acls.diff   [plain text]


To use this patch, run these commands for a successful build:

    patch -p1 <patches/acls.diff
    ./prepare-source
    ./configure --enable-acl-support
    make

See the --acls (-A) option in the revised man page for a note on using this
latest ACL-enabling patch to send files to an older ACL-enabled rsync.

--- old/Makefile.in
+++ new/Makefile.in
@@ -26,15 +26,15 @@ VERSION=@VERSION@
 .SUFFIXES:
 .SUFFIXES: .c .o
 
-HEADERS=byteorder.h config.h errcode.h proto.h rsync.h lib/pool_alloc.h
+HEADERS=byteorder.h config.h errcode.h proto.h rsync.h smb_acls.h lib/pool_alloc.h
 LIBOBJ=lib/wildmatch.o lib/compat.o lib/snprintf.o lib/mdfour.o \
-	lib/permstring.o lib/pool_alloc.o @LIBOBJS@
+	lib/permstring.o lib/pool_alloc.o lib/sysacls.o @LIBOBJS@
 ZLIBOBJ=zlib/deflate.o zlib/inffast.o zlib/inflate.o zlib/inftrees.o \
 	zlib/trees.o zlib/zutil.o zlib/adler32.o zlib/compress.o zlib/crc32.o
 OBJS1=rsync.o generator.o receiver.o cleanup.o sender.o exclude.o util.o \
 	main.o checksum.o match.o syscall.o log.o backup.o
 OBJS2=options.o flist.o io.o compat.o hlink.o token.o uidlist.o socket.o \
-	fileio.o batch.o clientname.o chmod.o
+	fileio.o batch.o clientname.o chmod.o acls.o
 OBJS3=progress.o pipe.o
 DAEMON_OBJ = params.o loadparm.o clientserver.o access.o connection.o authenticate.o
 popt_OBJS=popt/findme.o  popt/popt.o  popt/poptconfig.o \
--- old/acls.c
+++ new/acls.c
@@ -0,0 +1,1098 @@
+/*
+ * Handle passing Access Control Lists between systems.
+ *
+ * Copyright (C) 1996 Andrew Tridgell
+ * Copyright (C) 1996 Paul Mackerras
+ * Copyright (C) 2006 Wayne Davison
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+
+#include "rsync.h"
+#include "lib/sysacls.h"
+
+#ifdef SUPPORT_ACLS
+
+extern int dry_run;
+extern int read_only;
+extern int list_only;
+extern int orig_umask;
+extern int preserve_acls;
+extern unsigned int file_struct_len;
+
+/* === ACL structures === */
+
+typedef struct {
+	id_t id;
+	uchar access;
+} id_access;
+
+typedef struct {
+	id_access *idas;
+	int count;
+} ida_entries;
+
+#define NO_ENTRY ((uchar)0x80)
+typedef struct rsync_acl {
+	ida_entries users;
+	ida_entries groups;
+	/* These will be NO_ENTRY if there's no such entry. */
+	uchar user_obj;
+	uchar group_obj;
+	uchar mask;
+	uchar other;
+} rsync_acl;
+
+typedef struct {
+	rsync_acl racl;
+	SMB_ACL_T sacl;
+} acl_duo;
+
+static const rsync_acl empty_rsync_acl = {
+	{NULL, 0}, {NULL, 0}, NO_ENTRY, NO_ENTRY, NO_ENTRY, NO_ENTRY
+};
+
+static item_list access_acl_list = EMPTY_ITEM_LIST;
+static item_list default_acl_list = EMPTY_ITEM_LIST;
+
+/* === Calculations on ACL types === */
+
+static const char *str_acl_type(SMB_ACL_TYPE_T type)
+{
+	return type == SMB_ACL_TYPE_ACCESS ? "SMB_ACL_TYPE_ACCESS"
+	     : type == SMB_ACL_TYPE_DEFAULT ? "SMB_ACL_TYPE_DEFAULT"
+	     : "unknown SMB_ACL_TYPE_T";
+}
+
+#define OTHER_TYPE(t) (SMB_ACL_TYPE_ACCESS+SMB_ACL_TYPE_DEFAULT-(t))
+#define BUMP_TYPE(t) ((t = OTHER_TYPE(t)) == SMB_ACL_TYPE_DEFAULT)
+
+static int count_racl_entries(const rsync_acl *racl)
+{
+	return racl->users.count + racl->groups.count
+	     + (racl->user_obj != NO_ENTRY)
+	     + (racl->group_obj != NO_ENTRY)
+	     + (racl->mask != NO_ENTRY)
+	     + (racl->other != NO_ENTRY);
+}
+
+static int calc_sacl_entries(const rsync_acl *racl)
+{
+	/* A System ACL always gets user/group/other permission entries. */
+	return racl->users.count + racl->groups.count
+#ifdef ACLS_NEED_MASK
+	     + 4;
+#else
+	     + (racl->mask != NO_ENTRY) + 3;
+#endif
+}
+
+/* Extracts and returns the permission bits from the ACL.  This cannot be
+ * called on an rsync_acl that has NO_ENTRY in any spot but the mask. */
+static int rsync_acl_get_perms(const rsync_acl *racl)
+{
+	return (racl->user_obj << 6)
+	     + ((racl->mask != NO_ENTRY ? racl->mask : racl->group_obj) << 3)
+	     + racl->other;
+}
+
+/* Removes the permission-bit entries from the ACL because these
+ * can be reconstructed from the file's mode. */
+static void rsync_acl_strip_perms(rsync_acl *racl)
+{
+	racl->user_obj = NO_ENTRY;
+	if (racl->mask == NO_ENTRY)
+		racl->group_obj = NO_ENTRY;
+	else {
+		if (racl->group_obj == racl->mask)
+			racl->group_obj = NO_ENTRY;
+		racl->mask = NO_ENTRY;
+	}
+	racl->other = NO_ENTRY;
+}
+
+/* Given an empty rsync_acl, fake up the permission bits. */
+static void rsync_acl_fake_perms(rsync_acl *racl, mode_t mode)
+{
+	racl->user_obj = (mode >> 6) & 7;
+	racl->group_obj = (mode >> 3) & 7;
+	racl->other = mode & 7;
+}
+
+/* === Rsync ACL functions === */
+
+static BOOL ida_entries_equal(const ida_entries *ial1, const ida_entries *ial2)
+{
+	id_access *ida1, *ida2;
+	int count = ial1->count;
+	if (count != ial2->count)
+		return False;
+	ida1 = ial1->idas;
+	ida2 = ial2->idas;
+	for (; count--; ida1++, ida2++) {
+		if (ida1->access != ida2->access || ida1->id != ida2->id)
+			return False;
+	}
+	return True;
+}
+
+static BOOL rsync_acl_equal(const rsync_acl *racl1, const rsync_acl *racl2)
+{
+	return racl1->user_obj == racl2->user_obj
+	    && racl1->group_obj == racl2->group_obj
+	    && racl1->mask == racl2->mask
+	    && racl1->other == racl2->other
+	    && ida_entries_equal(&racl1->users, &racl2->users)
+	    && ida_entries_equal(&racl1->groups, &racl2->groups);
+}
+
+/* Are the extended (non-permission-bit) entries equal?  If so, the rest of
+ * the ACL will be handled by the normal mode-preservation code.  This is
+ * only meaningful for access ACLs!  Note: the 1st arg is a fully-populated
+ * rsync_acl, but the 2nd parameter can be a condensed rsync_acl, which means
+ * that it might have several of its permission objects set to NO_ENTRY. */
+static BOOL rsync_acl_equal_enough(const rsync_acl *racl1,
+				   const rsync_acl *racl2, mode_t m)
+{
+	if ((racl1->mask ^ racl2->mask) & NO_ENTRY)
+		return False; /* One has a mask and the other doesn't */
+
+	/* When there's a mask, the group_obj becomes an extended entry. */
+	if (racl1->mask != NO_ENTRY) {
+		/* A condensed rsync_acl with a mask can only have no
+		 * group_obj when it was identical to the mask.  This
+		 * means that it was also identical to the group attrs
+		 * from the mode. */
+		if (racl2->group_obj == NO_ENTRY) {
+			if (racl1->group_obj != ((m >> 3) & 7))
+				return False;
+		} else if (racl1->group_obj != racl2->group_obj)
+			return False;
+	}
+	return ida_entries_equal(&racl1->users, &racl2->users)
+	    && ida_entries_equal(&racl1->groups, &racl2->groups);
+}
+
+static void rsync_acl_free(rsync_acl *racl)
+{
+	if (racl->users.idas)
+		free(racl->users.idas);
+	if (racl->groups.idas)
+		free(racl->groups.idas);
+	*racl = empty_rsync_acl;
+}
+
+void free_acl(statx *sxp)
+{
+	if (sxp->acc_acl) {
+		rsync_acl_free(sxp->acc_acl);
+		free(sxp->acc_acl);
+		sxp->acc_acl = NULL;
+	}
+	if (sxp->def_acl) {
+		rsync_acl_free(sxp->def_acl);
+		free(sxp->def_acl);
+		sxp->def_acl = NULL;
+	}
+}
+
+static int id_access_sorter(const void *r1, const void *r2)
+{
+	id_access *ida1 = (id_access *)r1;
+	id_access *ida2 = (id_access *)r2;
+	id_t rid1 = ida1->id, rid2 = ida2->id;
+	return rid1 == rid2 ? 0 : rid1 < rid2 ? -1 : 1;
+}
+
+static void sort_ida_entries(ida_entries *idal)
+{
+	if (!idal->count)
+		return;
+	qsort(idal->idas, idal->count, sizeof idal->idas[0], id_access_sorter);
+}
+
+/* Transfer the count id_access items out of the temp_ida_list into either
+ * the users or groups ida_entries list in racl. */
+static void save_idas(item_list *temp_ida_list, rsync_acl *racl, SMB_ACL_TAG_T type)
+{
+	id_access *idas;
+	ida_entries *ent;
+
+	if (temp_ida_list->count) {
+		int cnt = temp_ida_list->count;
+		id_access *temp_idas = temp_ida_list->items;
+		if (!(idas = new_array(id_access, cnt)))
+			out_of_memory("save_idas");
+		memcpy(idas, temp_idas, cnt * sizeof *temp_idas);
+	} else
+		idas = NULL;
+
+	ent = type == SMB_ACL_USER ? &racl->users : &racl->groups;
+
+	if (ent->count) {
+		rprintf(FERROR, "save_idas: disjoint list found for type %d\n", type);
+		exit_cleanup(RERR_UNSUPPORTED);
+	}
+	ent->count = temp_ida_list->count;
+	ent->idas = idas;
+
+	/* Truncate the temporary list now that its idas have been saved. */
+	temp_ida_list->count = 0;
+}
+
+/* === System ACLs === */
+
+/* Unpack system ACL -> rsync ACL verbatim.  Return whether we succeeded. */
+static BOOL unpack_smb_acl(rsync_acl *racl, SMB_ACL_T sacl)
+{
+	static item_list temp_ida_list = EMPTY_ITEM_LIST;
+	SMB_ACL_TAG_T prior_list_type = 0;
+	SMB_ACL_ENTRY_T entry;
+	const char *errfun;
+	int rc;
+
+	errfun = "sys_acl_get_entry";
+	for (rc = sys_acl_get_entry(sacl, SMB_ACL_FIRST_ENTRY, &entry);
+	     rc == 1;
+	     rc = sys_acl_get_entry(sacl, SMB_ACL_NEXT_ENTRY, &entry)) {
+		SMB_ACL_TAG_T tag_type;
+		SMB_ACL_PERMSET_T permset;
+		uchar access;
+		void *qualifier;
+		id_access *ida;
+		if ((rc = sys_acl_get_tag_type(entry, &tag_type))) {
+			errfun = "sys_acl_get_tag_type";
+			break;
+		}
+		if ((rc = sys_acl_get_permset(entry, &permset))) {
+			errfun = "sys_acl_get_tag_type";
+			break;
+		}
+		access = (sys_acl_get_perm(permset, SMB_ACL_READ) ? 4 : 0)
+		       | (sys_acl_get_perm(permset, SMB_ACL_WRITE) ? 2 : 0)
+		       | (sys_acl_get_perm(permset, SMB_ACL_EXECUTE) ? 1 : 0);
+		/* continue == done with entry; break == store in temporary ida list */
+		switch (tag_type) {
+		case SMB_ACL_USER_OBJ:
+			if (racl->user_obj == NO_ENTRY)
+				racl->user_obj = access;
+			else
+				rprintf(FINFO, "unpack_smb_acl: warning: duplicate USER_OBJ entry ignored\n");
+			continue;
+		case SMB_ACL_USER:
+			break;
+		case SMB_ACL_GROUP_OBJ:
+			if (racl->group_obj == NO_ENTRY)
+				racl->group_obj = access;
+			else
+				rprintf(FINFO, "unpack_smb_acl: warning: duplicate GROUP_OBJ entry ignored\n");
+			continue;
+		case SMB_ACL_GROUP:
+			break;
+		case SMB_ACL_MASK:
+			if (racl->mask == NO_ENTRY)
+				racl->mask = access;
+			else
+				rprintf(FINFO, "unpack_smb_acl: warning: duplicate MASK entry ignored\n");
+			continue;
+		case SMB_ACL_OTHER:
+			if (racl->other == NO_ENTRY)
+				racl->other = access;
+			else
+				rprintf(FINFO, "unpack_smb_acl: warning: duplicate OTHER entry ignored\n");
+			continue;
+		default:
+			rprintf(FINFO, "unpack_smb_acl: warning: entry with unrecognized tag type ignored\n");
+			continue;
+		}
+		if (!(qualifier = sys_acl_get_qualifier(entry))) {
+			errfun = "sys_acl_get_tag_type";
+			rc = EINVAL;
+			break;
+		}
+		if (tag_type != prior_list_type) {
+			if (prior_list_type)
+				save_idas(&temp_ida_list, racl, prior_list_type);
+			prior_list_type = tag_type;
+		}
+		ida = EXPAND_ITEM_LIST(&temp_ida_list, id_access, -10);
+		ida->id = *((id_t *)qualifier);
+		ida->access = access;
+		sys_acl_free_qualifier(qualifier, tag_type);
+	}
+	if (rc) {
+		rsyserr(FERROR, errno, "unpack_smb_acl: %s()", errfun);
+		rsync_acl_free(racl);
+		return False;
+	}
+	if (prior_list_type)
+		save_idas(&temp_ida_list, racl, prior_list_type);
+
+	sort_ida_entries(&racl->users);
+	sort_ida_entries(&racl->groups);
+
+#ifdef ACLS_NEED_MASK
+	if (!racl->users.count && !racl->groups.count && racl->mask != NO_ENTRY) {
+		/* Throw away a superfluous mask, but mask off the
+		 * group perms with it first. */
+		racl->group_obj &= racl->mask;
+		racl->mask = NO_ENTRY;
+	}
+#endif
+
+	return True;
+}
+
+/* Synactic sugar for system calls */
+
+#define CALL_OR_ERROR(func,args,str) \
+	do { \
+		if (func args) { \
+			errfun = str; \
+			goto error_exit; \
+		} \
+	} while (0)
+
+#define COE(func,args) CALL_OR_ERROR(func,args,#func)
+#define COE2(func,args) CALL_OR_ERROR(func,args,NULL)
+
+/* Store the permissions in the system ACL entry. */
+static int store_access_in_entry(uchar access, SMB_ACL_ENTRY_T entry)
+{
+	const char *errfun = NULL;
+	SMB_ACL_PERMSET_T permset;
+
+	COE( sys_acl_get_permset,(entry, &permset) );
+	COE( sys_acl_clear_perms,(permset) );
+	if (access & 4)
+		COE( sys_acl_add_perm,(permset, SMB_ACL_READ) );
+	if (access & 2)
+		COE( sys_acl_add_perm,(permset, SMB_ACL_WRITE) );
+	if (access & 1)
+		COE( sys_acl_add_perm,(permset, SMB_ACL_EXECUTE) );
+	COE( sys_acl_set_permset,(entry, permset) );
+
+	return 0;
+
+  error_exit:
+	rsyserr(FERROR, errno, "store_access_in_entry %s()", errfun);
+	return -1;
+}
+
+/* Pack rsync ACL -> system ACL verbatim.  Return whether we succeeded. */
+static BOOL pack_smb_acl(SMB_ACL_T *smb_acl, const rsync_acl *racl)
+{
+#ifdef ACLS_NEED_MASK
+	uchar mask_bits;
+#endif
+	size_t count;
+	id_access *ida;
+	const char *errfun = NULL;
+	SMB_ACL_ENTRY_T entry;
+
+	if (!(*smb_acl = sys_acl_init(calc_sacl_entries(racl)))) {
+		rsyserr(FERROR, errno, "pack_smb_acl: sys_acl_init()");
+		return False;
+	}
+
+	COE( sys_acl_create_entry,(smb_acl, &entry) );
+	COE( sys_acl_set_tag_type,(entry, SMB_ACL_USER_OBJ) );
+	COE2( store_access_in_entry,(racl->user_obj & 7, entry) );
+
+	for (ida = racl->users.idas, count = racl->users.count; count--; ida++) {
+		COE( sys_acl_create_entry,(smb_acl, &entry) );
+		COE( sys_acl_set_tag_type,(entry, SMB_ACL_USER) );
+		COE( sys_acl_set_qualifier,(entry, (void*)&ida->id) );
+		COE2( store_access_in_entry,(ida->access, entry) );
+	}
+
+	COE( sys_acl_create_entry,(smb_acl, &entry) );
+	COE( sys_acl_set_tag_type,(entry, SMB_ACL_GROUP_OBJ) );
+	COE2( store_access_in_entry,(racl->group_obj & 7, entry) );
+
+	for (ida = racl->groups.idas, count = racl->groups.count; count--; ida++) {
+		COE( sys_acl_create_entry,(smb_acl, &entry) );
+		COE( sys_acl_set_tag_type,(entry, SMB_ACL_GROUP) );
+		COE( sys_acl_set_qualifier,(entry, (void*)&ida->id) );
+		COE2( store_access_in_entry,(ida->access, entry) );
+	}
+
+#ifdef ACLS_NEED_MASK
+	mask_bits = racl->mask == NO_ENTRY ? racl->group_obj & 7 : racl->mask;
+	COE( sys_acl_create_entry,(smb_acl, &entry) );
+	COE( sys_acl_set_tag_type,(entry, SMB_ACL_MASK) );
+	COE2( store_access_in_entry,(mask_bits, entry) );
+#else
+	if (racl->mask != NO_ENTRY) {
+		COE( sys_acl_create_entry,(smb_acl, &entry) );
+		COE( sys_acl_set_tag_type,(entry, SMB_ACL_MASK) );
+		COE2( store_access_in_entry,(racl->mask, entry) );
+	}
+#endif
+
+	COE( sys_acl_create_entry,(smb_acl, &entry) );
+	COE( sys_acl_set_tag_type,(entry, SMB_ACL_OTHER) );
+	COE2( store_access_in_entry,(racl->other & 7, entry) );
+
+#ifdef DEBUG
+	if (sys_acl_valid(*smb_acl) < 0)
+		rprintf(FERROR, "pack_smb_acl: warning: system says the ACL I packed is invalid\n");
+#endif
+
+	return True;
+
+  error_exit:
+	if (errfun) {
+		rsyserr(FERROR, errno, "pack_smb_acl %s()", errfun);
+	}
+	sys_acl_free_acl(*smb_acl);
+	return False;
+}
+
+static int find_matching_rsync_acl(SMB_ACL_TYPE_T type,
+				   const item_list *racl_list,
+				   const rsync_acl *racl)
+{
+	static int access_match = -1, default_match = -1;
+	int *match = type == SMB_ACL_TYPE_ACCESS ? &access_match : &default_match;
+	size_t count = racl_list->count;
+
+	/* If this is the first time through or we didn't match the last
+	 * time, then start at the end of the list, which should be the
+	 * best place to start hunting. */
+	if (*match == -1)
+		*match = racl_list->count - 1;
+	while (count--) {
+		rsync_acl *base = racl_list->items;
+		if (rsync_acl_equal(base + *match, racl))
+			return *match;
+		if (!(*match)--)
+			*match = racl_list->count - 1;
+	}
+
+	*match = -1;
+	return *match;
+}
+
+/* Return the Access Control List for the given filename. */
+int get_acl(const char *fname, statx *sxp)
+{
+	SMB_ACL_TYPE_T type;
+
+	if (S_ISLNK(sxp->st.st_mode))
+		return 0;
+
+	type = SMB_ACL_TYPE_ACCESS;
+	do {
+		SMB_ACL_T sacl = sys_acl_get_file(fname, type);
+		rsync_acl *racl = new(rsync_acl);
+
+		if (!racl)
+			out_of_memory("get_acl");
+		*racl = empty_rsync_acl;
+		if (type == SMB_ACL_TYPE_ACCESS)
+			sxp->acc_acl = racl;
+		else
+			sxp->def_acl = racl;
+
+		if (sacl) {
+			BOOL ok = unpack_smb_acl(racl, sacl);
+
+			sys_acl_free_acl(sacl);
+			if (!ok) {
+				free_acl(sxp);
+				return -1;
+			}
+		} else if (errno == ENOTSUP) {
+			/* ACLs are not supported, so pretend we have a basic ACL. */
+			if (type == SMB_ACL_TYPE_ACCESS)
+				rsync_acl_fake_perms(racl, sxp->st.st_mode);
+		} else {
+			rsyserr(FERROR, errno, "get_acl: sys_acl_get_file(%s, %s)",
+				fname, str_acl_type(type));
+			free_acl(sxp);
+			return -1;
+		}
