Title: Check whether a user has rwx permissions on a file
Time: 2023-09-14
When only DAC is enabled on Linux, this usually means UGO plus the ACL extension
https://hu60.cn/q.php/bbs.topic.105330.html
ACCESS CHECK ALGORITHM
A process may request read, write, or execute/search access to a file object protected by an ACL. The access check algorithm determines whether access to the object will be granted.

1. If the effective user ID of the process matches the user ID of the file object owner, then
       if the ACL_USER_OBJ entry contains the requested permissions, access is granted,
       else access is denied.
2. else if the effective user ID of the process matches the qualifier of any entry of type ACL_USER, then
       if the matching ACL_USER entry and the ACL_MASK entry contain the requested permissions, access is granted,
       else access is denied.
3. else if the effective group ID or any of the supplementary group IDs of the process match the file group or the qualifier of any entry of type ACL_GROUP, then
       if the ACL contains an ACL_MASK entry, then
           if the ACL_MASK entry and any of the matching ACL_GROUP_OBJ or ACL_GROUP entries contain the requested permissions, access is granted,
           else access is denied.
       else (note that there can be no ACL_GROUP entries without an ACL_MASK entry)
           if the ACL_GROUP_OBJ entry contains the requested permissions, access is granted,
           else access is denied.
4. else if the ACL_OTHER entry contains the requested permissions, access is granted.
5. else access is denied.
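
The algorithm quoted above, as an added example that is not part of the original post: it evaluates the five steps over a getfacl-style short-text ACL. The names `parse_acl`, `acl_allows` and `SAMPLE_ACL` are hypothetical, all IDs and ACL values are constructed, the ACL is assumed to be valid, and capability overrides such as CAP_DAC_OVERRIDE are not modelled.

```python
# Added example: the quoted access check over a getfacl-style short-text ACL.
# Numeric IDs only; every sample value here is constructed for illustration.
SAMPLE_ACL = ("user::rwx,user:1001:rwx,group::r--,group:2000:-w-,"
              "group:3000:r--,mask::rw-,other::r-x")

def parse_acl(text):
    """Parse entries such as 'user::rw-', 'group:2000:r-x', 'mask::r-x'."""
    acl = {"user": {}, "group": {}, "mask": None, "other": set()}
    for entry in text.split(","):
        tag, qual, perms = entry.strip().split(":")
        bits = set(perms) - {"-"}
        if tag in ("user", "group"):
            # Empty qualifier means the owner entry (ACL_USER_OBJ / ACL_GROUP_OBJ).
            acl[tag][int(qual) if qual else None] = bits
        else:
            acl[tag] = bits
    return acl

def acl_allows(acl, owner_uid, owner_gid, euid, gids, want):
    """True if every permission in `want` (e.g. 'rw') is granted.
    gids: effective GID plus supplementary GIDs of the process."""
    want = set(want)
    mask = acl["mask"]
    # Step 1: the owner is judged by ACL_USER_OBJ alone; the mask does not apply.
    if euid == owner_uid:
        return want <= acl["user"][None]
    # Step 2: a named ACL_USER entry, limited by ACL_MASK (present in a valid ACL).
    if euid in acl["user"]:
        return want <= (acl["user"][euid] & mask)
    # Step 3: gather ACL_GROUP_OBJ and each ACL_GROUP entry the process matches.
    matched = []
    if owner_gid in gids:
        matched.append(acl["group"][None])
    matched += [p for g, p in acl["group"].items() if g is not None and g in gids]
    if matched:
        if mask is not None:
            # A single matching entry must carry all requested bits;
            # bits from different group entries are not combined.
            return any(want <= (p & mask) for p in matched)
        return want <= acl["group"][None]
    # Steps 4 and 5: only processes matching nothing above reach ACL_OTHER.
    return want <= acl["other"]
```

Because the first matching step decides, a group member can be denied a permission that ACL_OTHER would grant, and an owner with `user::---` is denied even when `other::rwx` is set.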