* security.cc (alloc_sd): Don't apply temporary workaround for chmod

to DEF_USER_OBJ, DEF_GROUP_OBJ, and DEF_OTHER_OBJ ACEs.

winsup/cygwin/ChangeLog

@@ -1,3 +1,8 @@
+2015-02-25  Corinna Vinschen  <corinna@vinschen.de>
+
+	* security.cc (alloc_sd): Don't apply temporary workaround for chmod
+	to DEF_USER_OBJ, DEF_GROUP_OBJ, and DEF_OTHER_OBJ ACEs.
+
 2015-02-25  Corinna Vinschen  <corinna@vinschen.de>
 
 	* fhandler_tty.cc (fhandler_pty_slave::read): Having no input is not an

winsup/cygwin/security.cc

@@ -777,14 +777,19 @@ alloc_sd (path_conv &pc, uid_t uid, gid_t gid, int attribute,
 	      ace->Header.AceFlags &= ~INHERITED_ACE;
 	    }
 	  else if (uid == ILLEGAL_UID && gid == ILLEGAL_UID
-		   && ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
-	  /* FIXME: Temporary workaround for the problem that chmod does
-	     not affect the group permissions if other users and groups
-	     in the ACL have more permissions than the primary group due
-	     to the CLASS_OBJ emulation.  The temporary workaround is to
-	     disallow any secondary ACE in the ACL more permissions than
-	     the primary group when writing a new ACL via chmod. */
-	    ace->Mask &= group_allow;
+		   && ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE
+		   && ace_sid != well_known_creator_group_sid
+		   && ace_sid != well_known_creator_owner_sid
+		   && ace_sid != well_known_world_sid)
+	    {
+	      /* FIXME: Temporary workaround for the problem that chmod does
+		 not affect the group permissions if other users and groups
+		 in the ACL have more permissions than the primary group due
+		 to the CLASS_OBJ emulation.  The temporary workaround is to
+		 disallow any secondary ACE in the ACL more permissions than
+		 the primary group when writing a new ACL via chmod. */
+	      ace->Mask &= group_allow;
+	    }
 	  /* Add unrelated ACCESS_DENIED_ACE to the beginning but behind
 	     the owner_deny, ACCESS_ALLOWED_ACE to the end.  FIXME: this
 	     would break the order of the inherit-only ACEs. */