+	} while (BUMP_TYPE(type) && S_ISDIR(sxp->st.st_mode));
+
+	return 0;
+}
+
+/* === Send functions === */
+
+/* The general strategy with the tag_type <-> character mapping is that
+ * lowercase implies that no qualifier follows, where uppercase does.
+ * A similar idiom for the ACL type (access or default) itself, but
+ * lowercase in this instance means there's no ACL following, so the
+ * ACL is a repeat, so the receiver should reuse the last of the same
+ * type ACL. */
+
+/* Send the ida list over the file descriptor. */
+static void send_ida_entries(int f, const ida_entries *idal, char tag_char)
+{
+	id_access *ida;
+	size_t count = idal->count;
+	for (ida = idal->idas; count--; ida++) {
+		write_byte(f, tag_char);
+		write_byte(f, ida->access);
+		write_int(f, ida->id);
+		/* FIXME: sorta wasteful: we should maybe buffer as
+		 * many ids as max(ACL_USER + ACL_GROUP) objects to
+		 * keep from making so many calls. */
+		if (tag_char == 'U')
+			add_uid(ida->id);
+		else
+			add_gid(ida->id);
+	}
+}
+
+/* Send an rsync ACL over the file descriptor. */
+static void send_rsync_acl(int f, const rsync_acl *racl)
+{
+	size_t count = count_racl_entries(racl);
+	write_int(f, count);
+	if (racl->user_obj != NO_ENTRY) {
+		write_byte(f, 'u');
+		write_byte(f, racl->user_obj);
+	}
+	send_ida_entries(f, &racl->users, 'U');
+	if (racl->group_obj != NO_ENTRY) {
+		write_byte(f, 'g');
+		write_byte(f, racl->group_obj);
+	}
+	send_ida_entries(f, &racl->groups, 'G');
+	if (racl->mask != NO_ENTRY) {
+		write_byte(f, 'm');
+		write_byte(f, racl->mask);
+	}
+	if (racl->other != NO_ENTRY) {
+		write_byte(f, 'o');
+		write_byte(f, racl->other);
+	}
+}
+
+/* Send the ACL from the statx structure down the indicated file descriptor.
+ * This also frees the ACL data. */
+void send_acl(statx *sxp, int f)
+{
+	SMB_ACL_TYPE_T type;
+	rsync_acl *racl, *new_racl;
+	item_list *racl_list;
+	int ndx;
+
+	if (S_ISLNK(sxp->st.st_mode))
+		return;
+
+	type = SMB_ACL_TYPE_ACCESS;
+	racl = sxp->acc_acl;
+	racl_list = &access_acl_list;
+	do {
+		if (!racl) {
+			racl = new(rsync_acl);
+			if (!racl)
+				out_of_memory("send_acl");
+			*racl = empty_rsync_acl;
+			if (type == SMB_ACL_TYPE_ACCESS) {
+				rsync_acl_fake_perms(racl, sxp->st.st_mode);
+				sxp->acc_acl = racl;
+			} else
+				sxp->def_acl = racl;
+		}
+
+		/* Avoid sending values that can be inferred from other data,
+		 * but only when preserve_acls == 1 (it is 2 when we must be
+		 * backward compatible with older acls.diff versions). */
+		if (type == SMB_ACL_TYPE_ACCESS && preserve_acls == 1)
+			rsync_acl_strip_perms(racl);
+		if ((ndx = find_matching_rsync_acl(type, racl_list, racl)) != -1) {
+			write_byte(f, type == SMB_ACL_TYPE_ACCESS ? 'a' : 'd');
+			write_int(f, ndx);
+		} else {
+			new_racl = EXPAND_ITEM_LIST(racl_list, rsync_acl, 1000);
+			write_byte(f, type == SMB_ACL_TYPE_ACCESS ? 'A' : 'D');
+			send_rsync_acl(f, racl);
+			*new_racl = *racl;
+			*racl = empty_rsync_acl;
+		}
+		racl = sxp->def_acl;
+		racl_list = &default_acl_list;
+	} while (BUMP_TYPE(type) && S_ISDIR(sxp->st.st_mode));
+
+	free_acl(sxp);
+}
+
+/* === Receive functions === */
+
+static void receive_rsync_acl(rsync_acl *racl, int f, SMB_ACL_TYPE_T type)
+{
+	static item_list temp_ida_list = EMPTY_ITEM_LIST;
+	SMB_ACL_TAG_T tag_type = 0, prior_list_type = 0;
+	uchar computed_mask_bits = 0;
+	id_access *ida;
+	size_t count;
+
+	if (!(count = read_int(f)))
+		return;
+
+	while (count--) {
+		char tag = read_byte(f);
+		uchar access = read_byte(f);
+		if (access & ~ (4 | 2 | 1)) {
+			rprintf(FERROR, "receive_rsync_acl: bogus permset %o\n",
+				access);
+			exit_cleanup(RERR_STREAMIO);
+		}
+		switch (tag) {
+		case 'u':
+			if (racl->user_obj != NO_ENTRY) {
+				rprintf(FERROR, "receive_rsync_acl: error: duplicate USER_OBJ entry\n");
+				exit_cleanup(RERR_STREAMIO);
+			}
+			racl->user_obj = access;
+			continue;
+		case 'U':
+			tag_type = SMB_ACL_USER;
+			break;
+		case 'g':
+			if (racl->group_obj != NO_ENTRY) {
+				rprintf(FERROR, "receive_rsync_acl: error: duplicate GROUP_OBJ entry\n");
+				exit_cleanup(RERR_STREAMIO);
+			}
+			racl->group_obj = access;
+			continue;
+		case 'G':
+			tag_type = SMB_ACL_GROUP;
+			break;
+		case 'm':
+			if (racl->mask != NO_ENTRY) {
+				rprintf(FERROR, "receive_rsync_acl: error: duplicate MASK entry\n");
+				exit_cleanup(RERR_STREAMIO);
+			}
+			racl->mask = access;
+			continue;
+		case 'o':
+			if (racl->other != NO_ENTRY) {
+				rprintf(FERROR, "receive_rsync_acl: error: duplicate OTHER entry\n");
+				exit_cleanup(RERR_STREAMIO);
+			}
+			racl->other = access;
+			continue;
+		default:
+			rprintf(FERROR, "receive_rsync_acl: unknown tag %c\n",
+				tag);
+			exit_cleanup(RERR_STREAMIO);
+		}
+		if (tag_type != prior_list_type) {
+			if (prior_list_type)
+				save_idas(&temp_ida_list, racl, prior_list_type);
+			prior_list_type = tag_type;
+		}
+		ida = EXPAND_ITEM_LIST(&temp_ida_list, id_access, -10);
+		ida->access = access;
+		ida->id = read_int(f);
+		computed_mask_bits |= access;
+	}
+	if (prior_list_type)
+		save_idas(&temp_ida_list, racl, prior_list_type);
+
+	if (type == SMB_ACL_TYPE_DEFAULT) {
+		/* Ensure that these are never unset. */
+		if (racl->user_obj == NO_ENTRY)
+			racl->user_obj = 7;
+		if (racl->group_obj == NO_ENTRY)
+			racl->group_obj = 0;
+		if (racl->other == NO_ENTRY)
+			racl->other = 0;
+	}
+
+	if (!racl->users.count && !racl->groups.count) {
+		/* If we received a superfluous mask, throw it away. */
+		if (racl->mask != NO_ENTRY) {
+			/* Mask off the group perms with it first. */
+			racl->group_obj &= racl->mask | NO_ENTRY;
+			racl->mask = NO_ENTRY;
+		}
+	} else if (racl->mask == NO_ENTRY) /* Must be non-empty with lists. */
+		racl->mask = computed_mask_bits | (racl->group_obj & 7);
+}
+
+/* Receive the ACL info the sender has included for this file-list entry. */
+void receive_acl(struct file_struct *file, int f)
+{
+	SMB_ACL_TYPE_T type;
+	item_list *racl_list;
+	char *ndx_ptr;
+
+	if (S_ISLNK(file->mode))
+		return;
+
+	type = SMB_ACL_TYPE_ACCESS;
+	racl_list = &access_acl_list;
+	ndx_ptr = (char*)file + file_struct_len;
+	do {
+		char tag = read_byte(f);
+		int ndx;
+
+		if (tag == 'A' || tag == 'a') {
+			if (type != SMB_ACL_TYPE_ACCESS) {
+				rprintf(FERROR, "receive_acl %s: duplicate access ACL\n",
+					f_name(file, NULL));
+				exit_cleanup(RERR_STREAMIO);
+			}
+		} else if (tag == 'D' || tag == 'd') {
+			if (type == SMB_ACL_TYPE_ACCESS) {
+				rprintf(FERROR, "receive_acl %s: expecting access ACL; got default\n",
+					f_name(file, NULL));
+				exit_cleanup(RERR_STREAMIO);
+			}
+		} else {
+			rprintf(FERROR, "receive_acl %s: unknown ACL type tag: %c\n",
+				f_name(file, NULL), tag);
+			exit_cleanup(RERR_STREAMIO);
+		}
+		if (tag == 'A' || tag == 'D') {
+			acl_duo *duo_item;
+			ndx = racl_list->count;
+			duo_item = EXPAND_ITEM_LIST(racl_list, acl_duo, 1000);
+			duo_item->racl = empty_rsync_acl;
+			receive_rsync_acl(&duo_item->racl, f, type);
+			duo_item->sacl = NULL;
+		} else {
+			ndx = read_int(f);
+			if (ndx < 0 || (size_t)ndx >= racl_list->count) {
+				rprintf(FERROR, "receive_acl %s: %s ACL index %d out of range\n",
+					f_name(file, NULL), str_acl_type(type), ndx);
+				exit_cleanup(RERR_STREAMIO);
+			}
+		}
+		SIVAL(ndx_ptr, 0, ndx);
+		racl_list = &default_acl_list;
+		ndx_ptr += 4;
+	} while (BUMP_TYPE(type) && S_ISDIR(file->mode));
+}
+
+/* Turn the ACL data in statx into cached ACL data, setting the index
+ * values in the file struct. */
+void cache_acl(struct file_struct *file, statx *sxp)
+{
+	SMB_ACL_TYPE_T type;
+	rsync_acl *racl;
+	item_list *racl_list;
+	char *ndx_ptr;
+	int ndx;
+
+	if (S_ISLNK(file->mode))
+		return;
+
+	type = SMB_ACL_TYPE_ACCESS;
+	racl = sxp->acc_acl;
+	racl_list = &access_acl_list;
+	ndx_ptr = (char*)file + file_struct_len;
+	do {
+		if (!racl)
+			ndx = -1;
+		else if ((ndx = find_matching_rsync_acl(type, racl_list, racl)) == -1) {
+			acl_duo *new_duo;
+			ndx = racl_list->count;
+			new_duo = EXPAND_ITEM_LIST(racl_list, acl_duo, 1000);
+			new_duo->racl = *racl;
+			new_duo->sacl = NULL;
+			*racl = empty_rsync_acl;
+		}
+		SIVAL(ndx_ptr, 0, ndx);
+		racl = sxp->def_acl;
+		racl_list = &default_acl_list;
+		ndx_ptr += 4;
+	} while (BUMP_TYPE(type) && S_ISDIR(sxp->st.st_mode));
+
+	free_acl(sxp);
+}
+
+static mode_t change_sacl_perms(SMB_ACL_T sacl, rsync_acl *racl, mode_t old_mode, mode_t mode)
+{
+	SMB_ACL_ENTRY_T entry;
+	const char *errfun;
+	int rc;
+
+	if (S_ISDIR(mode)) {
+		/* If the sticky bit is going on, it's not safe to allow all
+		 * the new ACL to go into effect before it gets set. */
+#ifdef SMB_ACL_LOSES_SPECIAL_MODE_BITS
+		if (mode & S_ISVTX)
+			mode &= ~0077;
+#else
+		if (mode & S_ISVTX && !(old_mode & S_ISVTX))
+			mode &= ~0077;
+	} else {
+		/* If setuid or setgid is going off, it's not safe to allow all
+		 * the new ACL to go into effect before they get cleared. */
+		if ((old_mode & S_ISUID && !(mode & S_ISUID))
+		 || (old_mode & S_ISGID && !(mode & S_ISGID)))
+			mode &= ~0077;
+#endif
+	}
+
+	errfun = "sys_acl_get_entry";
+	for (rc = sys_acl_get_entry(sacl, SMB_ACL_FIRST_ENTRY, &entry);
+	     rc == 1;
+	     rc = sys_acl_get_entry(sacl, SMB_ACL_NEXT_ENTRY, &entry)) {
+		SMB_ACL_TAG_T tag_type;
+		if ((rc = sys_acl_get_tag_type(entry, &tag_type))) {
+			errfun = "sys_acl_get_tag_type";
+			break;
+		}
+		switch (tag_type) {
+		case SMB_ACL_USER_OBJ:
+			COE2( store_access_in_entry,((mode >> 6) & 7, entry) );
+			break;
+		case SMB_ACL_GROUP_OBJ:
+			/* group is only empty when identical to group perms. */
+			if (racl->group_obj != NO_ENTRY)
+				break;
+			COE2( store_access_in_entry,((mode >> 3) & 7, entry) );
+			break;
+		case SMB_ACL_MASK:
+#ifndef ACLS_NEED_MASK
+			/* mask is only empty when we don't need it. */
+			if (racl->mask == NO_ENTRY)
+				break;
+#endif
+			COE2( store_access_in_entry,((mode >> 3) & 7, entry) );
+			break;
+		case SMB_ACL_OTHER:
+			COE2( store_access_in_entry,(mode & 7, entry) );
+			break;
+		}
+	}
+	if (rc) {
+	  error_exit:
+		if (errfun) {
+			rsyserr(FERROR, errno, "change_sacl_perms: %s()",
+				errfun);
+		}
+		return (mode_t)~0;
+	}
+
+#ifdef SMB_ACL_LOSES_SPECIAL_MODE_BITS
+	/* Ensure that chmod() will be called to restore any lost setid bits. */
+	if (old_mode & (S_ISUID | S_ISGID | S_ISVTX)
+	 && (old_mode & CHMOD_BITS) == (mode & CHMOD_BITS))
+		old_mode &= ~(S_ISUID | S_ISGID | S_ISVTX);
+#endif
+
+	/* Return the mode of the file on disk, as we will set them. */
+	return (old_mode & ~ACCESSPERMS) | (mode & ACCESSPERMS);
+}
+
+/* Set ACL on indicated filename.
+ *
+ * This sets extended access ACL entries and default ACL.  If convenient,
+ * it sets permission bits along with the access ACL and signals having
+ * done so by modifying sxp->st.st_mode.
+ *
+ * Returns 1 for unchanged, 0 for changed, -1 for failed.  Call this
+ * with fname set to NULL to just check if the ACL is unchanged. */
+int set_acl(const char *fname, const struct file_struct *file, statx *sxp)
+{
+	int unchanged = 1;
+	SMB_ACL_TYPE_T type;
+	char *ndx_ptr;
+
+	if (!dry_run && (read_only || list_only)) {
+		errno = EROFS;
+		return -1;
+	}
+
+	if (S_ISLNK(file->mode))
+		return 1;
+
+	type = SMB_ACL_TYPE_ACCESS;
+	ndx_ptr = (char*)file + file_struct_len;
+	do {
+		acl_duo *duo_item;
+		BOOL eq;
+		int32 ndx = IVAL(ndx_ptr, 0);
+
+		ndx_ptr += 4;
+
+		if (type == SMB_ACL_TYPE_ACCESS) {
+			if (ndx < 0 || (size_t)ndx >= access_acl_list.count)
+				continue;
+			duo_item = access_acl_list.items;
+			duo_item += ndx;
+			eq = sxp->acc_acl
+			    && rsync_acl_equal_enough(sxp->acc_acl, &duo_item->racl, file->mode);
+		} else {
+			if (ndx < 0 || (size_t)ndx >= default_acl_list.count)
+				continue;
+			duo_item = default_acl_list.items;
+			duo_item += ndx;
+			eq = sxp->def_acl
+			    && rsync_acl_equal(sxp->def_acl, &duo_item->racl);
+		}
+		if (eq)
+			continue;
+		if (!dry_run && fname) {
+			if (type == SMB_ACL_TYPE_DEFAULT
+			 && duo_item->racl.user_obj == NO_ENTRY) {
+				if (sys_acl_delete_def_file(fname) < 0) {
+					rsyserr(FERROR, errno, "set_acl: sys_acl_delete_def_file(%s)",
+						fname);
+					unchanged = -1;
+					continue;
+				}
+			} else {
+				mode_t cur_mode = sxp->st.st_mode;
+				if (!duo_item->sacl
+				 && !pack_smb_acl(&duo_item->sacl, &duo_item->racl)) {
+					unchanged = -1;
+					continue;
+				}
+				if (type == SMB_ACL_TYPE_ACCESS) {
+					cur_mode = change_sacl_perms(duo_item->sacl, &duo_item->racl,
+								     cur_mode, file->mode);
+					if (cur_mode == (mode_t)~0)
+						continue;
+				}
+				if (sys_acl_set_file(fname, type, duo_item->sacl) < 0) {
+					rsyserr(FERROR, errno, "set_acl: sys_acl_set_file(%s, %s)",
+						fname, str_acl_type(type));
+					unchanged = -1;
+					continue;
+				}
+				if (type == SMB_ACL_TYPE_ACCESS)
+					sxp->st.st_mode = cur_mode;
+			}
+		}
+		if (unchanged == 1)
+			unchanged = 0;
+	} while (BUMP_TYPE(type) && S_ISDIR(file->mode));
+
+	return unchanged;
+}
+
+/* === Enumeration functions for uid mapping === */
+
+/* Context -- one and only one.  Should be cycled through once on uid
+ * mapping and once on gid mapping. */
+static item_list *_enum_racl_lists[] = {
+	&access_acl_list, &default_acl_list, NULL
+};
+
+static item_list **enum_racl_list = &_enum_racl_lists[0];
+static int enum_ida_index = 0;
+static size_t enum_racl_index = 0;
+
+/* This returns the next tag_type id from the given ACL for the next entry,
+ * or it returns 0 if there are no more tag_type ids in the acl. */
+static id_t *next_ace_id(SMB_ACL_TAG_T tag_type, const rsync_acl *racl)
+{
+	const ida_entries *idal = tag_type == SMB_ACL_USER ? &racl->users : &racl->groups;
+	if (enum_ida_index < idal->count) {
+		id_access *ida = &idal->idas[enum_ida_index++];
+		return &ida->id;
+	}
+	enum_ida_index = 0;
+	return NULL;
+}
+
+static id_t *next_acl_id(SMB_ACL_TAG_T tag_type, const item_list *racl_list)
+{
+	for (; enum_racl_index < racl_list->count; enum_racl_index++) {
+		id_t *id;
+		acl_duo *duo_item = racl_list->items;
+		duo_item += enum_racl_index;
+		if ((id = next_ace_id(tag_type, &duo_item->racl)) != NULL)
+			return id;
+	}
+	enum_racl_index = 0;
+	return NULL;
+}
+
+static id_t *next_acl_list_id(SMB_ACL_TAG_T tag_type)
+{
+	for (; *enum_racl_list; enum_racl_list++) {
+		id_t *id = next_acl_id(tag_type, *enum_racl_list);
+		if (id)
+			return id;
+	}
+	enum_racl_list = &_enum_racl_lists[0];
+	return NULL;
+}
+
+id_t *next_acl_uid()
+{
+	return next_acl_list_id(SMB_ACL_USER);
+}
+
+id_t *next_acl_gid()
+{
+	return next_acl_list_id(SMB_ACL_GROUP);
+}
+
+/* This is used by dest_mode(). */
+int default_perms_for_dir(const char *dir)
+{
+	rsync_acl racl;
+	SMB_ACL_T sacl;
+	BOOL ok;
+	int perms;
+
+	if (dir == NULL)
+		dir = ".";
+	perms = ACCESSPERMS & ~orig_umask;
+	/* Read the directory's default ACL.  If it has none, this will successfully return an empty ACL. */
+	sacl = sys_acl_get_file(dir, SMB_ACL_TYPE_DEFAULT);
+	if (sacl == NULL) {
+		/* Couldn't get an ACL.  Darn. */
+		switch (errno) {
+		case ENOTSUP:
+			/* ACLs are disabled.  We could yell at the user to turn them on, but... */
+			break;
+		case ENOENT:
+			if (dry_run) {
+				/* We're doing a dry run, so the containing directory
+				 * wasn't actually created.  Don't worry about it. */
+				break;
+			}
+			/* Otherwise fall through. */
+		default:
+			rprintf(FERROR, "default_perms_for_dir: sys_acl_get_file(%s, %s): %s, falling back on umask\n",
+				dir, str_acl_type(SMB_ACL_TYPE_DEFAULT), strerror(errno));
+		}
+		return perms;
+	}
+
+	/* Convert it. */
+	racl = empty_rsync_acl;
+	ok = unpack_smb_acl(&racl, sacl);
+	sys_acl_free_acl(sacl);
+	if (!ok) {
+		rprintf(FERROR, "default_perms_for_dir: unpack_smb_acl failed, falling back on umask\n");
+		return perms;
+	}
+
+	/* Apply the permission-bit entries of the default ACL, if any. */
+	if (racl.user_obj != NO_ENTRY) {
+		perms = rsync_acl_get_perms(&racl);
+		if (verbose > 2)
+			rprintf(FINFO, "got ACL-based default perms %o for directory %s\n", perms, dir);
+	}
+
+	rsync_acl_free(&racl);
+	return perms;
+}
+
+#endif /* SUPPORT_ACLS */
--- old/backup.c
+++ new/backup.c
@@ -29,6 +29,7 @@ extern char *backup_suffix;
 extern char *backup_dir;
 
