shared/acl-util: add mask only when needed, always add base ACLs

For ACLs to be valid, a set of entries for user, group, and other
must be always present. Always add those entries.

While at it, only add the mask ACL if it is actually required, i.e.
when at least on ACL for non-owner group or user exists.

1 files changed, 10 insertions, 10 deletions

diff --git a/man/tmpfiles.d.xml b/man/tmpfiles.d.xml
index 957910dd6..8815bf997 100644
--- a/man/tmpfiles.d.xml
+++ b/man/tmpfiles.d.xml
@@ -306,16 +306,16 @@
           <term><varname>a</varname></term>
           <term><varname>a+</varname></term>
           <listitem><para>Set POSIX ACLs (access control lists). If
-          suffixed with <varname>+</varname>, specified mask will be
-          added to existing
-          entries. <command>systemd-tmpfiles</command> does not
-          automatically add the required base entries for user and
-          group to the specified mask, so they must be specified
-          explicitly if <varname>+</varname> is not used. The
-          mask will be added if not specified explicitly.
-          Lines of this type accept shell-style globs in place
-          of normal path names. This can be useful for allowing
-          additional access to certain files.  </para></listitem>
+          suffixed with <varname>+</varname>, specified entries will
+          be added to the existing set.
+          <command>systemd-tmpfiles</command> will automatically add
+          the required base entries for user and group based on the
+          access mode of the file, unless base entries already exist
+          or are explictly specified. The mask will be added if not
+          specified explicitly or already present. Lines of this type
+          accept shell-style globs in place of normal path names. This
+          can be useful for allowing additional access to certain
+          files.</para></listitem>
         </varlistentry>
 
         <varlistentry>