Diffstat (limited to 'winsup/cygwin/security.cc')
-rw-r--r--winsup/cygwin/security.cc21
1 files changed, 13 insertions, 8 deletions
diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc
index 929e8a32e..9c94c7053 100644
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@@ -777,14 +777,19 @@ alloc_sd (path_conv &pc, uid_t uid, gid_t gid, int attribute,
ace->Header.AceFlags &= ~INHERITED_ACE;
}
else if (uid == ILLEGAL_UID && gid == ILLEGAL_UID
- && ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
- /* FIXME: Temporary workaround for the problem that chmod does
- not affect the group permissions if other users and groups
- in the ACL have more permissions than the primary group due
- to the CLASS_OBJ emulation. The temporary workaround is to
- disallow any secondary ACE in the ACL more permissions than
- the primary group when writing a new ACL via chmod. */
- ace->Mask &= group_allow;
+ && ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE
+ && ace_sid != well_known_creator_group_sid
+ && ace_sid != well_known_creator_owner_sid
+ && ace_sid != well_known_world_sid)
+ {
+ /* FIXME: Temporary workaround for the problem that chmod does
+ not affect the group permissions if other users and groups
+ in the ACL have more permissions than the primary group due
+ to the CLASS_OBJ emulation. The temporary workaround is to
+ disallow any secondary ACE in the ACL more permissions than
+ the primary group when writing a new ACL via chmod. */
+ ace->Mask &= group_allow;
+ }
/* Add unrelated ACCESS_DENIED_ACE to the beginning but behind
the owner_deny, ACCESS_ALLOWED_ACE to the end. FIXME: this
would break the order of the inherit-only ACEs. */
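Review bot: The FIXME comment inside the new braces still describes only the masking and does not say why ACEs for `well_known_creator_group_sid`, `well_known_creator_owner_sid` and `well_known_world_sid` are now exempt from `ace->Mask &= group_allow`. The world exemption is the one that affects access control, because an existing ACCESS_ALLOWED ACE for that SID now passes through this branch with its mask untouched. Unless alloc_sd rebuilds or drops that ACE from the mode's "other" bits elsewhere, chmod could leave it with more rights than the primary group; the function body extends beyond this hunk, so that should be confirmed. I would extend the comment with one sentence such as `Creator owner, creator group and world ACEs are exempt; their masks are set in <place to be named by the author>.` so the next reader does not take the exemption for an oversight.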