.P
If the directory containing \fIpath\fR has a default ACL, the ACL on
-\fIpath\fR is replaced with that default. Symbolic links are not
-followed.
-
+\fIpath\fR is replaced with that default. Neither symbolic nor hard
+links are followed; symbolic links are ignored in all path components
+to avoid a dangerous race condition.
.P
By default, a heuristic is used to determine whether or not the
execute bit is masked on \fIpath\fR. If \fIpath\fR is not a directory,
\fIpath\fR, then the execute bit will not masked. Otherwise, it is
left alone. In effect we pretend that the \fBx\fR permission acts like
the \fBX\fR (note the case difference) permission of \fBsetfacl\fR.
-
.P
This behavior can be modified with the \fB--no-exec-mask\fR flag.
.SH OPTIONS
-
.IP \fB\-\-recursive\fR,\ \fB\-r\fR
Apply default ACLs recursively. This works top-down, so if directory
\fBfoo\fR is in another directory \fBbar\fR which has a default ACL,
then \fBbar\fR's default ACL will be applied to \fBfoo\fR before the
contents of \fBfoo\fR are processed.
-
.IP \fB\-\-no-exec-mask\fR,\ \fB\-x\fR
Apply the default ACL literally; that is, don't use a heuristic to
decide whether or not to mask the execute bit. This usually results in
projects / apply-default-acl.git / blobdiff