 extern int am_root;
+extern int preserve_acls;
 extern int preserve_devices;
 extern int preserve_specials;
 extern int preserve_links;
@@ -94,7 +95,8 @@ path
 ****************************************************************************/
 static int make_bak_dir(char *fullpath)
 {
-	STRUCT_STAT st;
+	statx sx;
+	struct file_struct *file;
 	char *rel = fullpath + backup_dir_len;
 	char *end = rel + strlen(rel);
 	char *p = end;
@@ -126,13 +128,24 @@ static int make_bak_dir(char *fullpath)
 		if (p >= rel) {
 			/* Try to transfer the directory settings of the
 			 * actual dir that the files are coming from. */
-			if (do_stat(rel, &st) < 0) {
+			if (do_stat(rel, &sx.st) < 0) {
 				rsyserr(FERROR, errno,
 					"make_bak_dir stat %s failed",
 					full_fname(rel));
 			} else {
-				do_lchown(fullpath, st.st_uid, st.st_gid);
-				do_chmod(fullpath, st.st_mode);
+#ifdef SUPPORT_ACLS
+				sx.acc_acl = sx.def_acl = NULL;
+#endif
+				if (!(file = make_file(rel, NULL, NULL, 0, NO_FILTERS)))
+					continue;
+#ifdef SUPPORT_ACLS
+				if (preserve_acls) {
+					get_acl(rel, &sx);
+					cache_acl(file, &sx);
+				}
+#endif
+				set_file_attrs(fullpath, file, NULL, 0);
+				free(file);
 			}
 		}
 		*p = '/';
@@ -170,15 +183,18 @@ static int robust_move(char *src, char *
  * We will move the file to be deleted into a parallel directory tree. */
 static int keep_backup(char *fname)
 {
-	STRUCT_STAT st;
+	statx sx;
 	struct file_struct *file;
 	char *buf;
 	int kept = 0;
 	int ret_code;
 
