I'm probably missing something glaringly obvious..... but I can't see it.
I have an ordinary directory on FreeBSD, controlled by NFSv4 ACLs. The ACLs say I can list its contents; but I can't.
Here's the getfacl output on the problem dir and its parent + grandparent:
    # getfacl /mnt/data_dir/working_dir/
    # owner: root
    # group: wheel
    group:data_managers:-w-pDd--------:-------:deny
    everyone@:r-------------:-------:allow
    group:data_managers:rwxpDda-R-c---:fd-----:allow
    owner@:--------------:fd-----:allow
    group@:--------------:fd-----:allow
    everyone@:--x-----------:-d-----:allow

    # file: /mnt/data_dir
    # owner: root
    # group: wheel
    owner@:rwxpDdaARWcCos:fd-----:allow
    group@:rwxpDdaARWcCos:fd-----:allow
    everyone@:r-x---a-R-c---:fd-----:allow

    # file: /mnt
    # owner: root
    # group: wheel
    user::rwx
    group::r-x
    other::r-x

I log in with su -f restricted_user (the newly created account I'm having the ACL issue with). This account is not the owner of any of the relevant dirs, nor a member of wheel or data_managers, so its only rights stem from the "everyone (world)" permissions/ACLs.
    $ su -f restricted_user
    % id
    uid=1100(restricted_user) gid=65533(nogroup) groups=65533(nogroup),4003(restricted_users)
    % pwd
    /mnt/data_dir/working_dir
    % ls
    ls: .: Permission denied

I don't get it. The world permission on that dir is everyone@:r ..... (with inheritance downward to subdirs for "x" but not "r"). r should give worldwide rights to read the contents of working_dir. The account isn't a member of data_managers, and even if it were, the deny ACE isn't denying r or x. I can traverse to it, but I can't read its contents.
What have I missed?
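To make the ordered-evaluation rules that the question's reasoning relies on concrete, here is an added example (not code from the original post): a small Python model of NFSv4 ACL evaluation as specified in RFC 7530 section 6.2.1, fed the working_dir ACL and the id output copied from the question. ACEs are walked top to bottom; a requested bit is granted by the first matching ALLOW that lists it, access fails on the first matching DENY that lists a still-pending bit, and bits no ACE mentions are denied. The principal dm_user (a member of data_managers) is a hypothetical added for contrast, to show why the leading deny ACE beats the later allow for write_data. The model reproduces the poster's own reading of the ACL (everyone@ grants read_data and execute to restricted_user); it is a model of the ACE-ordering algorithm only and does not reproduce ZFS specifics such as the implicit rights ZFS gives a file's owner, nor which system calls ls(1) actually issues.

```python
"""Model of NFSv4 ACL evaluation (RFC 7530 section 6.2.1) over getfacl(1) text.

Added example, not part of the original post. The ACL text and the principal
(uid 1100, groups nogroup/restricted_users) are copied from the question;
dm_user is a hypothetical member of data_managers added for contrast.
"""
from dataclasses import dataclass

# Permission letters in the order FreeBSD getfacl(1)/setfacl(1) print them.
PERM_LETTERS = "rwxpDdaARWcCos"
PERM_NAMES = {
    "r": "read_data",        # on a directory: list its entries
    "w": "write_data",       # on a directory: create files
    "x": "execute",          # on a directory: traverse/search
    "p": "append_data",      # on a directory: create subdirectories
    "D": "delete_child", "d": "delete",
    "a": "read_attributes", "A": "write_attributes",
    "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl",
    "o": "write_owner", "s": "synchronize",
}


@dataclass(frozen=True)
class Principal:
    uid: int
    user: str
    groups: frozenset  # names of all groups the requester belongs to


@dataclass(frozen=True)
class Ace:
    who: str           # owner@, group@, everyone@, user:NAME or group:NAME
    perms: frozenset   # permission letters present in the ACE
    flags: str         # inheritance flags, e.g. "fd-----"
    kind: str          # "allow" or "deny"


def parse_getfacl(text):
    """Parse getfacl output into (owner, group, [Ace]) in on-disk order."""
    owner = group = None
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            continue  # "# file: ..." header line
        else:
            # 'who' may itself contain ':' (user:NAME), so split from the right.
            who, perms, flags, kind = line.rsplit(":", 3)
            aces.append(Ace(who, frozenset(c for c in perms if c != "-"), flags, kind))
    return owner, group, aces


def ace_applies(ace, principal, owner, group):
    """Does the ACE's 'who' match the requester for this object?"""
    if "i" in ace.flags:  # inherit_only: applies to new children, not this object
        return False
    if ace.who == "everyone@":
        return True
    if ace.who == "owner@":
        return principal.user == owner
    if ace.who == "group@":
        return group in principal.groups
    tag, name = ace.who.split(":", 1)
    if tag == "user":
        return name == principal.user
    if tag == "group":
        return name in principal.groups
    raise ValueError(f"unknown who field: {ace.who}")


def check_access(acl_text, principal, wanted):
    """Return (granted, trace) for the requested permission letters.

    Walk ACEs in order: a pending bit is granted by the first matching ALLOW
    that lists it; the first matching DENY listing a still-pending bit fails
    the whole request; bits nobody grants are denied at the end.
    """
    owner, group, aces = parse_getfacl(acl_text)
    pending, trace = set(wanted), []
    for ace in aces:
        if not pending:
            break
        if not ace_applies(ace, principal, owner, group):
            continue
        hit = pending & ace.perms
        if not hit:
            continue
        names = ",".join(PERM_NAMES[c] for c in sorted(hit, key=PERM_LETTERS.index))
        trace.append(f"{ace.kind}: {ace.who} decides {names}")
        if ace.kind == "deny":
            return False, trace
        pending -= hit
    if pending:
        trace.append("no ACE grants: " + ",".join(PERM_NAMES[c] for c in sorted(pending)))
        return False, trace
    return True, trace


# ACL of /mnt/data_dir/working_dir exactly as posted in the question.
WORKING_DIR_ACL = """\
# owner: root
# group: wheel
group:data_managers:-w-pDd--------:-------:deny
everyone@:r-------------:-------:allow
group:data_managers:rwxpDda-R-c---:fd-----:allow
owner@:--------------:fd-----:allow
group@:--------------:fd-----:allow
everyone@:--x-----------:-d-----:allow
"""

# Principal from the question's 'id' output.
RESTRICTED_USER = Principal(1100, "restricted_user", frozenset({"nogroup", "restricted_users"}))
# Hypothetical data_managers member (not in the question), for contrast.
DATA_MANAGER = Principal(1200, "dm_user", frozenset({"data_managers"}))

if __name__ == "__main__":
    for who, want in [(RESTRICTED_USER, "r"), (RESTRICTED_USER, "x"), (RESTRICTED_USER, "w"),
                      (DATA_MANAGER, "w"), (DATA_MANAGER, "r")]:
        ok, trace = check_access(WORKING_DIR_ACL, who, want)
        print(f"{who.user} wants {want!r}: {'ALLOW' if ok else 'DENY'}  <- {'; '.join(trace)}")
```

Run stand-alone, the script reports that restricted_user gets read_data from the second ACE and execute from the last one, gets nothing for write_data, and that dm_user is refused write_data by the first (deny) ACE even though the third ACE would allow it, because a deny that is reached first wins for any bit still pending.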