POSIX ACL Rules

As all POSIX creation calls specify a default mode_t (created permissions) argument, then the most restrictive set of inherited and requested permissions is used on creation of a filesystem object.
When the chmod call changes group permissions, then the change is applied to the mask if the object has an ACL.
- This ensures users using non ACL-aware tools don't grant more access than they intended to users or groups with existing ACL entries.

As all POSIX creation calls specify a default mode_t (created permissions) argument, then the most restrictive set of inherited and requested permissions is used on creation of a filesystem object.