $ rmdir yyy $ umask 707 $ mkdir yyy $ getfacl -qn yyy > group:41:--------------:-------:deny > group:41:------a-------:-------:allow > user:42:-----------Co-:f-i----:allow > user:42:r-x-----------:f-i----:allow > group:42:-w--D---------:-------:deny > owner@:rwxp----------:-------:deny > owner@:-------A-W-Co-:-------:allow > group@:--------------:-------:deny > group@:rwxp----------:-------:allow > everyone@:rwxp---A-W-Co-:-------:deny > everyone@:------a-R-c--s:-------:allow # There is some complication regarding how write_acl and write_owner flags # get inherited. Make sure we got it right. $ setfacl -b . $ setfacl -a0 u:42:Co:f:allow . $ setfacl -a0 u:43:Co:d:allow . $ setfacl -a0 u:44:Co:fd:allow . $ setfacl -a0 u:45:Co:fi:allow . $ setfacl -a0 u:46:Co:di:allow . $ setfacl -a0 u:47:Co:fdi:allow . $ setfacl -a0 u:48:Co:fn:allow . $ setfacl -a0 u:49:Co:dn:allow . $ setfacl -a0 u:50:Co:fdn:allow . $ setfacl -a0 u:51:Co:fni:allow . $ setfacl -a0 u:52:Co:dni:allow . $ setfacl -a0 u:53:Co:fdni:allow . $ umask 022 $ rm xxx $ touch xxx $ getfacl -nq xxx > user:53:--------------:-------:deny > user:53:--------------:-------:allow > user:51:--------------:-------:deny > user:51:--------------:-------:allow > user:50:--------------:-------:deny > user:50:--------------:-------:allow > user:48:--------------:-------:deny > user:48:--------------:-------:allow > user:47:--------------:-------:deny > user:47:--------------:-------:allow > user:45:--------------:-------:deny > user:45:--------------:-------:allow > user:44:--------------:-------:deny > user:44:--------------:-------:allow > user:42:--------------:-------:deny > user:42:--------------:-------:allow > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow $ rmdir yyy $ mkdir yyy $ getfacl -nq yyy > user:53:--------------:-------:deny > user:53:--------------:-------:allow > user:52:--------------:-------:deny > user:52:--------------:-------:allow > user:50:--------------:-------:deny > user:50:--------------:-------:allow > user:49:--------------:-------:deny > user:49:--------------:-------:allow > user:47:-----------Co-:fdi----:allow > user:47:--------------:-------:deny > user:47:--------------:-------:allow > user:46:-----------Co-:-di----:allow > user:46:--------------:-------:deny > user:46:--------------:-------:allow > user:45:-----------Co-:f-i----:allow > user:44:-----------Co-:fdi----:allow > user:44:--------------:-------:deny > user:44:--------------:-------:allow > user:43:-----------Co-:-di----:allow > user:43:--------------:-------:deny > user:43:--------------:-------:allow > user:42:-----------Co-:f-i----:allow > owner@:--------------:-------:deny > owner@:rwxp---A-W-Co-:-------:allow > group@:-w-p----------:-------:deny > group@:r-x-----------:-------:allow > everyone@:-w-p---A-W-Co-:-------:deny > everyone@:r-x---a-R-c--s:-------:allow $ setfacl -b . $ setfacl -a0 u:42:Co:f:deny . $ setfacl -a0 u:43:Co:d:deny . $ setfacl -a0 u:44:Co:fd:deny . $ setfacl -a0 u:45:Co:fi:deny . $ setfacl -a0 u:46:Co:di:deny . $ setfacl -a0 u:47:Co:fdi:deny . $ setfacl -a0 u:48:Co:fn:deny . $ setfacl -a0 u:49:Co:dn:deny . $ setfacl -a0 u:50:Co:fdn:deny . $ setfacl -a0 u:51:Co:fni:deny . $ setfacl -a0 u:52:Co:dni:deny . $ setfacl -a0 u:53:Co:fdni:deny . $ umask 022 $ rm xxx $ touch xxx $ getfacl -nq xxx > user:53:-----------Co-:-------:deny > user:51:-----------Co-:-------:deny > user:50:-----------Co-:-------:deny > user:48:-----------Co-:-------:deny > user:47:-----------Co-:-------:deny > user:45:-----------Co-:-------:deny > user:44:-----------Co-:-------:deny > user:42:-----------Co-:-------:deny > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow $ rmdir yyy $ mkdir yyy $ getfacl -nq yyy > user:53:-----------Co-:-------:deny > user:52:-----------Co-:-------:deny > user:50:-----------Co-:-------:deny > user:49:-----------Co-:-------:deny > user:47:-----------Co-:fdi----:deny > user:47:-----------Co-:-------:deny > user:46:-----------Co-:-di----:deny > user:46:-----------Co-:-------:deny > user:45:-----------Co-:f-i----:deny > user:44:-----------Co-:fdi----:deny > user:44:-----------Co-:-------:deny > user:43:-----------Co-:-di----:deny > user:43:-----------Co-:-------:deny > user:42:-----------Co-:f-i----:deny > owner@:--------------:-------:deny > owner@:rwxp---A-W-Co-:-------:allow > group@:-w-p----------:-------:deny > group@:r-x-----------:-------:allow > everyone@:-w-p---A-W-Co-:-------:deny > everyone@:r-x---a-R-c--s:-------:allow $ rmdir yyy $ rm xxx $ cd .. $ rmdir ddd $ rm xxx