setfacl sucks ...

List of commands:
- mkdir T
- setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T   ## inadvertently removes "write attributes" from the file owner
- setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T   # denied
- chmod 755 T   # denied ... Euh? What?
- rmdir T
- ls -ld T

Summary: setfacl fails to reinstate 'write access' to directory (in contrast to chmod)

Diagnostics: -- request for comments (RFC)
- setfacl should NOT remove "write attributes" from the FILE OWNER (chmod does not)
  - chmod u-w ONLY
    - removes create files / create folders
    - removes write data / append data
    - removes write extended attributes
    - removes delete subfolders and files
    from the FILE OWNER
- setfacl should ALSO NOT remove delete, change permissions, take ownership from the CREATOR OWNER (chmod does not)

Also applies to setfacl -b (and setfacl -k for the file owner)

@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@ setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
setfacl: Permission denied
@@ chmod 755 T
chmod: changing permissions of ‘T’: Permission denied
@@ rmdir T
@@ ls -ld T
ls: cannot access T: No such file or directory

-----

@@# pwd # bash elevated
/drv/e
@@# mkdir T
@@# icacls T
T Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
@@# setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@# setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@# icacls T
T Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(RX,W,DC)   # <=====
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
@@#

-----
same sequence of commands, using icacls to diagnose

@@ pwd
/drv/e
@@ icacls .
. Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  Everyone:(OI)(CI)(IO)(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
@@ mkdir T
@@ icacls T
T Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
@@ setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@ icacls T
T Seven\Henri:(RX,D,WDAC,WO)   # <==== Note: lost W, but failed to get WA instead (chmod does!)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(RX,W,DC)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
@@ setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
setfacl: Permission denied
@@

-----
same sequence of commands, but now using Helge Klein's SetACL to diagnose - https://helgeklein.com/setacl

@@ pwd
/drv/e
@@ hk-getfacl.sh .
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.

E://.
   DACL(protected):
   Seven\Henri      full           allow   no_inheritance
   Seven\None       read_execute   allow   no_inheritance
   Everyone         read_execute   allow   no_inheritance
   Everyone         read_execute   allow   container_inherit+object_inherit+inherit_only
   CREATOR OWNER    full           allow   container_inherit+object_inherit+inherit_only
   CREATOR GROUP    read_execute   allow   container_inherit+object_inherit+inherit_only

SetACL finished successfully.
@@ mkdir T
@@ hk-getfacl.sh T
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.

E://T
   DACL(protected):
   Seven\Henri      full           allow   no_inheritance
   Seven\None       read_execute   allow   no_inheritance
   Everyone         read_execute   allow   no_inheritance
   CREATOR OWNER    full           allow   container_inherit+object_inherit+inherit_only
   CREATOR GROUP    read_execute   allow   container_inherit+object_inherit+inherit_only
   Everyone         read_execute   allow   container_inherit+object_inherit+inherit_only

SetACL finished successfully.
@@ setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@ hk-getfacl.sh T
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.

E://T
   DACL(protected):
   Seven\Henri      read_execute+WRITE_OWNER+WRITE_DAC+DELETE    allow   no_inheritance
   Seven\None       read_execute                                 allow   no_inheritance
   Everyone         read_execute                                 allow   no_inheritance
   CREATOR OWNER    read_execute+write+FILE_DELETE_CHILD         allow   container_inherit+object_inherit+inherit_only
   CREATOR GROUP    read_execute                                 allow   container_inherit+object_inherit+inherit_only
   Everyone         read_execute                                 allow   container_inherit+object_inherit+inherit_only

Note: Seven\Henri: lost write, but failed to get FILE_WRITE_ATTRIBUTES instead (chmod does!)

SetACL finished successfully.
@@ setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
setfacl: Permission denied
@@
=====
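As an added check (example code, not from this report or from Cygwin): a POSIX shell script that parses icacls listings like the ones above and flags the state the report shows right before the "Permission denied", where the owner's explicit ACE has lost WA (and no W/M/F that would include it). The two samples are constructed to mirror the listings before and after the first setfacl -s; the principal name Seven\Henri is taken from them.

```shell
#!/bin/sh
# Added example (not from the original report): parse icacls-style output and check
# whether the owner's explicit ACE still carries write-attributes (WA, or W/M/F which
# include it). Both samples are constructed to mirror the report's 'before' and 'after'.

ICACLS_BEFORE='T Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)'

ICACLS_AFTER='T Seven\Henri:(RX,D,WDAC,WO)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(RX,W,DC)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)'

# ace_rights PRINCIPAL OUTPUT [explicit|inherit_only]: print the rights list of
# PRINCIPAL's first matching ACE; 'explicit' (default) skips (IO) inherit-only ACEs.
ace_rights() {
    if [ "${3:-explicit}" = explicit ]; then io=-v; else io=; fi
    printf '%s\n' "$2" | grep -F -- "$1:" | grep $io -F '(IO)' |
        head -n 1 | sed 's/.*(\([^)]*\))$/\1/'
}

# has_right RIGHTS RIGHT: true if comma-separated RIGHTS contains the token RIGHT.
has_right() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# owner_keeps_write_attrs OWNER OUTPUT: true if OWNER's explicit ACE still allows
# writing attributes (WA itself, or W/M/F which include it).
owner_keeps_write_attrs() {
    rights=$(ace_rights "$1" "$2" explicit)
    for r in F M W WA; do
        has_right "$rights" "$r" && return 0
    done
    return 1
}

for label in before after; do
    if [ "$label" = before ]; then out=$ICACLS_BEFORE; else out=$ICACLS_AFTER; fi
    owner_keeps_write_attrs 'Seven\Henri' "$out" && v=keeps || v=lost
    echo "$label: owner $v write-attributes ($(ace_rights 'Seven\Henri' "$out"))"
done
```

On a live Cygwin tree, replace the samples with `icacls T` output captured after each setfacl call to see whether the owner entry is in the (RX,D,WDAC,WO) state.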