Creating an NFSv4 ACL with an entry that denies ACL_READ_ATTRIBUTES ought to deny the user the ability to stat the file. On ZFS, it does. But on UFS, it has no effect. Steps to Reproduce: #! /bin/sh truncate -s 1g /tmp/ufs.img MD=`mdconfig -a -t vnode -f /tmp/ufs.img` newfs $MD tunefs -N enable /dev/$MD sudo mount /dev/$MD /mnt cd /mnt touch foo setfacl -a 0 user:nobody:------a-------:-------:deny foo sudo -u nobody stat $FILE >/dev/null 2>&1 if [ $? -eq 0 ]; then echo -e "ERROR: user nobody can stat the file, despite being denied by ACL" fi cd / umount /mnt mdconfig -d -u $MD