diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 02dc26644..0c3361fcf 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,3 +1,11 @@
+2008-10-13  Corinna Vinschen  <corinna@vinschen.de>
+
+	* sec_acl.cc (setacl): Align standard owner and group permissions
+	with alloc_sd.  Strip FILE_READ_ATTRIBUTES fromn setting
+	FILE_GENERIC_EXECUTE permissions same as in alloc_sd.
+	* security.cc (alloc_sd): Reformat expression.  Strip EA permission
+	bits from owner_deny and group_deny computation.
+
 2008-10-09  Corinna Vinschen  <corinna@vinschen.de>
 
 	* fhandler_disk_file.cc (fhandler_base::fstat_helper): Check
diff --git a/winsup/cygwin/sec_acl.cc b/winsup/cygwin/sec_acl.cc
index efee4e6e8..2496ce0e5 100644
--- a/winsup/cygwin/sec_acl.cc
+++ b/winsup/cygwin/sec_acl.cc
@@ -104,18 +104,21 @@ setacl (HANDLE handle, path_conv &pc, int nentries, __aclent32_t *aclbufp,
       DWORD allow;
       /* Owner has more standard rights set. */
       if ((aclbufp[i].a_type & ~ACL_DEFAULT) == USER_OBJ)
-	allow = STANDARD_RIGHTS_ALL | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA;
+	allow = STANDARD_RIGHTS_ALL
+		| (pc.fs_is_samba ()
+		   ? 0 : (FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES));
       else
-	allow = STANDARD_RIGHTS_READ | FILE_READ_ATTRIBUTES | FILE_READ_EA;
+	allow = STANDARD_RIGHTS_READ
+		| (pc.fs_is_samba () ? 0 : FILE_READ_ATTRIBUTES);
       if (aclbufp[i].a_perm & S_IROTH)
 	allow |= FILE_GENERIC_READ;
       if (aclbufp[i].a_perm & S_IWOTH)
 	{
-	  allow |= STANDARD_RIGHTS_WRITE | FILE_GENERIC_WRITE;
+	  allow |= FILE_GENERIC_WRITE;
 	  writable = true;
 	}
       if (aclbufp[i].a_perm & S_IXOTH)
-	allow |= FILE_GENERIC_EXECUTE;
+	allow |= FILE_GENERIC_EXECUTE & ~FILE_READ_ATTRIBUTES;
       if ((aclbufp[i].a_perm & (S_IWOTH | S_IXOTH)) == (S_IWOTH | S_IXOTH))
 	allow |= FILE_DELETE_CHILD;
       /* Set inherit property. */
diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc
index 58c740e21..66dc93c98 100644
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@@ -479,8 +479,8 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute,
     owner_allow |= FILE_DELETE_CHILD;
 
   /* Construct allow attribute for group. */
-  DWORD group_allow = STANDARD_RIGHTS_READ |
-		      (pc.fs_is_samba () ? 0 : FILE_READ_ATTRIBUTES);
+  DWORD group_allow = STANDARD_RIGHTS_READ
+		      | (pc.fs_is_samba () ? 0 : FILE_READ_ATTRIBUTES);
   if (attribute & S_IRGRP)
     group_allow |= FILE_GENERIC_READ;
   if (attribute & S_IWGRP)
@@ -526,12 +526,10 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute,
 
   DWORD owner_deny = ~owner_allow & (group_allow | other_allow);
   owner_deny &= ~(STANDARD_RIGHTS_READ
-		  | FILE_READ_ATTRIBUTES | FILE_READ_EA
-		  | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA);
+		  | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES);
 
   DWORD group_deny = ~group_allow & other_allow;
-  group_deny &= ~(STANDARD_RIGHTS_READ
-		  | FILE_READ_ATTRIBUTES | FILE_READ_EA);
+  group_deny &= ~(STANDARD_RIGHTS_READ | FILE_READ_ATTRIBUTES);
 
   /* Set deny ACE for owner. */
   if (owner_deny