 	/* return if no file to keep */
-	if (do_lstat(fname, &st) < 0)
+	if (do_lstat(fname, &sx.st) < 0)
 		return 1;
+#ifdef SUPPORT_ACLS
+	sx.acc_acl = sx.def_acl = NULL;
+#endif
 
 	if (!(file = make_file(fname, NULL, NULL, 0, NO_FILTERS)))
 		return 1; /* the file could have disappeared */
@@ -186,6 +202,13 @@ static int keep_backup(char *fname)
 	if (!(buf = get_backup_name(fname)))
 		return 0;
 
+#ifdef SUPPORT_ACLS
+	if (preserve_acls) {
+		get_acl(fname, &sx);
+		cache_acl(file, &sx);
+	}
+#endif
+
 	/* Check to see if this is a device file, or link */
 	if ((am_root && preserve_devices && IS_DEVICE(file->mode))
 	 || (preserve_specials && IS_SPECIAL(file->mode))) {
@@ -254,7 +277,7 @@ static int keep_backup(char *fname)
 		if (robust_move(fname, buf) != 0) {
 			rsyserr(FERROR, errno, "keep_backup failed: %s -> \"%s\"",
 				full_fname(fname), buf);
-		} else if (st.st_nlink > 1) {
+		} else if (sx.st.st_nlink > 1) {
 			/* If someone has hard-linked the file into the backup
 			 * dir, rename() might return success but do nothing! */
 			robust_unlink(fname); /* Just in case... */
--- old/configure.in
+++ new/configure.in
@@ -515,6 +515,11 @@ if test x"$ac_cv_func_strcasecmp" = x"no
     AC_CHECK_LIB(resolv, strcasecmp)
 fi
 
+AC_CHECK_FUNCS(aclsort)
+if test x"$ac_cv_func_aclsort" = x"no"; then
+    AC_CHECK_LIB(sec, aclsort)
+fi
+
 dnl At the moment we don't test for a broken memcmp(), because all we
 dnl need to do is test for equality, not comparison, and it seems that
 dnl every platform has a memcmp that can do at least that.
@@ -779,6 +784,78 @@ AC_SUBST(OBJ_RESTORE)
 AC_SUBST(CC_SHOBJ_FLAG)
 AC_SUBST(BUILD_POPT)
 
+AC_CHECK_HEADERS(sys/acl.h acl/libacl.h)
+AC_CHECK_FUNCS(_acl __acl _facl __facl)
+#################################################
+# check for ACL support
+
+AC_MSG_CHECKING(whether to support ACLs)
+AC_ARG_ENABLE(acl-support,
+AC_HELP_STRING([--enable-acl-support], [Include ACL support (default=no)]),
+[ case "$enableval" in
+  yes)
+
+		case "$host_os" in
+		*sysv5*)
+			AC_MSG_RESULT(Using UnixWare ACLs)
+			AC_DEFINE(HAVE_UNIXWARE_ACLS, 1, [true if you have UnixWare ACLs])
+			;;
+		*solaris*|*cygwin*)
+			AC_MSG_RESULT(Using solaris ACLs)
+			AC_DEFINE(HAVE_SOLARIS_ACLS, 1, [true if you have solaris ACLs])
+			;;
+		*hpux*)
+			AC_MSG_RESULT(Using HPUX ACLs)
+			AC_DEFINE(HAVE_HPUX_ACLS, 1, [true if you have HPUX ACLs])
+			;;
+		*irix*)
+			AC_MSG_RESULT(Using IRIX ACLs)
+			AC_DEFINE(HAVE_IRIX_ACLS, 1, [true if you have IRIX ACLs])
+			;;
+		*aix*)
+			AC_MSG_RESULT(Using AIX ACLs)
+			AC_DEFINE(HAVE_AIX_ACLS, 1, [true if you have AIX ACLs])
+			;;
+		*osf*)
+			AC_MSG_RESULT(Using Tru64 ACLs)
+			AC_DEFINE(HAVE_TRU64_ACLS, 1, [true if you have Tru64 ACLs])
+			LIBS="$LIBS -lpacl"
+			;;
+		*)
+		    AC_MSG_RESULT(ACLs requested -- running tests)
+		    AC_CHECK_LIB(acl,acl_get_file)
+			AC_CACHE_CHECK([for ACL support],samba_cv_HAVE_POSIX_ACLS,[
+			AC_TRY_LINK([#include <sys/types.h>
+#include <sys/acl.h>],
+[ acl_t acl; int entry_id; acl_entry_t *entry_p; return acl_get_entry( acl, entry_id, entry_p);],
+samba_cv_HAVE_POSIX_ACLS=yes,samba_cv_HAVE_POSIX_ACLS=no)])
+			AC_MSG_CHECKING(ACL test results)
+			if test x"$samba_cv_HAVE_POSIX_ACLS" = x"yes"; then
+			    AC_MSG_RESULT(Using posix ACLs)
+			    AC_DEFINE(HAVE_POSIX_ACLS, 1, [true if you have posix ACLs])
+			    AC_CACHE_CHECK([for acl_get_perm_np],samba_cv_HAVE_ACL_GET_PERM_NP,[
+				AC_TRY_LINK([#include <sys/types.h>
+#include <sys/acl.h>],
+[ acl_permset_t permset_d; acl_perm_t perm; return acl_get_perm_np( permset_d, perm);],
+samba_cv_HAVE_ACL_GET_PERM_NP=yes,samba_cv_HAVE_ACL_GET_PERM_NP=no)])
+			    if test x"$samba_cv_HAVE_ACL_GET_PERM_NP" = x"yes"; then
+				AC_DEFINE(HAVE_ACL_GET_PERM_NP, 1, [true if you have acl_get_perm_np])
+			    fi
+			else
+			    AC_MSG_ERROR(Failed to find ACL support)
+			fi
+			;;
+		esac
+		;;
+  *)
+    AC_MSG_RESULT(no)
+	AC_DEFINE(HAVE_NO_ACLS, 1, [true if you don't have ACLs])
+    ;;
+  esac ],
+  AC_DEFINE(HAVE_NO_ACLS, 1, [true if you don't have ACLs])
+  AC_MSG_RESULT(no)
+)
+
 AC_CONFIG_FILES([Makefile lib/dummy zlib/dummy popt/dummy shconfig])
 AC_OUTPUT
 
