
ACL Entry Types for Masks

Masks in ACL entries establish the maximum permissions that can be granted to a principal. There are two masks: the mask_obj mask and the unauthenticated mask. Only permissions that appear in both the matching ACL entry and the mask are granted. For example, if the ACL entry specifies rwx permissions and the mask specifies only the x permission, the entry's permissions are ANDed with the mask and only the x permission is granted.

The mask_obj mask, if it exists, applies to all entry types except user_obj and other_obj. The unauthenticated mask applies only to unauthenticated principals. As the ACL manager derives a principal's permissions from the ACL entries, it takes the first matching entry, filters its permissions through the mask_obj mask (if one exists and the entry type is not one of the two exempt types), and, for an unauthenticated principal, filters the result through the unauthenticated mask. The manager grants only those permissions that are present in the first matching entry, in the mask_obj mask, and, for unauthenticated principals, in the unauthenticated mask.

Note: If you do not create an unauthenticated mask, unauthenticated principals are denied all access to objects. If a user is unauthenticated because that user has no DCE credentials, the only entry that user can match is the any_other entry type, which is filtered through the mask_obj mask (if one exists) and then through the unauthenticated mask. This means that, for such unauthenticated users to have any access to an object, the object's ACL must contain both an any_other entry and an unauthenticated mask entry, and the permissions they want must appear in all of them.

An example of mask usage follows. For a particular object, a large number of ACL entries grant rw access to that object. You need to restrict access to read-only temporarily, but do not want to change every ACL entry. Creating a mask_obj mask of r, and removing it when you are done, provides the temporary restriction. Note that the mask_obj mask does not affect entries of type user_obj or other_obj, so the object owner's permissions (and those granted by an other_obj entry) are not restricted by it; if those must also be reduced, the entries themselves have to be changed.
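The evaluation rule described above (first matching entry, AND with mask_obj unless the entry type is exempt, AND with the unauthenticated mask for principals without credentials) is small enough to model in a few lines. The following is an added example written for this page, not DCE code. It assumes a fixed matching order (user_obj, user, group_obj, group, other_obj, any_other), that the first matching entry wins, and only the r, w and x permission bits; the ACL, principals and names (alice, bob, dev, and so on) are constructed for the illustration. It reproduces the rwx-masked-by-x case, the denied-when-no-unauthenticated-mask case from the Note, and the temporary read-only restriction from the last paragraph.

```python
# Added example (not DCE code): model of DCE-style ACL mask evaluation.
# Assumptions: fixed match order below, first match wins, r/w/x bits only.

PERM_BITS = {"r": 1, "w": 2, "x": 4}

# Entry types the page says mask_obj does NOT apply to.
MASK_OBJ_EXEMPT = {"user_obj", "other_obj"}

# Order in which entry types are checked for a match (assumed order).
MATCH_ORDER = ["user_obj", "user", "group_obj", "group", "other_obj", "any_other"]


def to_bits(perms):
    """'rwx' -> 7; None (mask absent) -> None."""
    if perms is None:
        return None
    return sum(PERM_BITS[c] for c in perms)


def to_str(bits):
    """7 -> 'rwx'; 0 -> '' (no access)."""
    return "".join(c for c, b in PERM_BITS.items() if bits & b)


def entry_matches(etype, key, acl, principal):
    """Decide whether one ACL entry applies to the principal.

    A principal without DCE credentials matches only any_other (see the Note).
    """
    if not principal["authenticated"]:
        return etype == "any_other"
    if etype == "user_obj":
        return principal["name"] == acl["owner"]
    if etype == "user":
        return principal["name"] == key
    if etype == "group_obj":
        return acl["group_owner"] in principal["groups"]
    if etype == "group":
        return key in principal["groups"]
    # other_obj and any_other match every authenticated principal
    return etype in ("other_obj", "any_other")


def first_matching_entry(acl, principal):
    """Return (entry type, perms) of the first matching entry, or None."""
    for wanted in MATCH_ORDER:
        for etype, key, perms in acl["entries"]:
            if etype == wanted and entry_matches(etype, key, acl, principal):
                return etype, perms
    return None


def effective_perms(acl, principal):
    """Permissions actually granted, as a string such as 'rw' ('' = none)."""
    match = first_matching_entry(acl, principal)
    if match is None:
        return ""
    etype, perms = match
    bits = to_bits(perms)
    mask_obj = to_bits(acl.get("mask_obj"))
    if mask_obj is not None and etype not in MASK_OBJ_EXEMPT:
        bits &= mask_obj                  # AND with mask_obj
    if not principal["authenticated"]:
        unauth = to_bits(acl.get("unauthenticated"))
        if unauth is None:
            return ""                     # no unauthenticated mask: deny all
        bits &= unauth                    # AND with the unauthenticated mask
    return to_str(bits)


# Constructed sample ACL: several entries grant rw; a mask_obj of r makes the
# object temporarily read-only for every non-exempt entry type.
SAMPLE_ACL = {
    "owner": "alice",
    "group_owner": "admins",
    "entries": [
        ("user_obj", "", "rwx"),
        ("user", "bob", "rw"),
        ("group", "dev", "rw"),
        ("other_obj", "", "r"),
        ("any_other", "", "rw"),
    ],
    "mask_obj": "r",
    "unauthenticated": None,   # absent: unauthenticated principals get nothing
}


def principal(name, groups=(), authenticated=True):
    """Constructed principal record used by the model."""
    return {"name": name, "groups": set(groups), "authenticated": authenticated}


if __name__ == "__main__":
    for p in (principal("alice"), principal("bob"), principal("carol", {"dev"}),
              principal("dave"), principal("anon", authenticated=False)):
        print(p["name"], "->", repr(effective_perms(SAMPLE_ACL, p)))
```

Running the block shows alice (owner, user_obj) keeping rwx because user_obj is exempt from mask_obj, bob and the dev group reduced from rw to r, and the unauthenticated principal getting nothing until an unauthenticated mask is added; removing the mask_obj key restores rw for bob without touching any entry.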