+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# If the default ACL mask denies execute, we should respect that
+# regardless of the existing execute permissions.
+TESTNUM=10
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 777 "${TARGET}"
+setfacl -m user:${USERS[0]}:rwx "${TESTDIR}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+setfacl -d -m mask::rw- "${TESTDIR}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx #effective:rw-
+group::r-x #effective:r--
+mask::rw-
+other::r-x
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+
+# The --recursive mode should work normally if the argument is a
+# normal file. See Test #1.
+TESTNUM=11
+TARGET="${TESTDIR}"/foo
+setfacl -d -m user::r-- "${TESTDIR}"
+setfacl -d -m group::r-- "${TESTDIR}"
+setfacl -d -m other::r-- "${TESTDIR}"
+touch "${TARGET}"
+chmod 777 "${TARGET}"
+$BIN --recursive "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::r--
+group::r--
+other::r--
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# The --recursive mode should work recursively.
+TESTNUM=12
+TARGET="${TESTDIR}"/foo
+mkdir -p "${TARGET}"
+touch "${TARGET}"/baz
+mkdir -p "${TARGET}"/bar
+touch "${TARGET}"/bar/quux
+setfacl -d -m user::rwx "${TESTDIR}"
+setfacl -d -m group::r-- "${TESTDIR}"
+setfacl -d -m other::r-- "${TESTDIR}"
+chmod -R 777 "${TARGET}"
+$BIN --recursive "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+group::r--
+other::r--
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}"/bar/quux)
+compare
+
+
+# The --recursive mode should work recursively. This time
+# check a directory, and pass the short command-line flag.
+TESTNUM=13
+TARGET="${TESTDIR}"/foo
+mkdir -p "${TARGET}"
+touch "${TARGET}"/baz
+mkdir -p "${TARGET}"/bar
+touch "${TARGET}"/bar/quux
+setfacl -d -m user::rwx "${TESTDIR}"
+setfacl -d -m group::r-- "${TESTDIR}"
+setfacl -d -m other::r-- "${TESTDIR}"
+chmod -R 777 "${TARGET}"
+$BIN -r "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+group::r--
+other::r--
+default:user::rwx
+default:group::r--
+default:other::r--
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}"/bar)
+compare
+
+
+# Test double application on a directory.
+#
+TESTNUM=14
+TARGET="${TESTDIR}"/baz
+mkdir "${TARGET}"
+chmod 644 "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+
+$BIN "${TARGET}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+default:user::rwx
+default:user:${USERS[0]}:rwx
+default:group::r-x
+default:mask::rwx
+default:other::r-x
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# Same as previous test, with 755 initial perms.
+#
+TESTNUM=15
+TARGET="${TESTDIR}"/baz
+mkdir "${TARGET}"
+chmod 755 "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+
+$BIN "${TARGET}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+default:user::rwx
+default:user:${USERS[0]}:rwx
+default:group::r-x
+default:mask::rwx
+default:other::r-x
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# Same as previous two tests, only with a file.
+#
+TESTNUM=16
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 644 "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+
+$BIN "${TARGET}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rw-
+user:${USERS[0]}:rwx #effective:rw-
+group::r--
+mask::rw-
+other::r--
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# User-executable files should not wind up exec-masked.
+TESTNUM=17
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 700 "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# Group-executable files should not wind up exec-masked.
+TESTNUM=18
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 670 "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# Other-executable files should not wind up exec-masked.
+TESTNUM=19
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 607 "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+
+# Test #16's setup repeated with the --no-exec-mask flag.
+#
+TESTNUM=20
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 644 "${TARGET}"
+# The directory allows execute for user, group, and other, so the file
+# should actually inherit them regardless of its initial mode when the
+# --no-exec-mask flag is passed.
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+
+$BIN --no-exec-mask "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+
+# Test #20 repeated recursively to make sure the flags play nice
+# together.
+TESTNUM=21
+PARENT_DIR="${TESTDIR}"/foo
+TARGET="${PARENT_DIR}"/bar
+mkdir "${PARENT_DIR}"
+touch "${TARGET}"
+chmod 644 "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+
+$BIN --recursive --no-exec-mask "${PARENT_DIR}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# Make sure a mask with an execute bit doesn't count as being
+# executable.
+#
+TESTNUM=22
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 644 "${TARGET}"
+setfacl -m user::rw "${TARGET}"
+setfacl -m group::rw "${TARGET}"
+# Even though the mask has an 'x' bit, nobody can execute it.
+setfacl -m mask::rwx "${TARGET}"
+setfacl -d -m user::rwx "${TESTDIR}"
+setfacl -d -m group::rwx "${TESTDIR}"
+$BIN "${TARGET}"
+
+
+EXPECTED=$(cat <<EOF
+user::rw-
+group::rw-
+other::r--
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# Same as test #2, except we pass multiple files on the command
+# line and check the result of the first one.
+TESTNUM=23
+setfacl -d -m user::r-- "${TESTDIR}"
+setfacl -d -m group::r-- "${TESTDIR}"
+setfacl -d -m other::r-- "${TESTDIR}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+DUMMY="${TESTDIR}/dummy"
+touch "${DUMMY}"
+chmod 777 "${DUMMY}"
+touch "${TARGET}"
+chmod 777 "${TARGET}"
+$BIN "${TARGET}" "${DUMMY}"
+
+EXPECTED=$(cat <<EOF
+user::r--
+user:${USERS[0]}:rwx
+group::r--
+mask::rwx
+other::r--
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+
+# Same as the previous test with the argument order switched.
