Faking it: step 2: relaxed NFSv4->POSIX mapping

Requirements:
  1. Server should accept (almost) any NFSv4 ACL.
  2. "If a server receives a SETATTR request that it cannot accurately implement, it should error in the direction of more restricted access."
Algorithm outline:
  1. Process the NFSv4 ACL as the file owner, find the minimum permissions it must grant that owner.
  2. Repeat for each named user.
  3. Repeat for a hypothetical member of the owning group that isn't the file owner or one of the named users.
  4. Repeat similarly for each named group.
  5. Repeat for a user not the file owner or any named user, and not a member of the file group or any named group.
  6. Assemble resulting permissions into a POSIX ACL.
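
A sketch of the outline above, added here as an example and not taken from the slides or from any server's code. Assumptions: ACEs are (type, who, mask) tuples, named principals carry hypothetical "u:"/"g:" prefixes, only four mask bits are modelled, and any principal other than the hypothetical "other" user is treated as a possible member of every group, so a group DENY counts against it while a group ALLOW does not.

```python
# Added sketch of the outline above; not the server's own code.
READ, WRITE, APPEND, EXECUTE = 0x01, 0x02, 0x04, 0x20  # ACE4_* bits, RFC 3530

def min_perms(aces, certain, possible):
    """Bits the ACL must grant a principal, whatever its other memberships.
    certain: 'who' values the principal always matches.
    possible: groups it might belong to; their ALLOWs are ignored and
    their DENYs honoured, so the result errs toward less access."""
    granted = decided = 0
    for kind, who, mask in aces:          # first applicable ACE decides a bit
        fresh = mask & ~decided
        if kind == "A" and who in certain:
            granted |= fresh
            decided |= fresh
        elif kind == "D" and (who in certain or who in possible):
            decided |= fresh
    return granted

def rwx(bits):
    # Assumed mode mapping: POSIX "w" needs WRITE_DATA and APPEND_DATA.
    return (("r" if bits & READ else "-")
            + ("w" if bits & WRITE and bits & APPEND else "-")
            + ("x" if bits & EXECUTE else "-"))

def nfs4_to_posix(aces):
    users = sorted({w for _, w, _ in aces if w.startswith("u:")})
    groups = sorted({w for _, w, _ in aces if w.startswith("g:")})
    every, all_groups = "EVERYONE@", {"GROUP@", *groups}
    acl = [("user::", min_perms(aces, {"OWNER@", every}, all_groups))]      # step 1
    acl += [(f"user:{u[2:]}:", min_perms(aces, {u, every}, all_groups))
            for u in users]                                                  # step 2
    acl += [("group::" if g == "GROUP@" else f"group:{g[2:]}:",
             min_perms(aces, {g, every}, all_groups - {g}))
            for g in ["GROUP@", *groups]]                                    # steps 3-4
    other = min_perms(aces, {every}, set())                                  # step 5
    if users or groups:   # mask = union of group-class entries, adds no limit
        mask = 0
        for _, bits in acl[1:]:
            mask |= bits
        acl.append(("mask::", mask))
    acl.append(("other::", other))
    return [tag + rwx(bits) for tag, bits in acl]                            # step 6

# Constructed sample ACL: (type, who, mask); "u:"/"g:" prefixes are assumed.
RW = READ | WRITE | APPEND
SAMPLE = [("D", "g:guests", WRITE | APPEND), ("A", "OWNER@", RW | EXECUTE),
          ("A", "u:alice", RW), ("A", "GROUP@", READ | EXECUTE),
          ("A", "g:guests", READ), ("A", "EVERYONE@", READ)]

if __name__ == "__main__":
    print("\n".join(nfs4_to_posix(SAMPLE)))
```

In the sample, the leading DENY on the guests group removes write access from the owner and from alice as well, because either could be a member of that group.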
Result: Also: What have we learned?