scp and POSIX ACLs
scp doesn’t play well with POSIX filesystem ACLs, and as far as I can tell there’s nothing to be done about it.
The problem is that the server side explicitly calls
open(2) with the mode of the file on the client side in all cases. Since the file’s group permissions are linked to the mask ACL, this means that — for a mode 644 file — the file gets set
mask::r-- instead of inheriting the default mask from the directory.
In my opinion, the correct way to do it would be to create the file without an explicit mode unless the -p command line option was used. In fact, I would have thought that was the point of the -p flag.
This issue isn’t exclusive to ACLs, really. It seems like it would cause problems with standard unix permissions as well. Anyway, the only way around it seems to be changing the mode on the client side prior to the scp. bummer.
Note: I determined this by examining the version of OpenSSH distributed with Ubuntu Lucid, which is 5.3p1. Please let me know if you’ve had a different experience.