+
+/**
+ * @brief Determine whether the given ACL's mask denies execute.
+ *
+ * @param acl
+ * The ACL whose mask we want to check.
+ *
+ * @return
+ * - @c ACL_SUCCESS - The @c acl has a mask which denies execute.
+ * - @c ACL_FAILURE - The @c acl has a mask which does not deny execute.
+ * - @c ACL_ERROR - Unexpected library error.
+ */
+int acl_execute_masked(acl_t acl) {
+
+ acl_entry_t entry;
+ int ge_result = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry);
+
+ while (ge_result == ACL_SUCCESS) {
+ acl_tag_t tag = ACL_UNDEFINED_TAG;
+
+ if (acl_get_tag_type(entry, &tag) == ACL_ERROR) {
+ perror("acl_execute_masked (acl_get_tag_type)");
+ return ACL_ERROR;
+ }
+
+ if (tag == ACL_MASK) {
+ /* This is the mask entry, get its permissions, and see if
+ execute is specified. */
+ acl_permset_t permset;
+
+ if (acl_get_permset(entry, &permset) == ACL_ERROR) {
+ perror("acl_execute_masked (acl_get_permset)");
+ return ACL_ERROR;
+ }
+
+ int gp_result = acl_get_perm(permset, ACL_EXECUTE);
+ if (gp_result == ACL_ERROR) {
+ perror("acl_execute_masked (acl_get_perm)");
+ return ACL_ERROR;
+ }
+
+ if (gp_result == ACL_FAILURE) {
+ /* No execute bit set in the mask; execute not allowed. */
+ return ACL_SUCCESS;
+ }
+ }
+
+ ge_result = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry);
+ }
+
+ return ACL_FAILURE;
+}
+
+
+
+/**
+ * @brief Determine whether @c fd is executable by anyone.
+ *
+ *
+ * This is used as part of the heuristic to determine whether or not
+ * we should mask the execute bit when inheriting an ACL. If @c fd
+ * describes a file, we check the @a effective permissions, contrary
+ * to what setfacl does.
+ *
+ * @param fd
+ * The file descriptor to check.
+ *
+ * @param sp
+ * A pointer to a stat structure for @c fd.
+ *
+ * @return
+ * - @c ACL_SUCCESS - Someone has effective execute permissions on @c fd.
+ * - @c ACL_FAILURE - Nobody can execute @c fd.
+ * - @c ACL_ERROR - Unexpected library error.
+ */
+int any_can_execute(int fd, const struct stat* sp) {
+ acl_t acl = acl_get_fd(fd);