+int has_default_user_obj_execute(const char* path) {
+ return has_default_tag_perm(path, ACL_USER_OBJ, ACL_EXECUTE);
+}
+
+int has_default_group_obj_read(const char* path) {
+ return has_default_tag_perm(path, ACL_GROUP_OBJ, ACL_READ);
+}
+
+int has_default_group_obj_write(const char* path) {
+ return has_default_tag_perm(path, ACL_GROUP_OBJ, ACL_WRITE);
+}
+
+int has_default_group_obj_execute(const char* path) {
+ return has_default_tag_perm(path, ACL_GROUP_OBJ, ACL_EXECUTE);
+}
+
+int has_default_other_read(const char* path) {
+ return has_default_tag_perm(path, ACL_OTHER, ACL_READ);
+}
+
+int has_default_other_write(const char* path) {
+ return has_default_tag_perm(path, ACL_OTHER, ACL_WRITE);
+}
+
+int has_default_other_execute(const char* path) {
+ return has_default_tag_perm(path, ACL_OTHER, ACL_EXECUTE);
+}
+
+int has_default_mask_read(const char* path) {
+ return has_default_tag_perm(path, ACL_MASK, ACL_READ);
+}
+
+int has_default_mask_write(const char* path) {
+ return has_default_tag_perm(path, ACL_MASK, ACL_WRITE);
+}
+
+int has_default_mask_execute(const char* path) {
+ return has_default_tag_perm(path, ACL_MASK, ACL_EXECUTE);
+}
+
+
+int reapply_default_acl(const char* path) {
+ /* If this is a normal file or directory (i.e. that has just been
+ created), we proceed to find its parent directory which will have
+ a default ACL.
+
+ Returns one for success, zero for failure (i.e. no ACL), and -1
+ on unexpected errors. */
+ if (path == NULL) {
+ return 0;
+ }
+
+ if (!is_regular_file(path) && !is_directory(path)) {
+ return 0;
+ }
+
+ /* dirname mangles its argument */
+ char path_copy[PATH_MAX];
+ strncpy(path_copy, path, PATH_MAX-1);
+ path_copy[PATH_MAX-1] = 0;
+
+ char* parent = dirname(path_copy);
+ if (!is_directory(parent)) {
+ /* Make sure dirname() did what we think it did. */
+ return 0;
+ }
+
+ /* This is the original mode of path. We will simply add permissions
+ to it, and then later reapply the result via chmod. */
+ mode_t path_mode = get_mode(path);
+
+ if (has_default_mask_acl(parent)) {
+ /* The parent has an extended ACL. Extended ACLs use the mask
+ entry. */
+
+ /* For the group bits, we'll use the ACL's mask instead of the group
+ object bits. If the default ACL had a group entry, it should
+ already have propagated (but might be masked). */
+ if (has_default_mask_read(parent)) {
+ path_mode |= S_IRGRP;
+ }
+ else {
+ path_mode &= ~S_IRGRP;
+ }
+
+ if (has_default_mask_write(parent)) {
+ path_mode |= S_IWGRP;
+ }
+ else {
+ path_mode &= ~S_IWGRP;
+ }
+
+ if (!mode_has_perm(path_mode, S_IXGRP)) {
+ /* The group ACL entry should already have been inherited from the
+ default ACL. If the source was not group executable, we want to
+ modify the destination so that it is not group executable
+ either. In the presence of ACLs, the group permissions come not
+ from the mode bits, but from the group:: ACL entry. So, to do
+ this, we remove the group::x entry. */
+ remove_access_group_obj_execute(path);
+ }
+
+ /* We need to determine whether or not to mask the execute
+ bit. This applies not only to the user/group/other entries, but
+ also to all other named entries. If the original file wasn't
+ executable, then the result probably should not be. To
+ determine whether or not "it was executable", we rely on the
+ user execute bits. Obviously this should be done before we
+ twiddle that bit. */
+ if (has_default_mask_execute(parent)) {
+ if (mode_has_perm(path_mode, S_IXUSR)) {
+ /* This just adds the group execute bit, and doesn't actually
+ grant group execute permissions. */
+ path_mode |= S_IXGRP;
+ }
+ }
+ else {
+ path_mode &= ~S_IXGRP;
+ }
+
+ }
+ else {
+ /* It's a minimal ACL. We'll repeat for the group bits what we
+ already did for the owner/other bits. */
+ if (has_default_group_obj_acl(parent)) {
+ if (has_default_group_obj_read(parent)) {
+ path_mode |= S_IRGRP;
+ }
+ else {
+ path_mode &= ~S_IRGRP;
+ }
+
+
+ if (has_default_group_obj_write(parent)) {
+ path_mode |= S_IWGRP;
+ }
+ else {
+ path_mode &= ~S_IWGRP;
+ }
+
+ /* We don't want to set the execute bit on via the ACL unless it
+ was on originally. */
+ if (!has_default_group_obj_execute(parent)) {
+ path_mode &= ~S_IXGRP;
+ }
+ }
+ }
+
+
+ /* If parent has a default user ACL, apply it. */
+ if (has_default_user_obj_acl(parent)) {
+
+ if (has_default_user_obj_read(parent)) {
+ /* Add user read. */
+ path_mode |= S_IRUSR;
+ }
+ else {
+ /* Remove user read. */
+ path_mode &= ~S_IRUSR;
+ }
+
+
+ if (has_default_user_obj_write(parent)) {
+ /* Add user write. */
+ path_mode |= S_IWUSR;
+ }
+ else {
+ /* Remove user write. */
+ path_mode &= ~S_IWUSR;
+ }
+
+
+ /* We don't want to set the execute bit on via the ACL unless it
+ was on originally. */
+ if (!has_default_user_obj_execute(parent)) {
+ /* Remove user execute. */
+ path_mode &= ~S_IXUSR;
+ }
+ }
+
+
+ /* Do the same thing with the other perms/ACL. */
+ if (has_default_other_acl(parent)) {
+
+ if (has_default_other_read(parent)) {
+ path_mode |= S_IROTH;
+ }
+ else {
+ path_mode &= ~S_IROTH;
+ }
+
+
+ if (has_default_other_write(parent)) {
+ path_mode |= S_IWOTH;
+ }
+ else {
+ path_mode &= ~S_IWOTH;
+ }
+
+
+ /* We don't want to set the execute bit on via the ACL unless it
+ was on originally. */
+ if (!has_default_other_execute(parent)) {
+ path_mode &= ~S_IXOTH;
+ }
+ }
+
+ int chmod_result = chmod(path, path_mode);
+ if (chmod_result == 0) {
+ return 1;
+ }
+ else {
+ return 0;
+ }
+}
+
+