From cc70635c0da7977b36b5dee4904c34f15f118106 Mon Sep 17 00:00:00 2001
From: Corinna Vinschen
Date: Wed, 25 Feb 2015 17:18:13 +0000
Subject: [PATCH] * security.cc (alloc_sd): Don't apply temporary workaround for chmod to DEF_USER_OBJ, DEF_GROUP_OBJ, and DEF_OTHER_OBJ ACEs.
---
 winsup/cygwin/ChangeLog | 5 +++++
 winsup/cygwin/security.cc | 21 +++++++++++++--------
 2 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 8c80f97e3..4b3f7de74 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,3 +1,8 @@
+2015-02-25 Corinna Vinschen
+
+ * security.cc (alloc_sd): Don't apply temporary workaround for chmod
+ to DEF_USER_OBJ, DEF_GROUP_OBJ, and DEF_OTHER_OBJ ACEs.
+
 2015-02-25 Corinna Vinschen * fhandler_tty.cc (fhandler_pty_slave::read): Having no input is not an
diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc
index 929e8a32e..9c94c7053 100644
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@@ -777,14 +777,19 @@ alloc_sd (path_conv &pc, uid_t uid, gid_t gid, int attribute,
 ace->Header.AceFlags &= ~INHERITED_ACE; } else if (uid == ILLEGAL_UID && gid == ILLEGAL_UID
- && ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
- /* FIXME: Temporary workaround for the problem that chmod does
- not affect the group permissions if other users and groups
- in the ACL have more permissions than the primary group due
- to the CLASS_OBJ emulation. The temporary workaround is to
- disallow any secondary ACE in the ACL more permissions than
- the primary group when writing a new ACL via chmod. */
- ace->Mask &= group_allow;
+ && ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE
+ && ace_sid != well_known_creator_group_sid
+ && ace_sid != well_known_creator_owner_sid
+ && ace_sid != well_known_world_sid)
+ {
+ /* FIXME: Temporary workaround for the problem that chmod does
+ not affect the group permissions if other users and groups
+ in the ACL have more permissions than the primary group due
+ to the CLASS_OBJ emulation. The temporary workaround is to
+ disallow any secondary ACE in the ACL more permissions than
+ the primary group when writing a new ACL via chmod. */
+ ace->Mask &= group_allow;
+ }
 /* Add unrelated ACCESS_DENIED_ACE to the beginning but behind the owner_deny, ACCESS_ALLOWED_ACE to the end. FIXME: this would break the order of the inherit-only ACEs. */
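Review bot: The exemption added to the `else if` condition is keyed on SID identity alone (`ace_sid != well_known_creator_group_sid`, `ace_sid != well_known_creator_owner_sid`, `ace_sid != well_known_world_sid`), whereas the commit message describes it as covering the DEF_USER_OBJ, DEF_GROUP_OBJ and DEF_OTHER_OBJ entries, i.e. inheritable default ACEs. Nothing visible in the hunk establishes that an Everyone ACE reaching this branch is always inherit-only; if an effective one can get here, chmod would no longer clamp it to `group_allow`, and the object could stay more accessible than the requested mode suggests. alloc_sd begins and ends outside the hunk, so either confirm that the earlier code guarantees this or make the intent explicit by also testing `(ace->Header.AceFlags & INHERIT_ONLY_ACE)`. The FIXME comment should also state why the three SIDs are skipped, for example `/* Default (inherit-only) owner, group and other entries are left out of the CLASS_OBJ workaround. */`.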