On Thu, May 02, 2019 at 05:08:14PM +0200, Andreas Grünbacher wrote: > You'll still see permissions that differ from what the filesystem > enforces, and copy-up would change that behavior. That's always true, and this issue isn't really specific to NFSv4 ACLs (or ACLs at all), it already exists with just mode bits. The client doesn't know how principals may be mapped on the server, doesn't know group membership, etc. That's the usual model, anyway. Permissions are almost entirely the server's responsibility, and we just provide a few attributes to set/get those server-side permissions. The overlayfs/NFS case is different, I think: the nfs filesystem may be just a static read-only template for a filesystem that's only ever used by clients, and for all I know maybe permissions should only be interpreted on the client side in that case. --b.