+TESTNUM=24
+setfacl -d -m user::r-- "${TESTDIR}"
+setfacl -d -m group::r-- "${TESTDIR}"
+setfacl -d -m other::r-- "${TESTDIR}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+DUMMY="${TESTDIR}/dummy"
+touch "${DUMMY}"
+chmod 777 "${DUMMY}"
+touch "${TARGET}"
+chmod 777 "${TARGET}"
+$BIN "${DUMMY}" "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::r--
+user:${USERS[0]}:rwx
+group::r--
+mask::rwx
+other::r--
+
+EOF
+)
+
+ACTUAL=$(getfacl --omit-header "${TARGET}")
+compare
+
+
+# If we call apply-default-acl on a single file that does not exist,
+# we get the expected error.
+TESTNUM=25
+ACTUAL=$( "${BIN}" test/nonexistent 2>&1 )
+ACTUAL="${ACTUAL#*: }"
+EXPECTED="test/nonexistent: No such file or directory"
+compare
+
+# Same as the previous test, but with --recursive.
+TESTNUM=26
+ACTUAL=$( "${BIN}" --recursive test/nonexistent 2>&1 )
+ACTUAL="${ACTUAL#*: }"
+EXPECTED="test/nonexistent: No such file or directory"
+compare
+
+# If we call apply-default-acl on more than one file, it should report any
+# that don't exist (but proceed to operate on the others).
+TESTNUM=27
+DUMMY1="${TESTDIR}/dummy1"
+DUMMY2="${TESTDIR}/dummy2"
+touch "${DUMMY1}" "${DUMMY2}"
+ACTUAL=$( "${BIN}" "${DUMMY1}" test/nonexistent "${DUMMY2}" 2>&1 )
+ACTUAL="${ACTUAL#*: }"
+EXPECTED="test/nonexistent: No such file or directory"
+compare
+
+
+# Ensure that symlinks are not followed.
+TESTNUM=28
+TARGET="${TESTDIR}/foo"
+LINK2TARGET="${TESTDIR}/foo-sym"
+touch "${TARGET}"
+ln -s "${TARGET#${TESTDIR}/}" "${LINK2TARGET}"
+setfacl --default --modify user:${USERS[0]}:rwx "${TESTDIR}"
+"${BIN}" "${LINK2TARGET}"
+ACTUAL=$( getfacl --omit-header "${TARGET}" )
+EXPECTED=$(cat <<EOF
+user::rw-
+group::r--
+other::r--
+
+EOF
+)
+compare
+
+
+# Ensure that symlinks are not followed in subdirectories
+# (recursively).
+TESTNUM=29
+TARGET="${TESTDIR}/bar"
+touch "${TARGET}"
+mkdir "${TESTDIR}/foo"
+LINK2TARGET="${TESTDIR}/foo/bar-sym"
+ln -s "../bar" "${LINK2TARGET}"
+setfacl --default --modify user:${USERS[0]}:rwx "${TESTDIR}/foo"
+"${BIN}" --recursive "${TESTDIR}/foo"
+ACTUAL=$( getfacl --omit-header "${TARGET}" )
+EXPECTED=$(cat <<EOF
+user::rw-
+group::r--
+other::r--
+
+EOF
+)
+compare
+
+
+# Ensure that hard links are ignored.
+TESTNUM=30
+TARGET="${TESTDIR}/foo"
+LINK2TARGET="${TESTDIR}/bar"
+touch "${TARGET}"
+ln "${TARGET}" "${LINK2TARGET}"
+setfacl --default --modify user:${USERS[0]}:rwx "${TESTDIR}"
+"${BIN}" "${LINK2TARGET}"
+ACTUAL=$( getfacl --omit-header "${TARGET}" )
+EXPECTED=$(cat <<EOF
+user::rw-
+group::r--
+other::r--
+
+EOF
+)
+compare
+
+
+# We should be able to run the tool with a relative path from within a
+# directory that contains a symlink, so long as the relative path
+# doesn't contain one.
+TESTNUM=31
+TARGET="${TESTDIR}/foo/bar"
+LINK2TARGET="${TESTDIR}/baz"
+mkdir -p $(dirname "${TARGET}")
+touch "${TARGET}"
+ln -s foo "${TESTDIR}/baz"
+setfacl --default --modify user:${USERS[0]}:rw $(dirname "${TARGET}")
+pushd "${TESTDIR}/baz" > /dev/null
+"${BIN}" bar
+popd > /dev/null
+ACTUAL=$( getfacl --omit-header "${TARGET}" )
+EXPECTED=$(cat <<EOF
+user::rw-
+user:${USERS[0]}:rw-
+group::r--
+mask::rw-
+other::r--
+
+EOF
+)
+compare
+
+
+# Ensure that symlinks in non-terminal path components are not followed.
+TESTNUM=32
+TARGET="${TESTDIR}/foo/bar/baz"
+LINK2FOO="${TESTDIR}/quux"
+mkdir -p $(dirname "${TARGET}")
+touch "${TARGET}"
+ln -s foo "${LINK2FOO}"
+setfacl --default --modify user:${USERS[0]}:rw $(dirname "${TARGET}")
+"${BIN}" "${LINK2FOO}/bar/baz"
+ACTUAL=$( getfacl --omit-header "${TARGET}" )
+EXPECTED=$(cat <<EOF
+user::rw-
+group::r--
+other::r--
+
+EOF
+)