Default ACL execute permission inheritance
I've searched through the Linux-XFS mailing list archives, searched through 
Google, and even skimmed the IEEE POSIX 1003.1e draft standard, and perhaps 
I'm just dense, but I haven't found a sufficient answer to this question 
about ACLs (in general... although in this case I am using XFS on Linux).

I want the user and group who own /foo to have rw- for all files, and rwx 
for all directories.  I want user apache to have r-- for all files, and r-x 
for all directories.  Everyone else should have --- (although I want to 
leave the option open to give a specific user write access later on, for 
example).

So say I set /foo to have this default ACL... 
u::rwx,g::rwx,o::---,m::rwx,u:apache:r-x

Now, if I create a directory /foo/bar, bar has an access ACL and a default 
ACL identical to /foo's default ACL.  Correct, intended behavior, yay.

However, if I 'touch somefile', I get a file access ACL that is not what I 
expected...

  u::rw-,g::rwx,o::---,m::rw-,u:apache:r-x

I see two things wrong with this.  (1) ACL_GROUP_OBJ has rwx perms.  It 
should not be able to execute.  I believe someone else on this list 
mentioned that this was part of the standard, although weird.  If this is 
intended behavior, could someone please confirm it?  (2) apache has r-x 
perms, and should also not have the execute bit set.  Shouldn't the execute 
bit have been dropped by intersection with the rw-rw-rw- creation 
permissions?

I'll admit, I've never used ACLs before in Linux (or IRIX), but something 
seems broken here.  That "something" is most likely me :), but I'd feel a 
lot better if someone could explain either what I'm doing wrong, or why 
this is the way it is.

Thanks so much!

========================
  Dan Mastrian
  djm2@andrew.cmu.edu
========================
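The following is an added illustration, not part of the original message or of XFS itself. It models the default-ACL inheritance rules that Linux implements from POSIX.1e draft 17 (documented in acl(5), section "Object creation and default ACLs"): the ACL_USER_OBJ, ACL_OTHER and, when present, ACL_MASK entries are ANDed with the owner, other and group bits of the creation mode respectively, while ACL_GROUP_OBJ and every named user/group entry are copied unchanged and are instead limited by the mask at access-check time. Two further facts the model relies on: when the parent has a default ACL the umask is not applied, so `touch` creates with mode 0666 and `mkdir` with 0777, and the effective permission of a masked entry is its stored permission ANDed with the mask. Run against the default ACL from the post, the model reproduces the file ACL the poster saw and shows that the effective permissions (g:: rw-, u:apache r--) are exactly the ones wanted. The ACL short-text parser and the sample ACL strings are constructed for this example.

```python
# Added model of POSIX.1e default-ACL inheritance as Linux applies it (acl(5)).
# Illustration only; not code from the mailing-list post or from XFS.
from typing import Dict, List, Tuple

Entry = Tuple[str, str, int]  # (tag, qualifier, perms as 3-bit rwx)


def parse_perms(s: str) -> int:
    """Turn 'r-x' into a 3-bit value (r=4, w=2, x=1)."""
    if len(s) != 3:
        raise ValueError(f"bad permission string {s!r}")
    return (4 if s[0] == "r" else 0) | (2 if s[1] == "w" else 0) | (1 if s[2] == "x" else 0)


def fmt_perms(p: int) -> str:
    return ("r" if p & 4 else "-") + ("w" if p & 2 else "-") + ("x" if p & 1 else "-")


def parse_acl(text: str) -> List[Entry]:
    """Parse short-form ACL text such as 'u::rwx,g::rwx,o::---,m::rwx,u:apache:r-x'."""
    entries: List[Entry] = []
    for item in text.split(","):
        tag, qual, perms = item.split(":")
        entries.append((tag, qual, parse_perms(perms)))
    return entries


def format_acl(entries: List[Entry]) -> str:
    return ",".join(f"{t}:{q}:{fmt_perms(p)}" for t, q, p in entries)


def inherit_access_acl(default_acl: str, mode: int) -> str:
    """Access ACL a new object receives from its parent's default ACL.

    `mode` is the mode requested by the creating call (0o666 for touch,
    0o777 for mkdir); the umask is ignored when a default ACL exists.
    Rules from acl(5):
      u::  = default u:: & owner bits
      o::  = default o:: & other bits
      m::  = default m:: & group bits          (if a mask exists)
      g::  = default g:: & group bits          (only if NO mask exists)
      g:: (with mask) and named u:/g: entries are copied unchanged.
    """
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    entries = parse_acl(default_acl)
    has_mask = any(t == "m" for t, _, _ in entries)
    result: List[Entry] = []
    for tag, qual, perms in entries:
        if tag == "u" and qual == "":
            perms &= owner
        elif tag == "o":
            perms &= other
        elif tag == "m":
            perms &= group
        elif tag == "g" and qual == "" and not has_mask:
            perms &= group
        # named users/groups, and g:: when a mask is present, keep their bits
        result.append((tag, qual, perms))
    return format_acl(result)


def effective_perms(acl: str) -> Dict[str, str]:
    """Permissions actually granted: g:: and named entries are ANDed with the
    mask at access-check time; u:: and o:: are never masked."""
    entries = parse_acl(acl)
    mask = next((p for t, _, p in entries if t == "m"), None)
    out: Dict[str, str] = {}
    for tag, qual, perms in entries:
        masked = tag == "g" or (tag == "u" and qual != "")
        if mask is not None and masked:
            perms &= mask
        out[f"{tag}:{qual}"] = fmt_perms(perms)
    return out


if __name__ == "__main__":
    default = "u::rwx,g::rwx,o::---,m::rwx,u:apache:r-x"  # from the post
    file_acl = inherit_access_acl(default, 0o666)  # touch somefile
    dir_acl = inherit_access_acl(default, 0o777)   # mkdir bar
    print("file access ACL:", file_acl)
    print("dir  access ACL:", dir_acl)
    print("effective on file:", effective_perms(file_acl))
```

The stored g::rwx and u:apache:r-x on the file are therefore what the standard prescribes, and they are harmless in practice because the mask (rw-) caps both at access time; `getfacl` shows this as `#effective:` annotations. The mask is also why the question's option to grant a specific user write access later can work without touching the mode bits, since the inherited mask already includes write.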