I will make "negative" state if I revoke DefACL without prior grant?
Not really following the whole thread but figured I'm comment on this point that confused me in the past as well.
Not sure if this is what you mean but there is no concept of "negative state" in the permissions system. Everything starts out with no permissions. Grant adds permissions and revoke un-adds granted permissions. Revoking something that doesn't exist is either a no-op or a warning depending on the context - either way its doesn't setup a "forbidden" state for the permission.
Revoking/granting on default ACLs never affects already existing objects.
