I ran across an interesting question in a sample exam for the RHCSA:
Configure 4 users, linus, richard, mark, and bill. Deny bill and richard access to the /cooks directory. Allow access to all other users.
Now, because that did not read “allow access to all the other users”, or “allow access to the other users mentioned in this sentence”, I took it to mean all other system users. That presents a problem: how do I allow everyone on the system but only deny two users? This doesn’t work:
[root@outsider2 /]# setfacl -m u:richard: cooks
setfacl: Option -m incomplete
Instead you can do this:
[root@outsider2 /]# setfacl -m u:richard:0 cooks
Now looking at the ACL:
[root@outsider2 /]# getfacl cooks
# file: cooks
# owner: root
# group: root
user::rwx
user:richard:---
user:bill:---
group::rwx
mask::rwx
other::rwx
And the directory listing looks as such:
[root@outsider2 /]# ls -ld cooks
drwxrwxrwx+ 3 root root 1024 Nov 3 18:48 cooks
Nifty! An implicit deny using file ACLs.
I think I read too much into the question, but pique my curiosity and I have to figure it out.
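Added example (not part of the original post): the deny works because ACL entries are evaluated in a fixed order (owner, named user, groups, other) and the first matching class decides. The Python sketch below re-implements that order over the getfacl output shown above; the function names and the users' group memberships are assumptions made for illustration.

```python
# Constructed input: the getfacl output for /cooks as shown in the post.
GETFACL = """\
# file: cooks
# owner: root
# group: root
user::rwx
user:richard:---
user:bill:---
group::rwx
mask::rwx
other::rwx
"""

def parse_getfacl(text):
    """Return owner, owning group and a list of (tag, qualifier, perms)."""
    acl = {"owner": None, "group": None, "entries": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("# owner:", "# group:")):
            key, value = line[2:].split(":", 1)
            acl[key] = value.strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")[:3]
            # perms[:3] drops a trailing "#effective:..." comment if present
            acl["entries"].append((tag, qualifier, set(perms[:3]) - {"-"}))
    return acl

def allowed(acl, user, groups, want):
    """Simplified acl(5) access check; ignores root's CAP_DAC_OVERRIDE."""
    def find(tag, qualifier):
        return [p for t, q, p in acl["entries"] if t == tag and q == qualifier]
    want = set(want)
    mask = (find("mask", "") or [set("rwx")])[0]
    if user == acl["owner"]:                      # 1. owner entry, unmasked
        return want <= find("user", "")[0]
    if find("user", user):                        # 2. named user entry, masked
        return want <= (find("user", user)[0] & mask)
    matching = [p for t, q, p in acl["entries"] if t == "group"
                and (q or acl["group"]) in groups]  # 3. owning/named groups
    if matching:
        return any(want <= (p & mask) for p in matching)
    return want <= find("other", "")[0]           # 4. everyone else

ACL = parse_getfacl(GETFACL)
```

Putting richard in a group that has access would not undo the deny, because his named user entry matches before any group entry is consulted.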