Although no permissions were removed from the ACL entry of the group class,the mask entry was modified to mask permissions not set in mode.This approach ensures the smooth interaction of applications, such as compilers,with ACLs. You can create files with restricted access permissions and subsequentlymark them as executable. The mask mechanism guarantees that the right usersand groups can execute them as desired.10.4.4 The ACL Check AlgorithmA check algorithm is applied before any process or application is granted access to anACL-protected file system object. As a basic rule, the ACL entries are examined in thefollowing sequence: owner, named user, owning group or named group, and other. Theaccess is handled in accordance with the entry that best suits the process. Permissionsdo not accumulate.Things are more complicated if a process belongs to more than one group and wouldpotentially suit several group entries. An entry is randomly selected from the suitableentries with the required permissions. It is irrelevant which of the entries triggers thefinal result “access granted”. Likewise, if none of the suitable group entries containsthe required permissions, a randomly selected entry triggers the final result “accessdenied”.10.5 ACL Support in ApplicationsACLs can be used to implement very complex permission scenarios that meet the re-quirements of modern applications. The traditional permission concept and ACLs canbe combined in a smart manner. The basic file commands (cp, mv, ls, etc.) supportACLs, as do Samba and Konqueror.Unfortunately, many editors and file managers still lack ACL support. When copyingfiles with Emacs, for instance, the ACLs of these files are lost. When modifying fileswith an editor, the ACLs of files are sometimes preserved and sometimes not, dependingon the backup mode of the editor used. If the editor writes the changes to the originalfile, the access ACL is preserved. If the editor saves the updated contents to a new filethat is subsequently renamed to the old filename, the ACLs may be lost, unless the ed-142 Security Guide