According to the Netatalk documentation, when LDAP is set up and a directory user has his permissions read by the Netatalk server, the folder's or file's ACLs take precedence over POSIX/Unix permissions.
Running Netatalk under macOS Big Sur, if a directory group or directory user encounters a file or a folder on the AFP share with an ACL with a "deny" set against that group or user, but a POSIX/Unix permission of 777, the file will be invisible to the user or group, which is the expected behavior. In this instance ACLs DO take precedence over POSIX permissions.
However, if a directory group or directory user encounters a folder on the AFP share with an ACL with an "Allow" Read/Write set for that group or user, but a POSIX/Unix permission of 770, the folder will be invisible to the user or group, which is not the expected behavior. ACLs DON'T take precedence over POSIX permissions.
ACL precedence fails for folders, but works partially for files:
Additionally, if a directory group or directory user encounters a FOLDER on the AFP share with an ACL with an "Allow" Read/Write set for that group or user, but a POSIX/Unix permission of 774, the folder will not allow any new files to be created inside it; however, existing files can be deleted and renamed AND new folders can be created, which is not the expected behavior. In regards to files with the ACL set to "Allow" Read/Write for that group or user and a POSIX/Unix permission of 770, the ACL takes precedence and the file is readable and changeable by the network user, yet the preview for the file fails in macOS Finder.
afpd 3.1.14 - Apple Filing Protocol (AFP) daemon of Netatalk
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version. Please see the file COPYING for further information and details.
afpd has been compiled with support for these features:
AFP versions: 2.2 3.0 3.1 3.2 3.3 3.4
CNID backends: dbd last tdb mysql
Zeroconf support: mDNSResponder
Admin group support: Yes
Valid shell checks: Yes
EA support: ad | sys
ACL support: Yes
LDAP support: Yes
D-Bus support: Yes
Spotlight support: Yes
Server messages path: /usr/local/var/netatalk/msg/
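The report above contrasts two possible rules for combining POSIX mode bits with ACL entries: the documented one, where a matching ACL entry decides and the mode bits are only a fallback, and the observed folder behaviour, where the mode bits must allow the operation and an ACL "allow" cannot widen them. The following model is an added example and is not Netatalk code; it does not read a real filesystem, and the principal "alice", the group "staff", the owner "root:wheel" and the scenario labels are constructed for illustration. It evaluates the three folder scenarios from the report under both rules, which makes it easy to see which rule reproduces each observation (it models read/write visibility only, not the delete/rename anomaly on the 774 folder).

```python
"""Model of two precedence rules between POSIX mode bits and ACL entries (illustrative, not Netatalk code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset          # group names the principal belongs to


@dataclass(frozen=True)
class AclEntry:
    kind: str                  # "allow" or "deny"
    who: tuple                 # ("user", name) or ("group", name)
    perms: frozenset           # subset of {"r", "w", "x"}


@dataclass
class Node:
    owner: str
    group: str
    mode: int                  # POSIX mode bits, e.g. 0o770
    acl: list = field(default_factory=list)


def posix_perms(node, who):
    """Classic owner/group/other class selection on the mode bits."""
    if who.name == node.owner:
        bits = (node.mode >> 6) & 0o7
    elif node.group in who.groups:
        bits = (node.mode >> 3) & 0o7
    else:
        bits = node.mode & 0o7
    return frozenset(p for p, mask in (("r", 4), ("w", 2), ("x", 1)) if bits & mask)


def entry_matches(entry, who):
    kind, name = entry.who
    return (kind == "user" and name == who.name) or (kind == "group" and name in who.groups)


def acl_verdict(node, who):
    """Collect what matching ACL entries explicitly allow and deny."""
    allowed, denied = set(), set()
    for entry in node.acl:
        if entry_matches(entry, who):
            (allowed if entry.kind == "allow" else denied).update(entry.perms)
    return frozenset(allowed), frozenset(denied)


def effective_perms(node, who, policy):
    posix = posix_perms(node, who)
    allowed, denied = acl_verdict(node, who)
    if policy == "acl_precedence":
        # Documented rule: if any ACL entry names the principal, the ACL decides
        # and the mode bits are not consulted; a deny always beats an allow.
        if allowed or denied:
            return allowed - denied
        return posix
    if policy == "posix_and_acl":
        # Observed folder behaviour: the mode bits must allow the operation AND
        # no ACL entry may deny it; an ACL "allow" cannot widen the mode bits.
        return posix - denied
    raise ValueError(f"unknown policy {policy!r}")


# Constructed principal: a directory user who is in "staff" but not in the owning group "wheel".
ALICE = Principal("alice", frozenset({"staff"}))


def build_scenarios():
    """The three folder cases from the report, with constructed owner/group values."""
    allow_rw = AclEntry("allow", ("user", "alice"), frozenset({"r", "w"}))
    deny_all = AclEntry("deny", ("user", "alice"), frozenset({"r", "w", "x"}))
    return {
        "dir 777 + deny": Node("root", "wheel", 0o777, [deny_all]),
        "dir 770 + allow rw": Node("root", "wheel", 0o770, [allow_rw]),
        "dir 774 + allow rw": Node("root", "wheel", 0o774, [allow_rw]),
    }


def compare_policies(who=ALICE):
    """Return {scenario: {policy: (visible, writable)}} for both precedence rules."""
    out = {}
    for label, node in build_scenarios().items():
        out[label] = {}
        for policy in ("acl_precedence", "posix_and_acl"):
            perms = effective_perms(node, who, policy)
            out[label][policy] = ("r" in perms, "w" in perms)
    return out


if __name__ == "__main__":
    for label, results in compare_policies().items():
        print(label)
        for policy, (visible, writable) in results.items():
            print(f"  {policy:15s} visible={visible!s:5} writable={writable}")
```

Run as-is, the "dir 770 + allow rw" row comes out visible under `acl_precedence` and invisible under `posix_and_acl`, which is exactly the discrepancy the report describes for folders; the "dir 774 + allow rw" row is readable but not writable under `posix_and_acl`, matching the "no new files can be created" observation. When diagnosing a share, comparing the server's actual answer against these two columns tells you which rule the server is applying for that object type.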
Hyperblue changed the title from "ACLs "Allow" Don't take precedence over POSIX permissions - ACLs "Deny" DO take precedence over POSIX permissions" to "ACLs "Allow" Only take precedence over POSIX permissions for Files BUT Not Folders - ACLs "Deny" DO take precedence over POSIX permissions" on Mar 20, 2023.