--- old/flist.c
+++ new/flist.c
@@ -40,6 +40,7 @@ extern int filesfrom_fd;
 extern int one_file_system;
 extern int copy_dirlinks;
 extern int keep_dirlinks;
+extern int preserve_acls;
 extern int preserve_links;
 extern int preserve_hard_links;
 extern int preserve_devices;
@@ -133,6 +134,8 @@ static void list_file_entry(struct file_
 
 	permstring(permbuf, f->mode);
 
+	/* TODO: indicate '+' if the entry has an ACL. */
+
 #ifdef SUPPORT_LINKS
 	if (preserve_links && S_ISLNK(f->mode)) {
 		rprintf(FINFO, "%s %11.0f %s %s -> %s\n",
@@ -495,6 +498,9 @@ static struct file_struct *receive_file_
 	char thisname[MAXPATHLEN];
 	unsigned int l1 = 0, l2 = 0;
 	int alloc_len, basename_len, dirname_len, linkname_len, sum_len;
+#ifdef SUPPORT_ACLS
+	int xtra_len;
+#endif
 	OFF_T file_length;
 	char *basename, *dirname, *bp;
 	struct file_struct *file;
@@ -598,13 +604,27 @@ static struct file_struct *receive_file_
 
 	sum_len = always_checksum && S_ISREG(mode) ? MD4_SUM_LENGTH : 0;
 
+#ifdef SUPPORT_ACLS
+	/* We need one or two index int32s when we're preserving ACLs. */
+	if (preserve_acls)
+		xtra_len = (S_ISDIR(mode) ? 2 : 1) * 4;
+	else
+		xtra_len = 0;
+#endif
+
 	alloc_len = file_struct_len + dirname_len + basename_len
+#ifdef SUPPORT_ACLS
+		  + xtra_len
+#endif
 		  + linkname_len + sum_len;
 	bp = pool_alloc(flist->file_pool, alloc_len, "receive_file_entry");
 
 	file = (struct file_struct *)bp;
 	memset(bp, 0, file_struct_len);
 	bp += file_struct_len;
+#ifdef SUPPORT_ACLS
+	bp += xtra_len;
+#endif
 
 	file->modtime = modtime;
 	file->length = file_length;
@@ -699,6 +719,11 @@ static struct file_struct *receive_file_
 		read_buf(f, sum, checksum_len);
 	}
 
+#ifdef SUPPORT_ACLS
+	if (preserve_acls)
+		receive_acl(file, f);
+#endif
+
 	return file;
 }
 
@@ -949,6 +974,9 @@ static struct file_struct *send_file_nam
 					  unsigned short flags)
 {
 	struct file_struct *file;
+#ifdef SUPPORT_ACLS
+	statx sx;
+#endif
 
 	file = make_file(fname, flist, stp, flags,
 			 f == -2 ? SERVER_FILTERS : ALL_FILTERS);
@@ -958,6 +986,15 @@ static struct file_struct *send_file_nam
 	if (chmod_modes && !S_ISLNK(file->mode))
 		file->mode = tweak_mode(file->mode, chmod_modes);
 
+#ifdef SUPPORT_ACLS
+	if (preserve_acls) {
+		sx.st.st_mode = file->mode;
+		sx.acc_acl = sx.def_acl = NULL;
+		if (get_acl(fname, &sx) < 0)
+			return NULL;
+	}
+#endif
+
 	maybe_emit_filelist_progress(flist->count + flist_count_offset);
 
 	flist_expand(flist);
@@ -965,6 +1002,15 @@ static struct file_struct *send_file_nam
 	if (file->basename[0]) {
 		flist->files[flist->count++] = file;
 		send_file_entry(file, f);
+#ifdef SUPPORT_ACLS
+		if (preserve_acls)
+			send_acl(&sx, f);
+#endif
+	} else {
+#ifdef SUPPORT_ACLS
+		if (preserve_acls)
+			free_acl(&sx);
+#endif
 	}
 	return file;
 }
--- old/generator.c
+++ new/generator.c
@@ -35,6 +35,7 @@ extern int do_progress;
 extern int relative_paths;
 extern int implied_dirs;
 extern int keep_dirlinks;
+extern int preserve_acls;
 extern int preserve_links;
 extern int preserve_devices;
 extern int preserve_specials;
@@ -85,6 +86,7 @@ extern long block_size; /* "long" becaus
 extern int max_delete;
 extern int force_delete;
 extern int one_file_system;
+extern mode_t orig_umask;
 extern struct stats stats;
 extern dev_t filesystem_dev;
 extern char *backup_dir;
@@ -317,22 +319,27 @@ static void do_delete_pass(struct file_l
 		rprintf(FINFO, "                    \r");
 }
 
-int unchanged_attrs(struct file_struct *file, STRUCT_STAT *st)
+int unchanged_attrs(struct file_struct *file, statx *sxp)
 {
 	if (preserve_perms
-	 && (st->st_mode & CHMOD_BITS) != (file->mode & CHMOD_BITS))
+	 && (sxp->st.st_mode & CHMOD_BITS) != (file->mode & CHMOD_BITS))
 		return 0;
 
-	if (am_root && preserve_uid && st->st_uid != file->uid)
+	if (am_root && preserve_uid && sxp->st.st_uid != file->uid)
 		return 0;
 
-	if (preserve_gid && file->gid != GID_NONE && st->st_gid != file->gid)
+	if (preserve_gid && file->gid != GID_NONE && sxp->st.st_gid != file->gid)
+		return 0;
+
+#ifdef SUPPORT_ACLS
+	if (preserve_acls && set_acl(NULL, file, sxp) == 0)
 		return 0;
+#endif
 
 	return 1;
 }
 
-void itemize(struct file_struct *file, int ndx, int statret, STRUCT_STAT *st,
+void itemize(struct file_struct *file, int ndx, int statret, statx *sxp,
 	     int32 iflags, uchar fnamecmp_type, char *xname)
 {
 	if (statret >= 0) { /* A from-dest-dir statret can == 1! */
@@ -340,19 +347,23 @@ void itemize(struct file_struct *file, i
 		    : S_ISDIR(file->mode) ? !omit_dir_times
 		    : !S_ISLNK(file->mode);
 
-		if (S_ISREG(file->mode) && file->length != st->st_size)
+		if (S_ISREG(file->mode) && file->length != sxp->st.st_size)
 			iflags |= ITEM_REPORT_SIZE;
 		if ((iflags & (ITEM_TRANSFER|ITEM_LOCAL_CHANGE) && !keep_time
 		     && (!(iflags & ITEM_XNAME_FOLLOWS) || *xname))
-		    || (keep_time && cmp_time(file->modtime, st->st_mtime) != 0))
+		    || (keep_time && cmp_time(file->modtime, sxp->st.st_mtime) != 0))
 			iflags |= ITEM_REPORT_TIME;
-		if ((file->mode & CHMOD_BITS) != (st->st_mode & CHMOD_BITS))
+		if ((file->mode & CHMOD_BITS) != (sxp->st.st_mode & CHMOD_BITS))
 			iflags |= ITEM_REPORT_PERMS;
-		if (preserve_uid && am_root && file->uid != st->st_uid)
+		if (preserve_uid && am_root && file->uid != sxp->st.st_uid)
 			iflags |= ITEM_REPORT_OWNER;
 		if (preserve_gid && file->gid != GID_NONE
-		    && st->st_gid != file->gid)
+		    && sxp->st.st_gid != file->gid)
 			iflags |= ITEM_REPORT_GROUP;
+#ifdef SUPPORT_ACLS
+		if (preserve_acls && set_acl(NULL, file, sxp) == 0)
+			iflags |= ITEM_REPORT_ACL;
+#endif
 	} else
 		iflags |= ITEM_IS_NEW;
 
@@ -605,7 +616,7 @@ void check_for_finished_hlinks(int itemi
  * handling the file, -1 if no dest-linking occurred, or a non-negative
  * value if we found an alternate basis file. */
 static int try_dests_reg(struct file_struct *file, char *fname, int ndx,
-			 char *cmpbuf, STRUCT_STAT *stp, int itemizing,
+			 char *cmpbuf, statx *sxp, int itemizing,
 			 int maybe_ATTRS_REPORT, enum logcode code)
 {
 	int best_match = -1;
@@ -614,7 +625,7 @@ static int try_dests_reg(struct file_str
 
 	do {
 		pathjoin(cmpbuf, MAXPATHLEN, basis_dir[j], fname);
-		if (link_stat(cmpbuf, stp, 0) < 0 || !S_ISREG(stp->st_mode))
+		if (link_stat(cmpbuf, &sxp->st, 0) < 0 || !S_ISREG(sxp->st.st_mode))
 			continue;
 		switch (match_level) {
 		case 0:
@@ -622,16 +633,20 @@ static int try_dests_reg(struct file_str
 			match_level = 1;
 			/* FALL THROUGH */
 		case 1:
-			if (!unchanged_file(cmpbuf, file, stp))
+			if (!unchanged_file(cmpbuf, file, &sxp->st))
 				continue;
 			best_match = j;
 			match_level = 2;
 			/* FALL THROUGH */
 		case 2:
-			if (!unchanged_attrs(file, stp))
+#ifdef SUPPORT_ACLS
+			if (preserve_acls)
+				get_acl(cmpbuf, sxp);
+#endif
+			if (!unchanged_attrs(file, sxp))
 				continue;
 			if (always_checksum && preserve_times
-			 && cmp_time(stp->st_mtime, file->modtime))
+			 && cmp_time(sxp->st.st_mtime, file->modtime))
 				continue;
 			best_match = j;
 			match_level = 3;
@@ -646,14 +661,14 @@ static int try_dests_reg(struct file_str
 	if (j != best_match) {
 		j = best_match;
 		pathjoin(cmpbuf, MAXPATHLEN, basis_dir[j], fname);
-		if (link_stat(cmpbuf, stp, 0) < 0)
+		if (link_stat(cmpbuf, &sxp->st, 0) < 0)
 			return -1;
 	}
 
