Linux – Inherit or set permissions for all new files under a specific path

Well, but your example does exactly what you want ;)

Look at the second one:

overt htdocs # setfacl -dm u:apache:rx .
overt htdocs # touch blah.txt
overt htdocs # getfacl blah.txt
# file: blah.txt
# owner: root
# group: root
user::r--
user:apache:r-x                 #effective:r--
group::r--
mask::r--
other::r--

The important line is:

user:apache:r-x #effective:r--

Even though acl is set to r-x it is effectively r-- for files. It is because of the mask.

And the mask will be always only rw- for files if the user created it with the rw- permissions for user. (I'm not 100% sure but mask cannot be less restrictive then the basic permissions).

So effectively you get r-- for files and r-x for directories.
Because created directories will have user:r-x -> mask will be r-x -> effective permission will be r-x.
For files: they will have r-- so mask will be r-- and effective permissions for ACLs will be r--, too. (If you create a file and give it a user::r-x permissions, then mask will be modified and users form acl's will get the x, too)

If cp creates the destination file, it replicates the permissions of the source file, except for the bits that are set in the umask. This is standard behavior (see e.g. step 3.b in the Single Unix v3 (POSIX 2001) specification.

Why was cp designed this way? Because there are many cases where this behavior is desirable, for example preserving a file's privacy when the original permissions are restrictive, and preserving executability is almost always the right thing to do. It is however unfortunate that not even GNU cp has an option to turn this behavior off.

Most copy tools (e.g. pax, rsync) behave in the same way. You can ensure the file will be created with the default permission by decoupling the source from the destination, for example with cat <baz >foo/baz.