You can change the mask with the following command:

setfacl -m m:rwx filename/directory 

If I understand well your question, user ola is creating files in directory: /omega/olabooktmp/gettaxi

and you want to restrict access to thoses files, but granting access to user uber.

Note: /omega/olabooktmp/gettaxi is owned by ola

Lets start without ACL yet:

ls -ld /omega/olabooktmp/gettaxi drwxr-x--- 2 ola ola 4096 mars 21 08:16 /omega/olabooktmp/gettaxi 

In order to grant rwx permission to uber using ACL you can use:

setfacl -m u:uber:rwx,d:u:uber:rwX,o:--- /omega/olabooktmp/gettaxi 

Which will allow user uber rights rwx on folder /omega/olabooktmp/gettaxi, and also grant rwx as default the d: and X. It grants permission on files previously presents in the folder and give inherited grants to file. And also remove other all permission to other for restriction, of course. Owner still have its own permission.

The result:

getfacl /omega/olabooktmp/gettaxi getfacl: Removing leading '/' from absolute path names # file: omega/olabooktmp/gettaxi # owner: ola # group: ola user::rwx user:uber:rwx group::r-x mask::rwx other::--- default:user::rwx default:user:uber:rwx default:group::r-x default:mask::rwx default:other::--- 

Testing:

ola creates some files (run as root):

su - ola -c "for i in {1..3}; do date > /omega/olabooktmp/gettaxi/$RANDOM; done" 

Result:

ls -l /omega/olabooktmp/gettaxi/ total 32 -rw-r----- 1 ola users 32 mars 21 08:43 17606 -rw-r----- 1 ola users 32 mars 21 08:43 22286 -rw-r----- 1 ola users 32 mars 21 08:42 31484 -rw-r----- 1 ola users 32 mars 21 08:43 31848 -rw-r----- 1 ola users 32 mars 21 08:42 667 -rw-r----- 1 ola users 4 mars 21 08:16 one -rw-r----- 1 ola users 6 mars 21 08:16 three -rw-r----- 1 ola users 4 mars 21 08:16 two 

Can't be accessed by a normal user (run as root):

su - debian -c "ls -l /omega/olabooktmp/gettaxi" ls: cannot open directory '/omega/olabooktmp/gettaxi': Permission denied 

But uber can (run as root):

su - uber -c "ls -l /omega/olabooktmp/gettaxi" total 32 -rw-r----- 1 ola users 32 Mar 21 08:43 17606 -rw-r----- 1 ola users 32 Mar 21 08:43 22286 -rw-r----- 1 ola users 32 Mar 21 08:42 31484 -rw-r----- 1 ola users 32 Mar 21 08:43 31848 -rw-r----- 1 ola users 32 Mar 21 08:42 667 -rw-r----- 1 ola users 4 Mar 21 08:16 one -rw-r----- 1 ola users 6 Mar 21 08:16 three -rw-r----- 1 ola users 4 Mar 21 08:16 two 

If you mangle your ACL with some tests, you can remove all acl with:

setfacl -R -b /omega/olabooktmp/gettaxi 

And start again.

Yes the mask is lowering the permissions. The effective permission is the and of a permission and the mask. (user:: (the owning user), and other are not affected by the mask).

You can change the mask with: e.g. setfacl -m m:r-x file-name.

When you do an ls -l, if the mode ends with a +, then the middle mode bits (traditionally the group bits), are the mask.

Sometimes the mode bits are set according to the group bits in umask. I have not yet worked out the rules, as to when this happens, and when the default mask is used. Using cp to copy a file, seems to use the umask.

A workaround

Ensure that users have there own group, and that this is set to the default group. Then set the umask to 007.

I suspect the behavior is a bug. I posted on this last month (see unix.stackexchange.com/questions/570795). What is happening is that the file permissions on the source file are being copied into the acl mask by the cp command. This is what I would have expected for cp -p, not cp. I found that I can do copies by using cat

cat afile > bfile 

or by piping through tar

(cd A; tar -cf -)|(cd B; tar-xf -)

And the acls are respected as expected.

I also put up a bounty to have this cp behavior explained. No one explained it. I'm thinking of filing a bug report. I.e. that this should be the ´cp -p´ behavior, not the vanilla cp behavior. (And the system deducted the bounty points even though no one could provide an answer. I was surprised by that also.)