
2008-02-27

Access Control List on Linux

The ACL implementation on Linux essentially follows IEEE 1003.1e draft 17 (the "POSIX.1e" draft). That draft was withdrawn before it ever became a standard, so the ACL implementations of the various Unix systems differ from one another in varying degrees, and the prospects for convergence are bleak. On Linux the ACL support lives in the layer between the kernel and user space (the kernel stores and enforces the entries; libacl and the setfacl/getfacl tools manipulate them), so it depends on broad support from applications; its significance is more a matter of adoption than of technology. In practice this shows up whenever files are copied or archived: cp, tar and rsync preserve ACLs only when asked to (cp -p or --preserve=mode, tar --acls, rsync -A), otherwise the extra entries are silently dropped.

The -m and -x options of setfacl are not strictly symmetric operations: -m modifies ACL entries, while -x removes them. The former covers both "change" and "add" (an entry that does not exist yet is created, an existing one is overwritten), the latter only "remove". Two points in the setfacl manual page about the -x operation deserve attention:
  1. The -x (--remove) and -X (--remove-file) options remove ACL entries. Only ACL entries without the perms field are accepted as parameters, unless POSIXLY_CORRECT is defined.

  2. AUTOMATICALLY CREATED ENTRIES
    Initially, files and directories contain only the three base ACL entries for the owner, the group, and others. There are some rules that need to be satisfied in order for an ACL to be valid:
    1) The three base entries cannot be removed. There must be exactly one entry of each of these base entry types.
The second point means that the -x option cannot be applied to the entries user::, group:: and other::; those three can only be adjusted with -m (or with plain chmod), never deleted. The first point means that -x takes the entry without its permission field, for example u:alice rather than u:alice:rw.
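The following script is an added example, not part of the original post: it walks through the -m / -x asymmetry on a scratch file and checks each observation against the rules quoted above. It assumes the acl user-space tools (setfacl, getfacl) are installed and that the filesystem behind TMPDIR was mounted with ACL support; the numeric UID 12345 is an arbitrary choice for the demonstration and does not need to exist on the system.

```shell
#!/bin/sh
# Added example (not from the original post): exercises the -m / -x
# asymmetry of setfacl on a scratch file. Assumes the acl tools (setfacl,
# getfacl) and an ACL-capable filesystem. UID 12345 is an arbitrary id
# chosen for the demo; getfacl --numeric keeps the output stable even if
# no such user exists.
set -u

DEMO_UID=12345

# acl_supported: probe whether the filesystem behind TMPDIR accepts POSIX ACLs
acl_supported() {
    p=$(mktemp) || return 1
    setfacl -m "u:$DEMO_UID:r" "$p" >/dev/null 2>&1
    rc=$?
    rm -f "$p"
    return $rc
}

# acl_entry FILE PATTERN: succeed if getfacl lists a line starting with PATTERN
acl_entry() {
    getfacl --omit-header --numeric "$1" 2>/dev/null | grep -q "^$2"
}

# run_demo: add, change and remove a named-user entry, then try the two
# operations the manual says must fail. Returns 0 when every observation
# matches the rules quoted from the setfacl manual.
run_demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/secret.txt"
    : > "$f" && chmod 640 "$f" || return 1

    # 1. -m on an entry that does not exist yet is an "add". A mask entry is
    #    created automatically because a named user entry now exists.
    setfacl -m "u:$DEMO_UID:rw" "$f" || return 1
    acl_entry "$f" "user:$DEMO_UID:rw-" || return 1
    acl_entry "$f" "mask::rw-" || return 1

    # 2. -m on the same entry is a "change": permissions are replaced and
    #    there is still exactly one entry for this user.
    setfacl -m "u:$DEMO_UID:r" "$f" || return 1
    acl_entry "$f" "user:$DEMO_UID:r--" || return 1
    n=$(getfacl --omit-header --numeric "$f" | grep -c "^user:$DEMO_UID:")
    [ "$n" -eq 1 ] || return 1

    # 3. -x with a perms field is rejected (unless POSIXLY_CORRECT is set)
    #    and the entry is left untouched.
    if setfacl -x "u:$DEMO_UID:r" "$f" 2>/dev/null; then return 1; fi
    acl_entry "$f" "user:$DEMO_UID:r--" || return 1

    # 4. -x without perms removes the entry.
    setfacl -x "u:$DEMO_UID" "$f" || return 1
    if acl_entry "$f" "user:$DEMO_UID:"; then return 1; fi

    # 5. The three base entries cannot be removed; setfacl refuses each one
    #    and the entries set by chmod 640 survive.
    for base in u:: g:: o::; do
        if setfacl -x "$base" "$f" 2>/dev/null; then return 1; fi
    done
    acl_entry "$f" "user::rw-" || return 1
    acl_entry "$f" "group::r--" || return 1
    acl_entry "$f" "other::---" || return 1

    rm -rf "$dir"
    echo "all setfacl observations match the manual"
    return 0
}

if command -v setfacl >/dev/null 2>&1 && acl_supported; then
    run_demo
else
    echo "setfacl missing or filesystem without ACL support; nothing to demonstrate" >&2
fi
```

Run it on any Linux box with the acl package installed; if a step disagrees with the expectation the function returns 1 at that step, which is the quickest way to see how a particular setfacl build or filesystem deviates from the manual text.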
