+((TESTNUM++))
+touch "${TARGET}"
+chmod 644 "${TARGET}"
+setfacl -d -m group:${USERS[0]}:rwx "${TESTDIR}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rw-
+group::r--
+group:${USERS[0]}:rwx #effective:rw-
+mask::rw-
+other::r--
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# Same test as before except with a directory.
+((TESTNUM++))
+setfacl -d -m group:${USERS[0]}:rwx "${TESTDIR}"
+mkdir "${TARGET}"
+chmod 755 "${TARGET}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+group::r-x
+group:${USERS[0]}:rwx
+mask::rwx
+other::r-x
+default:user::rwx
+default:group::r-x
+default:group:${USERS[0]}:rwx
+default:mask::rwx
+default:other::r-x
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# With no default, things are left alone.
+((TESTNUM++))
+touch "${TARGET}"
+chmod 744 "${TARGET}"
+$BIN "${TARGET}"
+
+
+EXPECTED=$(cat <<EOF
+user::rwx
+group::r--
+other::r--
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+
+# Since the default ACL will grant r-x to group/other, they will wind
+# up with it.
+((TESTNUM++))
+touch "${TARGET}"
+chmod 744 "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+$BIN "${TARGET}"
+
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# Some named entries can be granted execute permissions as the result
+# of reapplication.
+((TESTNUM++))
+touch "${TARGET}"
+chmod 744 "${TARGET}"
+setfacl -m user:${USERS[1]}:rw "${TARGET}"
+# If we don't add 'x' to the mask here, nobody can execute the file.
+# setfacl will update the mask for us under most circumstances, but
+# note that we didn't create an entry with an 'x' bit using setfacl --
+# therefore, setfacl won't unmask 'x' for us.
+setfacl -m mask::rwx "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+setfacl -d -m user:${USERS[1]}:rwx "${TESTDIR}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+user:${USERS[1]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# We should not retain any entries that aren't in the default.
+((TESTNUM++))
+touch "${TARGET}"
+chmod 644 "${TARGET}"
+setfacl -m user:${USERS[1]}:rw "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rw-
+user:${USERS[0]}:rwx #effective:rw-
+group::r--
+mask::rw-
+other::r--
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# A slightly modified version of the first test, to make sure it works.
+((TESTNUM++))
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 777 "${TARGET}"
+setfacl -d -m user::r-- "${TESTDIR}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::r--
+group::r-x
+other::r-x
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# If the default ACL mask denies execute, we should respect that
+# regardless of the existing execute permissions.
+((TESTNUM++))
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 777 "${TARGET}"
+setfacl -m user:${USERS[0]}:rwx "${TESTDIR}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+setfacl -d -m mask::rw- "${TESTDIR}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx #effective:rw-
+group::r-x #effective:r--
+mask::rw-
+other::r-x
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+
+# The --recursive mode should work normally if the argument is a
+# normal file. See the first test.
+((TESTNUM++))
+TARGET="${TESTDIR}"/foo
+setfacl -d -m user::r-- "${TESTDIR}"
+setfacl -d -m group::r-- "${TESTDIR}"
+setfacl -d -m other::r-- "${TESTDIR}"
+touch "${TARGET}"
+chmod 777 "${TARGET}"
+$BIN --recursive "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::r--
+group::r--
+other::r--
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# The --recursive mode should work recursively.
+((TESTNUM++))
+TARGET="${TESTDIR}"/foo
+mkdir -p "${TARGET}"
+touch "${TARGET}"/baz
+mkdir -p "${TARGET}"/bar
+touch "${TARGET}"/bar/quux
+setfacl -d -m user::rwx "${TESTDIR}"
+setfacl -d -m group::r-- "${TESTDIR}"
+setfacl -d -m other::r-- "${TESTDIR}"
+chmod -R 777 "${TARGET}"
+$BIN --recursive "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+group::r--
+other::r--
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}"/bar/quux)
+compare
+
+
+# The --recursive mode should work recursively. This time
+# check a directory, and pass the short command-line flag.
+((TESTNUM++))
+TARGET="${TESTDIR}"/foo
+mkdir -p "${TARGET}"
+touch "${TARGET}"/baz
+mkdir -p "${TARGET}"/bar
+touch "${TARGET}"/bar/quux
+setfacl -d -m user::rwx "${TESTDIR}"
+setfacl -d -m group::r-- "${TESTDIR}"
+setfacl -d -m other::r-- "${TESTDIR}"
+chmod -R 777 "${TARGET}"
+$BIN -r "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+group::r--
+other::r--
+default:user::rwx
+default:group::r--
+default:other::r--
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}"/bar)
+compare
+
+
+# Test double application on a directory.
+#
+((TESTNUM++))
+TARGET="${TESTDIR}"/baz
+mkdir "${TARGET}"
+chmod 644 "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+
+$BIN "${TARGET}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+default:user::rwx
+default:user:${USERS[0]}:rwx
+default:group::r-x
+default:mask::rwx
+default:other::r-x
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# Same as previous test, with 755 initial perms.
+#
+((TESTNUM++))
+TARGET="${TESTDIR}"/baz
+mkdir "${TARGET}"
+chmod 755 "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+
+$BIN "${TARGET}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+default:user::rwx
+default:user:${USERS[0]}:rwx
+default:group::r-x
+default:mask::rwx
+default:other::r-x
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# Same as previous two tests, only with a file.
+#
+((TESTNUM++))
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 644 "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+
+$BIN "${TARGET}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rw-
+user:${USERS[0]}:rwx #effective:rw-
+group::r--
+mask::rw-
+other::r--
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# User-executable files should not wind up exec-masked.
+((TESTNUM++))
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 700 "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# Group-executable files should not wind up exec-masked.
+((TESTNUM++))
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 670 "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# Other-executable files should not wind up exec-masked.
+((TESTNUM++))
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 607 "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+
+
+# Make sure a mask with an execute bit doesn't count as being
+# executable.
+#
+((TESTNUM++))
+TARGET="${TESTDIR}"/foo