1 files changed, 8 insertions, 11 deletions

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 0be7bec47f..5c9c4b89d4 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1409,32 +1409,29 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
 		pace->unix_ug.uid = pst->st_ex_uid;
 		pace->trustee = *pfile_owner_sid;
 		pace->attr = ALLOW_ACE;
-		/* Start with existing permissions, principle of least
-		   surprises for the user. */
-		pace->perms = pst->st_ex_mode;
 
 		if (setting_acl) {
 			/* See if the owning user is in any of the other groups in
-			   the ACE, or if there's a matching user entry.
-			   If so, OR in the permissions from that entry. */
+			   the ACE. If so, OR in the permissions from that group. */
 
+			bool group_matched = False;
 			canon_ace *pace_iter;
 
 			for (pace_iter = *pp_ace; pace_iter; pace_iter = pace_iter->next) {
-				if (pace_iter->type == SMB_ACL_USER &&
-						pace_iter->unix_ug.uid == pace->unix_ug.uid) {
-					pace->perms |= pace_iter->perms;
-				} else if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
+				if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
 					if (uid_entry_in_group(conn, pace, pace_iter)) {
 						pace->perms |= pace_iter->perms;
+						group_matched = True;
 					}
 				}
 			}
 
-			if (pace->perms == 0) {
-				/* If we only got an "everyone" perm, just use that. */
+			/* If we only got an "everyone" perm, just use that. */
+			if (!group_matched) {
 				if (got_other)
 					pace->perms = pace_other->perms;
+				else
+					pace->perms = 0;
 			}
 
 			apply_default_perms(params, is_directory, pace, S_IRUSR);