Fixed processing umask when Posix ACLs are compiled in but not enabled

When Posix ACLs are used, the umask is ignored and the initial permissions
of created files are taken for the parent directory. However the umask
should still be used when the Posix ACLs are not enabled in the mount
options.

include/ntfs-3g/acls.h

@@ -170,6 +170,9 @@ int ntfs_merge_mode_posix(struct POSIX_SECURITY *pxdesc, mode_t mode);
 struct POSIX_SECURITY *ntfs_build_inherited_posix(
 		const struct POSIX_SECURITY *pxdesc, mode_t mode,
 		mode_t umask, BOOL isdir);
+struct POSIX_SECURITY *ntfs_build_basic_posix(
+		const struct POSIX_SECURITY *pxdesc, mode_t mode,
+		mode_t umask, BOOL isdir);
 struct POSIX_SECURITY *ntfs_replace_acl(const struct POSIX_SECURITY *oldpxdesc,
 		const struct POSIX_ACL *newacl, int count, BOOL deflt);
 struct POSIX_SECURITY *ntfs_build_permissions_posix(

libntfs-3g/acls.c

@@ -1303,6 +1303,45 @@ struct POSIX_SECURITY *ntfs_replace_acl(const struct POSIX_SECURITY *oldpxdesc,
 	return (newpxdesc);
 }
 
+struct POSIX_SECURITY *ntfs_build_basic_posix(
+		const struct POSIX_SECURITY *pxdesc __attribute__((unused)),
+		mode_t mode, mode_t mask, BOOL isdir __attribute__((unused)))
+{
+	struct POSIX_SECURITY *pydesc;
+	struct POSIX_ACE *pyace;
+
+	pydesc = (struct POSIX_SECURITY*)malloc(
+		sizeof(struct POSIX_SECURITY) + 3*sizeof(struct POSIX_ACE));
+	if (pydesc) {
+			/*
+			 * Copy inherited tags and adapt perms
+			 * Use requested mode, ignoring umask
+			 * (not possible with older versions of fuse)
+			 */
+		pyace = &pydesc->acl.ace[0];
+		pyace->tag = POSIX_ACL_USER_OBJ;
+		pyace->perms = ((mode & ~mask) >> 6) & 7;
+		pyace->id = -1;
+		pyace = &pydesc->acl.ace[1];
+		pyace->tag = POSIX_ACL_GROUP_OBJ;
+		pyace->perms = ((mode & ~mask) >> 3) & 7;
+		pyace->id = -1;
+		pyace = &pydesc->acl.ace[2];
+		pyace->tag = POSIX_ACL_OTHER;
+		pyace->perms = (mode & ~mask) & 7;
+		pyace->id = -1;
+		pydesc->mode = mode;
+		pydesc->tagsset = POSIX_ACL_USER_OBJ
+				| POSIX_ACL_GROUP_OBJ
+				| POSIX_ACL_OTHER;
+		pydesc->acccnt = 3;
+		pydesc->defcnt = 0;
+		pydesc->firstdef = 6;
+	} else
+		errno = ENOMEM;
+	return (pydesc);
+}
+
 /*
  *		Build an inherited Posix descriptor from parent
  *	descriptor (if any) restricted to creation mode

libntfs-3g/security.c

@@ -2503,8 +2503,12 @@ static struct POSIX_SECURITY *inherit_posix(struct SECURITY_CONTEXT *scx,
 		gid = cached->gid;
 		pxdesc = cached->pxdesc;
 		if (pxdesc) {
-			pydesc = ntfs_build_inherited_posix(pxdesc,mode,
-					scx->umask,isdir);
+			if (scx->vol->secure_flags & (1 << SECURITY_ACL))
+				pydesc = ntfs_build_inherited_posix(pxdesc,
+					mode, scx->umask, isdir);
+			else
+				pydesc = ntfs_build_basic_posix(pxdesc,
+					mode, scx->umask, isdir);
 		}
 	} else {
 		securattr = getsecurityattr(scx->vol, dir_ni);
@@ -2548,8 +2552,15 @@ static struct POSIX_SECURITY *inherit_posix(struct SECURITY_CONTEXT *scx,
 					enter_cache(scx, dir_ni, uid,
 							gid, pxdesc);
 				}
-				pydesc = ntfs_build_inherited_posix(pxdesc,
-					mode, scx->umask, isdir);
+				if (scx->vol->secure_flags
+							& (1 << SECURITY_ACL))
+					pydesc = ntfs_build_inherited_posix(
+						pxdesc, mode,
+						scx->umask, isdir);
+				else
+					pydesc = ntfs_build_basic_posix(
+						pxdesc, mode,
+						scx->umask, isdir);
 				free(pxdesc);
 			}
 			free(securattr);

src/lowntfs-3g.c

@@ -2698,6 +2698,7 @@ static ntfs_inode *ntfs_check_access_xattr(fuse_req_t req,
 	if (((!ntfs_fuse_fill_security_context(req, security)
 		|| (ctx->secure_flags
 		    & ((1 << SECURITY_DEFAULT) | (1 << SECURITY_RAW))))
+		|| !(ctx->secure_flags & (1 << SECURITY_ACL))
 		|| (setting && ctx->inherit))
 	    && foracl) {
 		if (ctx->silent)

src/ntfs-3g.c

@@ -2536,6 +2536,7 @@ static ntfs_inode *ntfs_check_access_xattr(struct SECURITY_CONTEXT *security,
 		if (((!ntfs_fuse_fill_security_context(security)
 			|| (ctx->secure_flags
 			    & ((1 << SECURITY_DEFAULT) | (1 << SECURITY_RAW))))
+			|| !(ctx->secure_flags & (1 << SECURITY_ACL))
 			|| (setting && ctx->inherit))
 		    && foracl) {
 			if (ctx->silent)