By the way, here is what I want to use ACLs for:
A collection of web services like wiki servers, each running as a separate UNIX user.
Different sets of files, read/write to different subsets of users, and read-only to still different subsets.
I have done similar stuff using groups. Using a distinct group per read/write group of files, and letting the files be world readable. Obviously falls a bit short, and results in a proliferation of groups. Typically overflowing the usual UNIX limit of 14 groups. Used wash and other tools to swap groups in and out. (Does DH have such tools? Haven’t checked.)
I have done similar stuff using setuid. But I really dislike setuid.
I have done similar stuff using setgid, to further restrict which programs can access the data.
I rather dislike setgid, because both setuid and setgid require me to write validation code. Which amounts to following an ACL.
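Added example, not part of the original post: a sketch of the per-service layout described above, expressed as POSIX ACL entries for `setfacl` instead of one group per file set. The helper name `acl_spec`, the service users `wiki_a`, `wiki_b`, `wiki_c` and the path `/srv/shared/docs` are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical helper (not from the post): build the entry list for
# `setfacl -m` from a list of read/write users and a list of read-only
# users, closing off "other" so the files need not be world readable.
#   $1 = entry prefix: "" for access ACLs, "d:" for default (inherited) ACLs
#   $2 = space-separated read/write users
#   $3 = space-separated read-only users
acl_spec() {
    prefix=$1; rw_users=$2; ro_users=$3; spec=""
    # Reject anything that could alter the entry syntax (",", ":") or glob.
    case "$rw_users $ro_users" in
        *[!A-Za-z0-9_\ -]*) echo "acl_spec: bad user name" >&2; return 1 ;;
    esac
    for u in $rw_users; do spec="${spec}${prefix}u:${u}:rwX,"; done
    for u in $ro_users; do spec="${spec}${prefix}u:${u}:rX,"; done
    # Capital X grants execute only on directories (and files that already
    # have an execute bit), so plain files do not become executable.
    printf '%s\n' "${spec}${prefix}o::---"
}

# Constructed sample policy: wiki_a and wiki_b may write, wiki_c may only read.
acl_spec ""   "wiki_a wiki_b" "wiki_c"
acl_spec "d:" "wiki_a wiki_b" "wiki_c"

# Applying it (left commented out; needs the users and an ACL-enabled filesystem):
#   setfacl -R -m "$(acl_spec '' 'wiki_a wiki_b' 'wiki_c')" /srv/shared/docs
#   find /srv/shared/docs -type d \
#        -exec setfacl -m "$(acl_spec d: 'wiki_a wiki_b' 'wiki_c')" {} +
#   getfacl /srv/shared/docs    # review the resulting entries and mask
```

The default (`d:`) entries are set on directories only, so files created later by any of the services inherit the same access list.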