 	if (match_level == 3 && !copy_dest) {
 #ifdef SUPPORT_HARD_LINKS
 		if (link_dest) {
-			if (hard_link_one(file, ndx, fname, 0, stp,
+			if (hard_link_one(file, ndx, fname, 0, sxp,
 					  cmpbuf, 1,
 					  itemizing && verbose > 1,
 					  code) < 0)
@@ -665,8 +680,13 @@ static int try_dests_reg(struct file_str
 			}
 		} else
 #endif
-		if (itemizing)
-			itemize(file, ndx, 0, stp, 0, 0, NULL);
+		if (itemizing) {
+#ifdef SUPPORT_ACLS
+			if (preserve_acls && !ACL_READY(*sxp))
+				get_acl(fname, sxp);
+#endif
+			itemize(file, ndx, 0, sxp, 0, 0, NULL);
+		}
 		if (verbose > 1 && maybe_ATTRS_REPORT) {
 			rprintf(FCLIENT, "%s is uptodate\n", fname);
 		}
@@ -682,8 +702,13 @@ static int try_dests_reg(struct file_str
 			}
 			return -1;
 		}
-		if (itemizing)
-			itemize(file, ndx, 0, stp, ITEM_LOCAL_CHANGE, 0, NULL);
+		if (itemizing) {
+#ifdef SUPPORT_ACLS
+			if (preserve_acls && !ACL_READY(*sxp))
+				get_acl(fname, sxp);
+#endif
+			itemize(file, ndx, 0, sxp, ITEM_LOCAL_CHANGE, 0, NULL);
+		}
 		set_file_attrs(fname, file, NULL, 0);
 		if (maybe_ATTRS_REPORT
 		 && ((!itemizing && verbose && match_level == 2)
@@ -707,13 +732,18 @@ static int try_dests_non(struct file_str
 			 enum logcode code)
 {
 	char fnamebuf[MAXPATHLEN];
-	STRUCT_STAT st;
+	statx sx;
 	int i = 0;
 
 	do {
 		pathjoin(fnamebuf, MAXPATHLEN, basis_dir[i], fname);
-		if (link_stat(fnamebuf, &st, 0) < 0 || S_ISDIR(st.st_mode)
-		 || !unchanged_attrs(file, &st))
+		if (link_stat(fnamebuf, &sx.st, 0) < 0 || S_ISDIR(sx.st.st_mode))
+			continue;
+#ifdef SUPPORT_ACLS
+		if (preserve_acls)
+			get_acl(fnamebuf, &sx);
+#endif
+		if (!unchanged_attrs(file, &sx))
 			continue;
 		if (S_ISLNK(file->mode)) {
 #ifdef SUPPORT_LINKS
@@ -726,10 +756,10 @@ static int try_dests_non(struct file_str
 #endif
 				continue;
 		} else if (IS_SPECIAL(file->mode)) {
-			if (!IS_SPECIAL(st.st_mode) || st.st_rdev != file->u.rdev)
+			if (!IS_SPECIAL(sx.st.st_mode) || sx.st.st_rdev != file->u.rdev)
 				continue;
 		} else if (IS_DEVICE(file->mode)) {
-			if (!IS_DEVICE(st.st_mode) || st.st_rdev != file->u.rdev)
+			if (!IS_DEVICE(sx.st.st_mode) || sx.st.st_rdev != file->u.rdev)
 				continue;
 		} else {
 			rprintf(FERROR,
@@ -760,7 +790,15 @@ static int try_dests_non(struct file_str
 			int changes = compare_dest ? 0 : ITEM_LOCAL_CHANGE
 				    + (link_dest ? ITEM_XNAME_FOLLOWS : 0);
 			char *lp = link_dest ? "" : NULL;
-			itemize(file, ndx, 0, &st, changes, 0, lp);
+#ifdef SUPPORT_ACLS
+			if (preserve_acls)
+				get_acl(fname, &sx);
+#endif
+			itemize(file, ndx, 0, &sx, changes, 0, lp);
+#ifdef SUPPORT_ACLS
+			if (preserve_acls)
+				free_acl(&sx);
+#endif
 		}
 		if (verbose > 1 && maybe_ATTRS_REPORT) {
 			rprintf(FCLIENT, "%s is uptodate\n", fname);
@@ -772,6 +810,7 @@ static int try_dests_non(struct file_str
 }
 
 static int phase = 0;
+static int dflt_perms;
 
 /* Acts on the_file_list->file's ndx'th item, whose name is fname.  If a dir,
  * make sure it exists, and has the right permissions/timestamp info.  For
@@ -793,7 +832,8 @@ static void recv_generator(char *fname, 
 	static int need_fuzzy_dirlist = 0;
 	struct file_struct *fuzzy_file = NULL;
 	int fd = -1, f_copy = -1;
-	STRUCT_STAT st, real_st, partial_st;
+	statx sx, real_sx;
+	STRUCT_STAT partial_st;
 	struct file_struct *back_file = NULL;
 	int statret, real_ret, stat_errno;
 	char *fnamecmp, *partialptr, *backupptr = NULL;
@@ -849,6 +889,9 @@ static void recv_generator(char *fname, 
 		} else if (!dry_run)
 			return;
 	}
+#ifdef SUPPORT_ACLS
+	sx.acc_acl = sx.def_acl = NULL;
+#endif
 	if (dry_run > 1) {
 		statret = -1;
 		stat_errno = ENOENT;
@@ -856,7 +899,7 @@ static void recv_generator(char *fname, 
 		char *dn = file->dirname ? file->dirname : ".";
 		if (parent_dirname != dn && strcmp(parent_dirname, dn) != 0) {
 			if (relative_paths && !implied_dirs
-			 && do_stat(dn, &st) < 0
+			 && do_stat(dn, &sx.st) < 0
 			 && create_directory_path(fname) < 0) {
 				rsyserr(FERROR, errno,
 					"recv_generator: mkdir %s failed",
@@ -868,6 +911,10 @@ static void recv_generator(char *fname, 
 			}
 			if (fuzzy_basis)
 				need_fuzzy_dirlist = 1;
+#ifdef SUPPORT_ACLS
+			if (!preserve_perms)
+				dflt_perms = default_perms_for_dir(dn);
+#endif
 		}
 		parent_dirname = dn;
 
@@ -876,7 +923,7 @@ static void recv_generator(char *fname, 
 			need_fuzzy_dirlist = 0;
 		}
 
-		statret = link_stat(fname, &st,
+		statret = link_stat(fname, &sx.st,
 				    keep_dirlinks && S_ISDIR(file->mode));
 		stat_errno = errno;
 	}
@@ -894,8 +941,9 @@ static void recv_generator(char *fname, 
 	 * mode based on the local permissions and some heuristics. */
 	if (!preserve_perms) {
 		int exists = statret == 0
-			  && S_ISDIR(st.st_mode) == S_ISDIR(file->mode);
-		file->mode = dest_mode(file->mode, st.st_mode, exists);
+			  && S_ISDIR(sx.st.st_mode) == S_ISDIR(file->mode);
+		file->mode = dest_mode(file->mode, sx.st.st_mode, dflt_perms,
+				       exists);
 	}
 
 	if (S_ISDIR(file->mode)) {
@@ -904,8 +952,8 @@ static void recv_generator(char *fname, 
 		 * file of that name and it is *not* a directory, then
 		 * we need to delete it.  If it doesn't exist, then
 		 * (perhaps recursively) create it. */
-		if (statret == 0 && !S_ISDIR(st.st_mode)) {
-			if (delete_item(fname, st.st_mode, del_opts) < 0)
+		if (statret == 0 && !S_ISDIR(sx.st.st_mode)) {
+			if (delete_item(fname, sx.st.st_mode, del_opts) < 0)
 				return;
 			statret = -1;
 		}
@@ -920,7 +968,11 @@ static void recv_generator(char *fname, 
 					sr = -1;
 				new_root_dir = 0;
 			}
-			itemize(file, ndx, sr, &st,
+#ifdef SUPPORT_ACLS
+			if (preserve_acls && sr == 0)
+				get_acl(fname, &sx);
+#endif
+			itemize(file, ndx, sr, &sx,
 				sr ? ITEM_LOCAL_CHANGE : 0, 0, NULL);
 		}
 		if (statret != 0 && do_mkdir(fname,file->mode) < 0 && errno != EEXIST) {
@@ -940,19 +992,19 @@ static void recv_generator(char *fname, 
 				return;
 			}
 		}
-		if (set_file_attrs(fname, file, statret ? NULL : &st, 0)
+		if (set_file_attrs(fname, file, statret ? NULL : &sx, 0)
 		    && verbose && code != FNONE && f_out != -1)
 			rprintf(code, "%s/\n", fname);
 		if (delete_during && f_out != -1 && !phase && dry_run < 2
 		    && (file->flags & FLAG_DEL_HERE))
-			delete_in_dir(the_file_list, fname, file, &st);
-		return;
+			delete_in_dir(the_file_list, fname, file, &sx.st);
+		goto cleanup;
 	}
 
 	if (preserve_hard_links && file->link_u.links
-	    && hard_link_check(file, ndx, fname, statret, &st,
+	    && hard_link_check(file, ndx, fname, statret, &sx,
 			       itemizing, code, HL_CHECK_MASTER))
-		return;
+		goto cleanup;
 
 	if (preserve_links && S_ISLNK(file->mode)) {
 #ifdef SUPPORT_LINKS
@@ -970,7 +1022,7 @@ static void recv_generator(char *fname, 
 			char lnk[MAXPATHLEN];
 			int len;
 
-			if (!S_ISDIR(st.st_mode)
+			if (!S_ISDIR(sx.st.st_mode)
 			    && (len = readlink(fname, lnk, MAXPATHLEN-1)) > 0) {
 				lnk[len] = 0;
 				/* A link already pointing to the
@@ -978,10 +1030,10 @@ static void recv_generator(char *fname, 
 				 * required. */
 				if (strcmp(lnk, file->u.link) == 0) {
 					if (itemizing) {
-						itemize(file, ndx, 0, &st, 0,
+						itemize(file, ndx, 0, &sx, 0,
 							0, NULL);
 					}
-					set_file_attrs(fname, file, &st,
+					set_file_attrs(fname, file, &sx,
 						       maybe_ATTRS_REPORT);
 					if (preserve_hard_links
 					    && file->link_u.links) {
@@ -996,9 +1048,9 @@ static void recv_generator(char *fname, 
 			}
 			/* Not the right symlink (or not a symlink), so
 			 * delete it. */
-			if (delete_item(fname, st.st_mode, del_opts) < 0)
+			if (delete_item(fname, sx.st.st_mode, del_opts) < 0)
 				return;
-			if (!S_ISLNK(st.st_mode))
+			if (!S_ISLNK(sx.st.st_mode))
 				statret = -1;
 		} else if (basis_dir[0] != NULL) {
 			if (try_dests_non(file, fname, ndx, itemizing,
@@ -1015,7 +1067,7 @@ static void recv_generator(char *fname, 
 			}
 		}
 		if (preserve_hard_links && file->link_u.links
-		    && hard_link_check(file, ndx, fname, -1, &st,
+		    && hard_link_check(file, ndx, fname, -1, &sx,
 				       itemizing, code, HL_SKIP))
 			return;
 		if (do_symlink(file->u.link,fname) != 0) {
@@ -1024,7 +1076,7 @@ static void recv_generator(char *fname, 
 		} else {
 			set_file_attrs(fname, file, NULL, 0);
 			if (itemizing) {
-				itemize(file, ndx, statret, &st,
+				itemize(file, ndx, statret, &sx,
 					ITEM_LOCAL_CHANGE, 0, NULL);
 			}
 			if (code != FNONE && verbose) {
@@ -1059,18 +1111,22 @@ static void recv_generator(char *fname, 
 				code = FNONE;
 			}
 		}
+#ifdef SUPPORT_ACLS
+		if (preserve_acls && statret == 0)
+			get_acl(fname, &sx);
+#endif
 		if (statret != 0
-		 || (st.st_mode & ~CHMOD_BITS) != (file->mode & ~CHMOD_BITS)
-		 || st.st_rdev != file->u.rdev) {
+		 || (sx.st.st_mode & ~CHMOD_BITS) != (file->mode & ~CHMOD_BITS)
+		 || sx.st.st_rdev != file->u.rdev) {
 			if (statret == 0
-			 && delete_item(fname, st.st_mode, del_opts) < 0)
-				return;
+			 && delete_item(fname, sx.st.st_mode, del_opts) < 0)
+				goto cleanup;
 			if (preserve_hard_links && file->link_u.links
-			    && hard_link_check(file, ndx, fname, -1, &st,
+			    && hard_link_check(file, ndx, fname, -1, &sx,
 					       itemizing, code, HL_SKIP))
-				return;
-			if ((IS_DEVICE(file->mode) && !IS_DEVICE(st.st_mode))
-			 || (IS_SPECIAL(file->mode) && !IS_SPECIAL(st.st_mode)))
+				goto cleanup;
+			if ((IS_DEVICE(file->mode) && !IS_DEVICE(sx.st.st_mode))
+			 || (IS_SPECIAL(file->mode) && !IS_SPECIAL(sx.st.st_mode)))
 				statret = -1;
 			if (verbose > 2) {
 				rprintf(FINFO,"mknod(%s,0%o,0x%x)\n",
@@ -1083,7 +1139,7 @@ static void recv_generator(char *fname, 
 			} else {
 				set_file_attrs(fname, file, NULL, 0);
 				if (itemizing) {
-					itemize(file, ndx, statret, &st,
+					itemize(file, ndx, statret, &sx,
 						ITEM_LOCAL_CHANGE, 0, NULL);
 				}
 				if (code != FNONE && verbose)
@@ -1097,14 +1153,14 @@ static void recv_generator(char *fname, 
 			}
 		} else {
 			if (itemizing)
-				itemize(file, ndx, statret, &st, 0, 0, NULL);
-			set_file_attrs(fname, file, &st, maybe_ATTRS_REPORT);
+				itemize(file, ndx, statret, &sx, 0, 0, NULL);
+			set_file_attrs(fname, file, &sx, maybe_ATTRS_REPORT);
 			if (preserve_hard_links && file->link_u.links)
 				hard_link_cluster(file, ndx, itemizing, code);
 			if (remove_source_files == 1)
 				goto return_with_success;
 		}
-		return;
+		goto cleanup;
 	}
 
