Initial ACLs of a New Fileset

The root directory of a newly created DCE LFS fileset has no DCE ACLs. The directory is protected only with UNIX mode bits. Files and subdirectories created in the directory inherit UNIX mode bits according to the usual file system semantics. The root directory's Object ACL, Initial Object Creation ACL, and Initial Container Creation ACL remain implicit until the dcecp acl command is used to create explicit ACLs for the directory. (See Creating Explicit (Existing) ACLs, in the topic Mode Bits for New Objects That Do Not Inherit ACLs.)

A DCE LFS fileset can include many files and directories that never have ACLs. However, this approach fails to take advantage of the enhanced security available with DCE ACLs. Therefore, it is important to use the dcecp acl command to create the Object ACL, Initial Object Creation ACL, and Initial Container Creation ACL for the root directory of a fileset before other objects are created in the directory.

For the root directory of a new DCE LFS fileset, user, group, and other all receive the UNIX r, w, and x mode bits. If the dcecp acl show command is used to view the directory's Object ACL, DCE LFS displays an implicit Object ACL that has the following entries and permissions:

{user_obj rwxcid}

{group_obj rwx-id}

{other_obj rwx-id}

If the dcecp acl show command is invoked with the -ic or -io option to view the Initial Container Creation ACL or Initial Object Creation ACL of a new root directory, DCE LFS displays an implicit Initial Creation ACL. DCE LFS constructs implicit Initial Creation ACLs for a new root directory just as it constructs implicit Initial Creation ACLs for any directory that does not have these ACLs. (See Displaying Implicit (Nonexistent) ACLs, in the topic Mode Bits for New Objects That Do Not Inherit ACLs.)
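An added example, not part of the original documentation: a small Python audit that parses saved dcecp acl show output and flags a directory whose Object ACL still matches the new-root listing above, or that grants write, insert, or delete to everyone. The function names, the sample text, and the choice of which permissions count as risky are assumptions; any_other is a DCE ACL entry type that this page does not mention.

```python
import re

# One ACL entry as dcecp prints it: {type [key] permissions}
ENTRY_RE = re.compile(r"\{(\w+)(?:\s+(\S+))?\s+([rwxcid-]+)\}")

# The implicit Object ACL this page lists for a new fileset root directory.
NEW_ROOT_DEFAULT = {
    ("user_obj", None): frozenset("rwxcid"),
    ("group_obj", None): frozenset("rwxid"),
    ("other_obj", None): frozenset("rwxid"),
}

# Constructed sample input: saved output of `dcecp -c acl show <directory>`.
SAMPLE_NEW_ROOT = "{user_obj rwxcid}\n{group_obj rwx-id}\n{other_obj rwx-id}\n"
SAMPLE_TIGHTENED = (
    "{user_obj rwxcid}\n{group_obj r-x---}\n"
    "{user jane rwx-id}\n{other_obj r-x---}\n"
)


def parse_acl(text):
    """Map (entry_type, key) -> frozenset of granted permission letters."""
    acl = {}
    for etype, key, perms in ENTRY_RE.findall(text):
        # Entries such as user_obj have no key; "-" marks an absent permission.
        acl[(etype, key or None)] = frozenset(perms) - {"-"}
    return acl


def audit(text, broad_types=("other_obj", "any_other"), risky="wid"):
    """Return a list of findings for one directory's Object ACL."""
    acl = parse_acl(text)
    findings = []
    # Heuristic only: an explicit ACL could have been set to the same values.
    if acl == NEW_ROOT_DEFAULT:
        findings.append("matches new-root default: ACLs may never have been set")
    for (etype, _key), perms in acl.items():
        granted = "".join(p for p in risky if p in perms)
        if etype in broad_types and granted:
            findings.append(f"{etype} grants {granted}")
    return findings


if __name__ == "__main__":
    for name, text in (("new root", SAMPLE_NEW_ROOT), ("tightened", SAMPLE_TIGHTENED)):
        print(name, audit(text))
```
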