Current Solaris behavior is modeled after the internet draft
http://www.ietf.org/internet-drafts/draft-ietf-nfsv4-acl-mapping-02.txt
by Marius Aamodt Eriksen and J. Bruce Fields. There may be some changes
made before Solaris 10 is shipped, to allow for better interoperability
between Solaris and other vendors.

This document describes what the Solaris NFSv4 Server will accept for
ACLs when it must map to POSIX-draft ACLs for a UFS filesystem.

1. ACE Type (acetype4 type)

The server returns NFS4ERR_ATTRNOTSUPP if it gets an ACE with one of the
following types:

    ACE4_SYSTEM_AUDIT_ACE_TYPE
    ACE4_SYSTEM_ALARM_ACE_TYPE

SUPPORTED types include:

    ACE4_ACCESS_ALLOWED_ACE_TYPE
    ACE4_ACCESS_DENIED_ACE_TYPE

2. ACE flag (aceflag4 flag)

The server returns NFS4ERR_ATTRNOTSUPP if it gets a flag with one of the
following fields set:

    ACE4_SUCCESSFUL_ACCESS_ACE_FLAG
    ACE4_FAILED_ACCESS_ACE_FLAG
    ACE4_NO_PROPAGATE_INHERIT_ACE - The current Solaris filesystem (UFS)
        is not able to turn off default ACLs at any arbitrary point in
        the tree.

SUPPORTED flags include:

    ACE4_INHERIT_ONLY_ACE
    ACE4_FILE_INHERIT_ACE
    ACE4_DIRECTORY_INHERIT_ACE
    ACE4_IDENTIFIER_GROUP

All three or NONE of the following can be set, or the server returns
NFS4ERR_ATTRNOTSUPP:

    ACE4_FILE_INHERIT_ACE
    ACE4_DIRECTORY_INHERIT_ACE
    ACE4_INHERIT_ONLY_ACE

ACE4_IDENTIFIER_GROUP is SUPPORTED and is used to tell the difference
between group and user ACEs. When (flag & ACE4_IDENTIFIER_GROUP) = 1,
'who' is a group; otherwise 'who' is a user.

3. ACE Access Mask (acemask4 access_mask)

3.1 Supported and Unsupported Masks

Any mask (DENY or ALLOW) with the following set will automatically
return NFS4ERR_ATTRNOTSUPP:

    ACE4_DELETE
    ACE4_WRITE_OWNER
    ACE4_SYNCHRONIZE *

    * This is incompatible with the internet draft for mapping between
      NFSv4 and POSIX-draft ACLs. The internet draft says that
      ACE4_SYNCHRONIZE should be present in all ALLOW ACEs.

Supported masks include:

    ACE4_READ_DATA
    ACE4_WRITE_DATA
    ACE4_APPEND_DATA
    ACE4_READ_NAMED_ATTRS
    ACE4_WRITE_NAMED_ATTRS
    ACE4_EXECUTE
    ACE4_READ_ATTRIBUTES
    ACE4_WRITE_ATTRIBUTES
    ACE4_READ_ACL
    ACE4_WRITE_ACL
    ACE4_DELETE_CHILD

3.2 Required Masks

ACE4_READ_ACL and ACE4_READ_ATTRIBUTES must be set on all ALLOW ACEs.
Additionally, if the "who" field is "OWNER@", ACE4_WRITE_ACL and
ACE4_WRITE_ATTRIBUTES must be set on ALLOW ACEs. Neither ACE4_WRITE_ACL
nor ACE4_WRITE_ATTRIBUTES may be present in an ALLOW ACE with a "who"
field other than "OWNER@". Failure to meet these requirements will
result in the server returning NFS4ERR_ATTRNOTSUPP.

3.3 Supported Combinations of Masks

Please be reminded that the following flags are equal. One defines flags
for files, the other defines flags for directories.

    ACE4_READ_DATA   = ACE4_LIST_DIRECTORY
    ACE4_WRITE_DATA  = ACE4_ADD_FILE
    ACE4_APPEND_DATA = ACE4_ADD_SUBDIRECTORY

The following tables define which combinations of access mask flags are
supported and which are not.

3.3.1 ACE4_READ_NAMED_ATTRS, ACE4_READ_ATTRIBUTES and ACE4_READ_DATA

In the table below,

    A = ACE4_READ_ATTRIBUTES
    N = ACE4_READ_NAMED_ATTRS
    D = ACE4_READ_DATA

The values that are given represent the presence or absence of the mask
in an ALLOW ACE.

                    D = 0                      D = 1
    ---------------------------------------------------------------
    N = 0 / A = 0   NFS4ERR_ATTRNOTSUPP (1)    NFS4ERR_ATTRNOTSUPP (2)
    ---------------------------------------------------------------
    N = 0 / A = 1   SUPPORTED (3)              NFS4ERR_ATTRNOTSUPP (4)
    ---------------------------------------------------------------
    N = 1 / A = 0   NFS4ERR_ATTRNOTSUPP (4)    NFS4ERR_ATTRNOTSUPP (1)
    ---------------------------------------------------------------
    N = 1 / A = 1   NFS4ERR_ATTRNOTSUPP (4)    SUPPORTED

    (1) This is not supported because ACE4_READ_ATTRIBUTES is false and,
        as the I-D says, every ACE must have ACE4_READ_ATTRIBUTES and
        ACE4_READ_ACL set.
    (2) In UNIX/POSIX there is no way to enforce this. You can't not
        have read permissions on the attributes of a file, but have
        read permissions on the data.
    (3) An example of this is that a regular user doesn't have read
        permissions on /etc/shadow, but ls -l still works.
    (4) In Solaris UFS, the authority to read named attributes is the
        same as the authority to read the file data.

In summary, these combinations are SUPPORTED:

    ACE4_READ_NAMED_ATTRS=0 ACE4_READ_ATTRIBUTES=1 ACE4_READ_DATA=0
  and
    ACE4_READ_NAMED_ATTRS=1 ACE4_READ_ATTRIBUTES=1 ACE4_READ_DATA=1

Any other combination of these three masks will fail with
NFS4ERR_ATTRNOTSUPP.

3.3.2 ACE4_WRITE_DATA and ACE4_APPEND_DATA

These two masks must always be ALLOWED together or DENIED together. Any
mismatch will fail with NFS4ERR_ATTRNOTSUPP.

3.3.3 ACE4_WRITE_NAMED_ATTRS, ACE4_WRITE_ATTRIBUTES and ACE4_WRITE_DATA

In the table below,

    A = ACE4_WRITE_ATTRIBUTES
    N = ACE4_WRITE_NAMED_ATTRS
    D = ACE4_WRITE_DATA

The values that are given represent the presence or absence of the mask
in an ALLOW ACE.

                    D = 0                       D = 1
    --------------------------------------------------------------
    N = 0 / A = 0   if who == "OWNER@" (1)      NFS4ERR_ATTRNOTSUPP (1,2)
                        NFS4ERR_ATTRNOTSUPP
                    else
                        SUPPORTED
    --------------------------------------------------------------
    N = 0 / A = 1   if who == "OWNER@" (3)      NFS4ERR_ATTRNOTSUPP (2,3)
                        SUPPORTED
                    else
                        NFS4ERR_ATTRNOTSUPP
    --------------------------------------------------------------
    N = 1 / A = 0   NFS4ERR_ATTRNOTSUPP (2)     if who == "OWNER@" (1)
                                                    NFS4ERR_ATTRNOTSUPP
                                                else
                                                    SUPPORTED
    --------------------------------------------------------------
    N = 1 / A = 1   NFS4ERR_ATTRNOTSUPP (2)     if who == "OWNER@" (3)
                                                    SUPPORTED
                                                else
                                                    NFS4ERR_ATTRNOTSUPP

    (1) The owner of the file cannot be denied the ability to write
        basic attributes.
    (2) In Solaris UFS, the authority to write named attributes is the
        same as the authority to write the file data.
    (3) The ability to write basic attributes cannot be given to any
        users (or groups) besides the owner of the file.

3.4 Converting masks into POSIX mode bits

If an ALLOW ACE contains ACE4_READ_DATA and ACE4_READ_NAMED_ATTRS, we
set the read bit (04).

If an ALLOW ACE contains ACE4_WRITE_DATA, ACE4_APPEND_DATA, and
ACE4_WRITE_NAMED_ATTRS, we set the write bit (02). If the object is a
directory, we also require ACE4_DELETE_CHILD.

If an ALLOW ACE contains ACE4_EXECUTE, we set the execute bit (01).

4. ACE who (utf8string who)

Return NFS4ERR_ATTRNOTSUPP if we get an ACE with any of the following
who values:

    "INTERACTIVE@"
    "NETWORK@"
    "DIALUP@"
    "BATCH@"
    "ANONYMOUS@"
    "AUTHENTICATED@"
    "SERVICE@"

Supported special identifiers for the ACE who field:

    "OWNER@"
    "GROUP@"
    "EVERYONE@"

5. ACE ordering

ACEs must be received in an order compatible with the document
"draft-ietf-nfsv4-acl-mapping-02.txt". An ACL containing ACEs in an
incompatible order will result in the server returning
NFS4ERR_ATTRNOTSUPP.

It is also required that the masks on the ALLOW ACEs and the DENY ACEs
be complementary with respect to the supported masks, which are listed
earlier in this document. An exception would be that an ACL applied to
something other than a directory should not have ACE4_DELETE_CHILD on
either its ALLOW ACEs or its DENY ACEs.
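As an added worked example (not part of this document or of the Solaris server code), the per-ACE acceptance rules of sections 1 through 3.3 and the mode-bit mapping of section 3.4, expressed in Python: violations() returns the rules an ACE breaks (empty when the server would accept it) and mode_bits() gives the rwx bits an accepted ALLOW ACE contributes. The acetype4/aceflag4/acemask4 bit values are those of RFC 3530; the function and constant names are this example's own, and the section 5 ordering and ALLOW/DENY complementarity checks are not modelled.

```python
# Added example, not Solaris code: apply the acceptance rules of sections 1-3.3 (and section
# 5's DELETE_CHILD rule) to one ACE and map it to the 3.4 mode bits.  Bit values: RFC 3530.
from enum import IntFlag
class Mask(IntFlag):
    READ_DATA = 0x1; WRITE_DATA = 0x2; APPEND_DATA = 0x4; READ_NAMED_ATTRS = 0x8
    WRITE_NAMED_ATTRS = 0x10; EXECUTE = 0x20; DELETE_CHILD = 0x40; READ_ATTRIBUTES = 0x80
    WRITE_ATTRIBUTES = 0x100; DELETE = 0x10000; READ_ACL = 0x20000; WRITE_ACL = 0x40000
    WRITE_OWNER = 0x80000; SYNCHRONIZE = 0x100000

class Flag(IntFlag):
    FILE_INHERIT = 0x1; DIRECTORY_INHERIT = 0x2; NO_PROPAGATE_INHERIT = 0x4
    INHERIT_ONLY = 0x8; SUCCESSFUL_ACCESS = 0x10; FAILED_ACCESS = 0x20
    IDENTIFIER_GROUP = 0x40

ALLOWED, DENIED = 0, 1      # acetype4; AUDIT (2) and ALARM (3) are rejected
UNSUPPORTED_WHO = {"INTERACTIVE@", "NETWORK@", "DIALUP@", "BATCH@",
                   "ANONYMOUS@", "AUTHENTICATED@", "SERVICE@"}
INHERIT = Flag.FILE_INHERIT | Flag.DIRECTORY_INHERIT | Flag.INHERIT_ONLY
def has(mask, bits):
    return mask & bits == bits

def violations(ace_type, flag, mask, who, is_dir):
    """Rules this ACE breaks; the server returns NFS4ERR_ATTRNOTSUPP if any."""
    owner = who == "OWNER@"
    rules = [   # (accepted?, rule) checked for ALLOW and DENY ACEs alike
        (ace_type in (ALLOWED, DENIED), "section 1: audit/alarm ACE type"),
        (not flag & (Flag.SUCCESSFUL_ACCESS | Flag.FAILED_ACCESS
                     | Flag.NO_PROPAGATE_INHERIT), "section 2: unsupported flag"),
        (flag & INHERIT in (0, INHERIT), "section 2: inherit flags all three or none"),
        (not mask & (Mask.DELETE | Mask.WRITE_OWNER | Mask.SYNCHRONIZE), "3.1: mask"),
        (has(mask, Mask.WRITE_DATA) == has(mask, Mask.APPEND_DATA), "3.3.2: write/append"),
        (who not in UNSUPPORTED_WHO, "section 4: unsupported who"),
        (is_dir or not mask & Mask.DELETE_CHILD, "section 5: DELETE_CHILD on a file"),
    ]
    if ace_type == ALLOWED:   # 3.2, 3.3.1 and 3.3.3 constrain ALLOW ACEs only
        rules += [
            (has(mask, Mask.READ_ACL | Mask.READ_ATTRIBUTES), "3.2: READ_ACL/ATTRIBUTES"),
            (has(mask, Mask.WRITE_ACL) == owner, "3.2: WRITE_ACL is for OWNER@ only"),
            (has(mask, Mask.WRITE_ATTRIBUTES) == owner, "3.3.3: only OWNER@ writes attrs"),
            (has(mask, Mask.READ_NAMED_ATTRS) == has(mask, Mask.READ_DATA), "3.3.1"),
            (has(mask, Mask.WRITE_NAMED_ATTRS) == has(mask, Mask.WRITE_DATA), "3.3.3"),
        ]
    return [rule for ok, rule in rules if not ok]

def mode_bits(mask, is_dir):   # section 3.4: rwx bits an accepted ALLOW ACE maps to
    write = Mask.WRITE_DATA | Mask.APPEND_DATA | Mask.WRITE_NAMED_ATTRS
    write |= Mask.DELETE_CHILD if is_dir else 0
    return ((4 if has(mask, Mask.READ_DATA | Mask.READ_NAMED_ATTRS) else 0)
            | (2 if has(mask, write) else 0) | (1 if has(mask, Mask.EXECUTE) else 0))
```

Note that on a directory the write bit is only produced when ACE4_DELETE_CHILD is present as well, so an otherwise complete write mask maps to r-x there.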