diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index afe851f59..34111d538 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,3 +1,9 @@
+2014-09-03  Corinna Vinschen  <corinna@vinschen.de>
+
+	* sec_acl.cc (aclcheck32): Check for required default entries as well.
+	Enable check for missing CLASS_OBJ entries, now that setfacl creates
+	them.
+
 2014-09-02  Corinna Vinschen  <corinna@vinschen.de>
 
 	* sec_acl.cc (aclsort32): Set errno to EINVAL if aclcheck32 failed.
diff --git a/winsup/cygwin/sec_acl.cc b/winsup/cygwin/sec_acl.cc
index fab77c99a..51f1c9964 100644
--- a/winsup/cygwin/sec_acl.cc
+++ b/winsup/cygwin/sec_acl.cc
@@ -628,6 +628,7 @@ aclcheck32 (aclent_t *aclbufp, int nentries, int *which)
   bool has_other_obj = false;
   bool has_class_obj = false;
   bool has_ug_objs __attribute__ ((unused)) = false;
+  bool has_def_objs __attribute__ ((unused)) = false;
   bool has_def_user_obj __attribute__ ((unused)) = false;
   bool has_def_group_obj = false;
   bool has_def_other_obj = false;
@@ -692,7 +693,7 @@ aclcheck32 (aclent_t *aclbufp, int nentries, int *which)
 	      *which = pos;
 	    return USER_ERROR;
 	  }
-	has_def_user_obj = true;
+	has_def_objs = has_def_user_obj = true;
 	break;
       case DEF_GROUP_OBJ:
 	if (has_def_group_obj)
@@ -701,7 +702,7 @@ aclcheck32 (aclent_t *aclbufp, int nentries, int *which)
 	      *which = pos;
 	    return GRP_ERROR;
 	  }
-	has_def_group_obj = true;
+	has_def_objs = has_def_group_obj = true;
 	break;
       case DEF_OTHER_OBJ:
 	if (has_def_other_obj)
@@ -710,7 +711,7 @@ aclcheck32 (aclent_t *aclbufp, int nentries, int *which)
 	      *which = pos;
 	    return OTHER_ERROR;
 	  }
-	has_def_other_obj = true;
+	has_def_objs = has_def_other_obj = true;
 	break;
       case DEF_CLASS_OBJ:
 	if (has_def_class_obj)
@@ -719,7 +720,7 @@ aclcheck32 (aclent_t *aclbufp, int nentries, int *which)
 	      *which = pos;
 	    return CLASS_ERROR;
 	  }
-	has_def_class_obj = true;
+	has_def_objs = has_def_class_obj = true;
 	break;
       case DEF_USER:
       case DEF_GROUP:
@@ -730,7 +731,7 @@ aclcheck32 (aclent_t *aclbufp, int nentries, int *which)
 	      *which = pos2;
 	    return DUPLICATE_ERROR;
 	  }
-	has_def_ug_objs = true;
+	has_def_objs = has_def_ug_objs = true;
 	break;
       default:
 	return ENTRY_ERROR;
@@ -738,11 +739,10 @@ aclcheck32 (aclent_t *aclbufp, int nentries, int *which)
   if (!has_user_obj
       || !has_group_obj
       || !has_other_obj
-#if 0
-      /* These checks are not ok yet since CLASS_OBJ isn't fully implemented. */
+      || (has_def_objs
+	  && (!has_def_user_obj || !has_def_group_obj || !has_def_other_obj))
       || (has_ug_objs && !has_class_obj)
       || (has_def_ug_objs && !has_def_class_obj)
-#endif
      )
     {
       if (which)