Fix bug brought up by Ken Cross that empty ACE's cause existing ACE's to

be applied to new ACE set calls. This is incorrect. Don't think this
has a bugzilla id.
Jeremy.
(This used to be commit 6a4502b03b)

source3/smbd/posix_acls.c

@@ -605,14 +605,6 @@ static BOOL ensure_canon_entry_valid(canon_ace **pp_ace,
 	BOOL got_other = False;
 	canon_ace *pace_other = NULL;
 	canon_ace *pace_group = NULL;
-	connection_struct *conn = fsp->conn;
-	SMB_ACL_T current_posix_acl = NULL;
-	mode_t current_user_perms = 0;
-	mode_t current_grp_perms = 0;
-	mode_t current_other_perms = 0;
-	BOOL got_current_user = False;
-	BOOL got_current_grp = False;
-	BOOL got_current_other = False;
 
 	for (pace = *pp_ace; pace; pace = pace->next) {
 		if (pace->type == SMB_ACL_USER_OBJ) {
@@ -715,9 +707,6 @@ static BOOL ensure_canon_entry_valid(canon_ace **pp_ace,
 		pace->attr = ALLOW_ACE;
 
 		if (setting_acl) {
-			if (got_current_user) {
-				pace->perms = current_user_perms;
-			} else {
 			/* If we only got an "everyone" perm, just use that. */
 			if (!got_grp && got_other)
 				pace->perms = pace_other->perms;
@@ -726,8 +715,6 @@ static BOOL ensure_canon_entry_valid(canon_ace **pp_ace,
 			else
 				pace->perms = 0;
 
-			}
-
 			apply_default_perms(fsp, pace, S_IRUSR);
 		} else {
 			pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRUSR, S_IWUSR, S_IXUSR);
@@ -749,15 +736,11 @@ static BOOL ensure_canon_entry_valid(canon_ace **pp_ace,
 		pace->trustee = *pfile_grp_sid;
 		pace->attr = ALLOW_ACE;
 		if (setting_acl) {
-			if (got_current_grp) {
-				pace->perms = current_grp_perms;
-			} else {
 			/* If we only got an "everyone" perm, just use that. */
 			if (got_other)
 				pace->perms = pace_other->perms;
 			else
-					pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRGRP, S_IWGRP, S_IXGRP);
+				pace->perms = 0;
-			}
 			apply_default_perms(fsp, pace, S_IRGRP);
 		} else {
 			pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRGRP, S_IWGRP, S_IXGRP);
@@ -779,9 +762,6 @@ static BOOL ensure_canon_entry_valid(canon_ace **pp_ace,
 		pace->trustee = global_sid_World;
 		pace->attr = ALLOW_ACE;
 		if (setting_acl) {
-			if (got_current_other)
-				pace->perms = current_other_perms;
-			else
 			pace->perms = 0;
 			apply_default_perms(fsp, pace, S_IROTH);
 		} else
@@ -2351,7 +2331,7 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
 		int nt_acl_type;
 		int i;
 
-		if (nt4_compatible_acls()) {
+		if (nt4_compatible_acls() && dir_ace) {
 			/*
 			 * NT 4 chokes if an ACL contains an INHERIT_ONLY entry
 			 * but no non-INHERIT_ONLY entry for one SID. So we only
@@ -2364,9 +2344,6 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
 			 * case will still fail under NT 4.
 			 */
 
-			if (!dir_ace)
-				goto simplify_file_ace_only;
-
 			ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL);
 			if (ace && !ace->perms) {
 				DLIST_REMOVE(dir_ace, ace);
@@ -2413,20 +2390,6 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
 				DLIST_REMOVE(dir_ace, ace);
 				SAFE_FREE(ace);
 			}
-
- simplify_file_ace_only:
-
-			ace = canon_ace_entry_for(file_ace, SMB_ACL_OTHER, NULL);
-			if (ace && !ace->perms) {
-				DLIST_REMOVE(file_ace, ace);
-				SAFE_FREE(ace);
-			}
-
-			ace = canon_ace_entry_for(file_ace, SMB_ACL_GROUP_OBJ, NULL);
-			if (ace && !ace->perms) {
-				DLIST_REMOVE(file_ace, ace);
-				SAFE_FREE(ace);
-			}
 		}
 
 		num_acls = count_canon_ace_list(file_ace);