 	if (!S_ISREG(file->mode)) {
@@ -1138,7 +1194,7 @@ static void recv_generator(char *fname, 
 	}
 
 	if (update_only && statret == 0
-	    && cmp_time(st.st_mtime, file->modtime) > 0) {
+	    && cmp_time(sx.st.st_mtime, file->modtime) > 0) {
 		if (verbose > 1)
 			rprintf(FINFO, "%s is newer\n", fname);
 		return;
@@ -1147,20 +1203,20 @@ static void recv_generator(char *fname, 
 	fnamecmp = fname;
 	fnamecmp_type = FNAMECMP_FNAME;
 
-	if (statret == 0 && !S_ISREG(st.st_mode)) {
-		if (delete_item(fname, st.st_mode, del_opts) != 0)
+	if (statret == 0 && !S_ISREG(sx.st.st_mode)) {
+		if (delete_item(fname, sx.st.st_mode, del_opts) != 0)
 			return;
 		statret = -1;
 		stat_errno = ENOENT;
 	}
 
 	if (statret != 0 && basis_dir[0] != NULL) {
-		int j = try_dests_reg(file, fname, ndx, fnamecmpbuf, &st,
+		int j = try_dests_reg(file, fname, ndx, fnamecmpbuf, &sx,
 				      itemizing, maybe_ATTRS_REPORT, code);
 		if (j == -2) {
 			if (remove_source_files == 1)
 				goto return_with_success;
-			return;
+			goto cleanup;
 		}
 		if (j >= 0) {
 			fnamecmp = fnamecmpbuf;
@@ -1170,7 +1226,7 @@ static void recv_generator(char *fname, 
 	}
 
 	real_ret = statret;
-	real_st = st;
+	real_sx = sx;
 
 	if (partial_dir && (partialptr = partial_dir_fname(fname)) != NULL
 	    && link_stat(partialptr, &partial_st, 0) == 0
@@ -1189,7 +1245,7 @@ static void recv_generator(char *fname, 
 				rprintf(FINFO, "fuzzy basis selected for %s: %s\n",
 					fname, fnamecmpbuf);
 			}
-			st.st_size = fuzzy_file->length;
+			sx.st.st_size = fuzzy_file->length;
 			statret = 0;
 			fnamecmp = fnamecmpbuf;
 			fnamecmp_type = FNAMECMP_FUZZY;
@@ -1198,7 +1254,7 @@ static void recv_generator(char *fname, 
 
 	if (statret != 0) {
 		if (preserve_hard_links && file->link_u.links
-		    && hard_link_check(file, ndx, fname, statret, &st,
+		    && hard_link_check(file, ndx, fname, statret, &sx,
 				       itemizing, code, HL_SKIP))
 			return;
 		if (stat_errno == ENOENT)
@@ -1208,39 +1264,52 @@ static void recv_generator(char *fname, 
 		return;
 	}
 
-	if (append_mode && st.st_size > file->length)
+	if (append_mode && sx.st.st_size > file->length)
 		return;
 
 	if (fnamecmp_type <= FNAMECMP_BASIS_DIR_HIGH)
 		;
 	else if (fnamecmp_type == FNAMECMP_FUZZY)
 		;
-	else if (unchanged_file(fnamecmp, file, &st)) {
+	else if (unchanged_file(fnamecmp, file, &sx.st)) {
 		if (partialptr) {
 			do_unlink(partialptr);
 			handle_partial_dir(partialptr, PDIR_DELETE);
 		}
 		if (itemizing) {
-			itemize(file, ndx, real_ret, &real_st,
+#ifdef SUPPORT_ACLS
+			if (preserve_acls && real_ret == 0)
+				get_acl(fnamecmp, &real_sx);
+#endif
+			itemize(file, ndx, real_ret, &real_sx,
 				0, 0, NULL);
+#ifdef SUPPORT_ACLS
+			if (preserve_acls) {
+				if (fnamecmp_type == FNAMECMP_FNAME) {
+					sx.acc_acl = real_sx.acc_acl;
+					sx.def_acl = real_sx.def_acl;
+				} else
+					free_acl(&real_sx);
+			}
+#endif
 		}
-		set_file_attrs(fname, file, &st, maybe_ATTRS_REPORT);
+		set_file_attrs(fname, file, &sx, maybe_ATTRS_REPORT);
 		if (preserve_hard_links && file->link_u.links)
 			hard_link_cluster(file, ndx, itemizing, code);
 		if (remove_source_files != 1)
-			return;
+			goto cleanup;
 	  return_with_success:
 		if (!dry_run) {
 			char numbuf[4];
 			SIVAL(numbuf, 0, ndx);
 			send_msg(MSG_SUCCESS, numbuf, 4);
 		}
-		return;
+		goto cleanup;
 	}
 
   prepare_to_open:
 	if (partialptr) {
-		st = partial_st;
+		sx.st = partial_st;
 		fnamecmp = partialptr;
 		fnamecmp_type = FNAMECMP_PARTIAL_DIR;
 		statret = 0;
@@ -1264,17 +1333,21 @@ static void recv_generator(char *fname, 
 	  pretend_missing:
 		/* pretend the file didn't exist */
 		if (preserve_hard_links && file->link_u.links
-		    && hard_link_check(file, ndx, fname, statret, &st,
+		    && hard_link_check(file, ndx, fname, statret, &sx,
 				       itemizing, code, HL_SKIP))
-			return;
+			goto cleanup;
 		statret = real_ret = -1;
+#ifdef SUPPORT_ACLS
+		if (preserve_acls && ACL_READY(sx))
+			free_acl(&sx);
+#endif
 		goto notify_others;
 	}
 
 	if (inplace && make_backups && fnamecmp_type == FNAMECMP_FNAME) {
 		if (!(backupptr = get_backup_name(fname))) {
 			close(fd);
-			return;
+			goto cleanup;
 		}
 		if (!(back_file = make_file(fname, NULL, NULL, 0, NO_FILTERS))) {
 			close(fd);
@@ -1285,7 +1358,7 @@ static void recv_generator(char *fname, 
 				full_fname(backupptr));
 			free(back_file);
 			close(fd);
-			return;
+			goto cleanup;
 		}
 		if ((f_copy = do_open(backupptr,
 		    O_WRONLY | O_CREAT | O_TRUNC | O_EXCL, 0600)) < 0) {
@@ -1293,14 +1366,14 @@ static void recv_generator(char *fname, 
 				full_fname(backupptr));
 			free(back_file);
 			close(fd);
-			return;
+			goto cleanup;
 		}
 		fnamecmp_type = FNAMECMP_BACKUP;
 	}
 
 	if (verbose > 3) {
 		rprintf(FINFO, "gen mapped %s of size %.0f\n",
-			fnamecmp, (double)st.st_size);
+			fnamecmp, (double)sx.st.st_size);
 	}
 
 	if (verbose > 2)
@@ -1318,24 +1391,32 @@ static void recv_generator(char *fname, 
 			iflags |= ITEM_BASIS_TYPE_FOLLOWS;
 		if (fnamecmp_type == FNAMECMP_FUZZY)
 			iflags |= ITEM_XNAME_FOLLOWS;
-		itemize(file, -1, real_ret, &real_st, iflags, fnamecmp_type,
+#ifdef SUPPORT_ACLS
+		if (preserve_acls && real_ret == 0)
+			get_acl(fnamecmp, &real_sx);
+#endif
+		itemize(file, -1, real_ret, &real_sx, iflags, fnamecmp_type,
 			fuzzy_file ? fuzzy_file->basename : NULL);
+#ifdef SUPPORT_ACLS
+		if (preserve_acls)
+			free_acl(&real_sx);
+#endif
 	}
 
 	if (!do_xfers) {
 		if (preserve_hard_links && file->link_u.links)
 			hard_link_cluster(file, ndx, itemizing, code);
-		return;
+		goto cleanup;
 	}
 	if (read_batch)
-		return;
+		goto cleanup;
 
 	if (statret != 0 || whole_file) {
 		write_sum_head(f_out, NULL);
-		return;
+		goto cleanup;
 	}
 
-	generate_and_send_sums(fd, st.st_size, f_out, f_copy);
+	generate_and_send_sums(fd, sx.st.st_size, f_out, f_copy);
 
 	if (f_copy >= 0) {
 		close(f_copy);
@@ -1348,6 +1429,13 @@ static void recv_generator(char *fname, 
 	}
 
 	close(fd);
+
+  cleanup:
+#ifdef SUPPORT_ACLS
+	if (preserve_acls)
+		free_acl(&sx);
+#endif
+	return;
 }
 
 void generate_files(int f_out, struct file_list *flist, char *local_name)
@@ -1407,6 +1495,8 @@ void generate_files(int f_out, struct fi
 	 * notice that and let us know via the redo pipe (or its closing). */
 	ignore_timeout = 1;
 
+	dflt_perms = (ACCESSPERMS & ~orig_umask);
+
 	for (i = 0; i < flist->count; i++) {
 		struct file_struct *file = flist->files[i];
 
--- old/hlink.c
+++ new/hlink.c
@@ -26,6 +26,7 @@
 extern int verbose;
 extern int do_xfers;
 extern int link_dest;
+extern int preserve_acls;
 extern int make_backups;
 extern int remove_source_files;
 extern int stdout_format_has_i;
@@ -147,15 +148,19 @@ void init_hard_links(void)
 
 #ifdef SUPPORT_HARD_LINKS
 static int maybe_hard_link(struct file_struct *file, int ndx,
-			   char *fname, int statret, STRUCT_STAT *st,
+			   char *fname, int statret, statx *sxp,
 			   char *toname, STRUCT_STAT *to_st,
 			   int itemizing, enum logcode code)
 {
 	if (statret == 0) {
-		if (st->st_dev == to_st->st_dev
-		 && st->st_ino == to_st->st_ino) {
+		if (sxp->st.st_dev == to_st->st_dev
+		 && sxp->st.st_ino == to_st->st_ino) {
 			if (itemizing) {
-				itemize(file, ndx, statret, st,
+#ifdef SUPPORT_ACLS
+				if (preserve_acls && !ACL_READY(*sxp))
+					get_acl(fname, sxp);
+#endif
+				itemize(file, ndx, statret, sxp,
 					ITEM_LOCAL_CHANGE | ITEM_XNAME_FOLLOWS,
 					0, "");
 			}
@@ -170,13 +175,13 @@ static int maybe_hard_link(struct file_s
 			return -1;
 		}
 	}
-	return hard_link_one(file, ndx, fname, statret, st, toname,
+	return hard_link_one(file, ndx, fname, statret, sxp, toname,
 			     0, itemizing, code);
 }
 #endif
 
 int hard_link_check(struct file_struct *file, int ndx, char *fname,
-		    int statret, STRUCT_STAT *st, int itemizing,
+		    int statret, statx *sxp, int itemizing,
 		    enum logcode code, int skip)
 {
 #ifdef SUPPORT_HARD_LINKS
@@ -217,7 +222,7 @@ int hard_link_check(struct file_struct *
 						 || st2.st_ino != st3.st_ino)
 							continue;
 						statret = 1;
-						st = &st3;
+						sxp->st = st3;
 						if (verbose < 2 || !stdout_format_has_i) {
 							itemizing = 0;
 							code = FNONE;
@@ -227,12 +232,16 @@ int hard_link_check(struct file_struct *
 					if (!unchanged_file(cmpbuf, file, &st3))
 						continue;
 					statret = 1;
-					st = &st3;
-					if (unchanged_attrs(file, &st3))
+					sxp->st = st3;
+#ifdef SUPPORT_ACLS
+					if (preserve_acls)
+						get_acl(cmpbuf, sxp);
+#endif
+					if (unchanged_attrs(file, sxp))
 						break;
 				} while (basis_dir[++j] != NULL);
 			}
-			maybe_hard_link(file, ndx, fname, statret, st,
+			maybe_hard_link(file, ndx, fname, statret, sxp,
 					toname, &st2, itemizing, code);
 			if (remove_source_files == 1 && do_xfers) {
 				char numbuf[4];
@@ -250,7 +259,7 @@ int hard_link_check(struct file_struct *
 
