+int any_can_execute(const char* path) {
+ acl_t acl = acl_get_file(path, ACL_TYPE_ACCESS);
+
+ if (acl_is_minimal(&acl)) {
+ mode_t mode = get_mode(path);
+ if (mode & (S_IXUSR | S_IXOTH | S_IXGRP)) {
+ return 1;
+ }
+ else {
+ return 0;
+ }
+ }
+
+ if (acl == (acl_t)NULL) {
+ return 0;
+ }
+
+ acl_entry_t entry;
+ int result = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry);
+
+ while (result == 1) {
+ acl_permset_t permset;
+
+ int ps_result = acl_get_permset(entry, &permset);
+ if (ps_result == -1) {
+ perror("any_can_execute (acl_get_permset)");
+ return -1;
+ }
+
+ int gp_result = acl_get_perm(permset, ACL_EXECUTE);
+ if (gp_result == -1) {
+ perror("any_can_execute (acl_get_perm)");
+ return -1;
+ }
+
+ if (gp_result == 1) {
+ return 1;
+ }
+
+ result = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry);
+ }
+
+ if (result == -1) {
+ perror("any_can_execute (acl_get_entry)");
+ return -1;
+ }
+
+ return 0;
+}
+
+
+int reapply_default_acl_ng(const char* path) {
+ /* Really reapply the default ACL by looping through it. Returns one
+ for success, zero for failure (i.e. no ACL), and -1 on unexpected
+ errors. */
+ if (path == NULL) {
+ return 0;
+ }
+
+ if (!is_regular_file(path) && !is_directory(path)) {
+ return 0;
+ }
+
+ /* dirname mangles its argument */
+ char path_copy[PATH_MAX];
+ strncpy(path_copy, path, PATH_MAX-1);
+ path_copy[PATH_MAX-1] = 0;
+
+ char* parent = dirname(path_copy);
+ if (!is_directory(parent)) {
+ /* Make sure dirname() did what we think it did. */
+ return 0;
+ }
+
+ int ace_result = any_can_execute(path);
+ if (ace_result == -1) {
+ perror("reapply_default_acl_ng (any_can_execute)");
+ return -1;
+ }
+
+ bool allow_exec = (bool)ace_result;
+
+ acl_t defacl = acl_get_file(parent, ACL_TYPE_DEFAULT);
+ acl_t acl = acl_get_file(path, ACL_TYPE_ACCESS);
+
+ if (defacl == (acl_t)NULL || acl == (acl_t)NULL) {
+ return 0;
+ }
+
+ acl_entry_t entry;
+ int result = acl_get_entry(defacl, ACL_FIRST_ENTRY, &entry);
+
+ while (result == 1) {
+ acl_tag_t tag = ACL_UNDEFINED_TAG;
+ int tag_result = acl_get_tag_type(entry, &tag);
+
+ if (tag_result == -1) {
+ perror("has_default_tag_acl (acl_get_tag_type)");
+ return -1;
+ }
+
+
+ /* We've got an entry/tag from the default ACL. Get its permset. */
+ acl_permset_t permset;
+ int ps_result = acl_get_permset(entry, &permset);
+ if (ps_result == -1) {
+ perror("reapply_default_acl_ng (acl_get_permset)");
+ return -1;
+ }
+
+ /* If this is a default mask, fix it up. */
+ if (tag == ACL_MASK ||
+ tag == ACL_USER_OBJ ||
+ tag == ACL_GROUP_OBJ ||
+ tag == ACL_OTHER) {
+ if (!allow_exec) {
+ /* The mask doesn't affect acl_user_obj, acl_group_obj (in
+ minimal ACLs) or acl_other entries, so if execute should be
+ masked, we have to do it manually. */
+ int d_result = acl_delete_perm(permset, ACL_EXECUTE);
+ if (d_result == -1) {
+ perror("reapply_default_acl_ng (acl_delete_perm)");
+ return -1;
+ }
+
+ int sp_result = acl_set_permset(entry, permset);
+ if (sp_result == -1) {
+ perror("reapply_default_acl_ng (acl_set_permset)");
+ return -1;
+ }
+ }
+ }
+
+ /* Finally, add the permset to the access ACL. */
+ int set_result = set_acl_entry(&acl, entry);
+ if (set_result == -1) {
+ perror("reapply_default_acl_ng (set_acl_entry)");
+ return -1;
+ }
+
+ result = acl_get_entry(defacl, ACL_NEXT_ENTRY, &entry);
+ }
+
+ /* Catches the first acl_get_entry as well as the ones at the end of
+ the loop. */
+ if (result == -1) {
+ perror("reapply_default_acl_ng (acl_get_entry)");
+ return -1;
+ }
+
+ int sf_result = acl_set_file(path, ACL_TYPE_ACCESS, acl);
+ if (sf_result == -1) {
+ perror("reapply_default_acl_ng (acl_set_file)");
+ return -1;
+ }
+
+ return 1;
+}
+
+