 #ifdef SUPPORT_HARD_LINKS
 int hard_link_one(struct file_struct *file, int ndx, char *fname,
-		  int statret, STRUCT_STAT *st, char *toname, int terse,
+		  int statret, statx *sxp, char *toname, int terse,
 		  int itemizing, enum logcode code)
 {
 	if (do_link(toname, fname)) {
@@ -266,7 +275,11 @@ int hard_link_one(struct file_struct *fi
 	}
 
 	if (itemizing) {
-		itemize(file, ndx, statret, st,
+#ifdef SUPPORT_ACLS
+		if (preserve_acls && statret == 0 && !ACL_READY(*sxp))
+			get_acl(fname, sxp);
+#endif
+		itemize(file, ndx, statret, sxp,
 			ITEM_LOCAL_CHANGE | ITEM_XNAME_FOLLOWS, 0,
 			terse ? "" : toname);
 	}
@@ -283,11 +296,12 @@ void hard_link_cluster(struct file_struc
 #ifdef SUPPORT_HARD_LINKS
 	char hlink1[MAXPATHLEN];
 	char *hlink2;
-	STRUCT_STAT st1, st2;
+	statx sx;
+	STRUCT_STAT st;
 	int statret, ndx = master;
 
 	file->F_HLINDEX = FINISHED_LINK;
-	if (link_stat(f_name(file, hlink1), &st1, 0) < 0)
+	if (link_stat(f_name(file, hlink1), &st, 0) < 0)
 		return;
 	if (!(file->flags & FLAG_HLINK_TOL)) {
 		while (!(file->flags & FLAG_HLINK_EOL)) {
@@ -301,9 +315,13 @@ void hard_link_cluster(struct file_struc
 		if (file->F_HLINDEX != SKIPPED_LINK)
 			continue;
 		hlink2 = f_name(file, NULL);
-		statret = link_stat(hlink2, &st2, 0);
-		maybe_hard_link(file, ndx, hlink2, statret, &st2,
-				hlink1, &st1, itemizing, code);
+		statret = link_stat(hlink2, &sx.st, 0);
+		maybe_hard_link(file, ndx, hlink2, statret, &sx,
+				hlink1, &st, itemizing, code);
+#ifdef SUPPORT_ACLS
+		if (preserve_acls)
+			free_acl(&sx);
+#endif
 		if (remove_source_files == 1 && do_xfers) {
 			char numbuf[4];
 			SIVAL(numbuf, 0, ndx);
--- old/lib/sysacls.c
+++ new/lib/sysacls.c
@@ -0,0 +1,3251 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Samba system utilities for ACL support.
+   Copyright (C) Jeremy Allison 2000.
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "rsync.h"
+#include "sysacls.h" /****** ADDED ******/
+
+#ifdef SUPPORT_ACLS
+
+/****** EXTRAS -- THESE ITEMS ARE NOT FROM THE SAMBA SOURCE ******/
+#ifdef DEBUG
+#undef DEBUG
+#endif
+#define DEBUG(x,y)
+
+void SAFE_FREE(void *mem)
+{
+	if (mem)
+		free(mem);
+}
+
+char *uidtoname(uid_t uid)
+{
+	static char idbuf[12];
+	struct passwd *pw;
+
+	if ((pw = getpwuid(uid)) == NULL) {
+		slprintf(idbuf, sizeof(idbuf)-1, "%ld", (long)uid);
+		return idbuf;
+	}
+	return pw->pw_name;
+}
+/****** EXTRAS -- END ******/
+
+/*
+ This file wraps all differing system ACL interfaces into a consistent
+ one based on the POSIX interface. It also returns the correct errors
+ for older UNIX systems that don't support ACLs.
+
+ The interfaces that each ACL implementation must support are as follows :
+
+ int sys_acl_get_entry( SMB_ACL_T theacl, int entry_id, SMB_ACL_ENTRY_T *entry_p)
+ int sys_acl_get_tag_type( SMB_ACL_ENTRY_T entry_d, SMB_ACL_TAG_T *tag_type_p)
+ int sys_acl_get_permset( SMB_ACL_ENTRY_T entry_d, SMB_ACL_PERMSET_T *permset_p
+ void *sys_acl_get_qualifier( SMB_ACL_ENTRY_T entry_d)
+ SMB_ACL_T sys_acl_get_file( const char *path_p, SMB_ACL_TYPE_T type)
+ SMB_ACL_T sys_acl_get_fd(int fd)
+ int sys_acl_clear_perms(SMB_ACL_PERMSET_T permset);
+ int sys_acl_add_perm( SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm);
+ char *sys_acl_to_text( SMB_ACL_T theacl, ssize_t *plen)
+ SMB_ACL_T sys_acl_init( int count)
+ int sys_acl_create_entry( SMB_ACL_T *pacl, SMB_ACL_ENTRY_T *pentry)
+ int sys_acl_set_tag_type( SMB_ACL_ENTRY_T entry, SMB_ACL_TAG_T tagtype)
+ int sys_acl_set_qualifier( SMB_ACL_ENTRY_T entry, void *qual)
+ int sys_acl_set_permset( SMB_ACL_ENTRY_T entry, SMB_ACL_PERMSET_T permset)
+ int sys_acl_valid( SMB_ACL_T theacl )
+ int sys_acl_set_file( const char *name, SMB_ACL_TYPE_T acltype, SMB_ACL_T theacl)
+ int sys_acl_set_fd( int fd, SMB_ACL_T theacl)
+ int sys_acl_delete_def_file(const char *path)
+
+ This next one is not POSIX complient - but we *have* to have it !
+ More POSIX braindamage.
+
+ int sys_acl_get_perm( SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm)
+
+ The generic POSIX free is the following call. We split this into
+ several different free functions as we may need to add tag info
+ to structures when emulating the POSIX interface.
+
+ int sys_acl_free( void *obj_p)
+
+ The calls we actually use are :
+
+ int sys_acl_free_text(char *text) - free acl_to_text
+ int sys_acl_free_acl(SMB_ACL_T posix_acl)
+ int sys_acl_free_qualifier(void *qualifier, SMB_ACL_TAG_T tagtype)
+
+*/
+
+#if defined(HAVE_POSIX_ACLS)
+
+/* Identity mapping - easy. */
+
+int sys_acl_get_entry( SMB_ACL_T the_acl, int entry_id, SMB_ACL_ENTRY_T *entry_p)
+{
+	return acl_get_entry( the_acl, entry_id, entry_p);
+}
+
+int sys_acl_get_tag_type( SMB_ACL_ENTRY_T entry_d, SMB_ACL_TAG_T *tag_type_p)
+{
+	return acl_get_tag_type( entry_d, tag_type_p);
+}
+
+int sys_acl_get_permset( SMB_ACL_ENTRY_T entry_d, SMB_ACL_PERMSET_T *permset_p)
+{
+	return acl_get_permset( entry_d, permset_p);
+}
+
+void *sys_acl_get_qualifier( SMB_ACL_ENTRY_T entry_d)
+{
+	return acl_get_qualifier( entry_d);
+}
+
+SMB_ACL_T sys_acl_get_file( const char *path_p, SMB_ACL_TYPE_T type)
+{
+	return acl_get_file( path_p, type);
+}
+
+SMB_ACL_T sys_acl_get_fd(int fd)
+{
+	return acl_get_fd(fd);
+}
+
+int sys_acl_clear_perms(SMB_ACL_PERMSET_T permset)
+{
+	return acl_clear_perms(permset);
+}
+
+int sys_acl_add_perm( SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm)
+{
+	return acl_add_perm(permset, perm);
+}
+
+int sys_acl_get_perm( SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm)
+{
+#if defined(HAVE_ACL_GET_PERM_NP)
+	/*
+	 * Required for TrustedBSD-based ACL implementations where
+	 * non-POSIX.1e functions are denoted by a _np (non-portable)
+	 * suffix.
+	 */
+	return acl_get_perm_np(permset, perm);
+#else
+	return acl_get_perm(permset, perm);
+#endif
+}
+
+char *sys_acl_to_text( SMB_ACL_T the_acl, ssize_t *plen)
+{
+	return acl_to_text( the_acl, plen);
+}
+
+SMB_ACL_T sys_acl_init( int count)
+{
+	return acl_init(count);
+}
+
+int sys_acl_create_entry( SMB_ACL_T *pacl, SMB_ACL_ENTRY_T *pentry)
+{
+	return acl_create_entry(pacl, pentry);
+}
+
+int sys_acl_set_tag_type( SMB_ACL_ENTRY_T entry, SMB_ACL_TAG_T tagtype)
+{
+	return acl_set_tag_type(entry, tagtype);
+}
+
+int sys_acl_set_qualifier( SMB_ACL_ENTRY_T entry, void *qual)
+{
+	return acl_set_qualifier(entry, qual);
+}
+
+int sys_acl_set_permset( SMB_ACL_ENTRY_T entry, SMB_ACL_PERMSET_T permset)
+{
+	return acl_set_permset(entry, permset);
+}
+
+int sys_acl_valid( SMB_ACL_T theacl )
+{
+	return acl_valid(theacl);
+}
+
+int sys_acl_set_file(const char *name, SMB_ACL_TYPE_T acltype, SMB_ACL_T theacl)
+{
+	return acl_set_file(name, acltype, theacl);
+}
+
+int sys_acl_set_fd( int fd, SMB_ACL_T theacl)
+{
+	return acl_set_fd(fd, theacl);
+}
+
+int sys_acl_delete_def_file(const char *name)
+{
+	return acl_delete_def_file(name);
+}
+
+int sys_acl_free_text(char *text)
+{
+	return acl_free(text);
+}
+
+int sys_acl_free_acl(SMB_ACL_T the_acl) 
+{
+	return acl_free(the_acl);
+}
+
+int sys_acl_free_qualifier(void *qual, UNUSED(SMB_ACL_TAG_T tagtype))
+{
+	return acl_free(qual);
+}
+
+#elif defined(HAVE_TRU64_ACLS)
+/*
+ * The interface to DEC/Compaq Tru64 UNIX ACLs
+ * is based on Draft 13 of the POSIX spec which is
+ * slightly different from the Draft 16 interface.
+ * 
+ * Also, some of the permset manipulation functions
+ * such as acl_clear_perm() and acl_add_perm() appear
+ * to be broken on Tru64 so we have to manipulate
+ * the permission bits in the permset directly.
+ */
+int sys_acl_get_entry( SMB_ACL_T the_acl, int entry_id, SMB_ACL_ENTRY_T *entry_p)
+{
+	SMB_ACL_ENTRY_T	entry;
+
+	if (entry_id == SMB_ACL_FIRST_ENTRY && acl_first_entry(the_acl) != 0) {
+		return -1;
+	}
+
+	errno = 0;
+	if ((entry = acl_get_entry(the_acl)) != NULL) {
+		*entry_p = entry;
+		return 1;
+	}
+
+	return errno ? -1 : 0;
+}
+
+int sys_acl_get_tag_type( SMB_ACL_ENTRY_T entry_d, SMB_ACL_TAG_T *tag_type_p)
+{
+	return acl_get_tag_type( entry_d, tag_type_p);
+}
+
+int sys_acl_get_permset( SMB_ACL_ENTRY_T entry_d, SMB_ACL_PERMSET_T *permset_p)
+{
+	return acl_get_permset( entry_d, permset_p);
+}
+
+void *sys_acl_get_qualifier( SMB_ACL_ENTRY_T entry_d)
+{
+	return acl_get_qualifier( entry_d);
+}
+
+SMB_ACL_T sys_acl_get_file( const char *path_p, SMB_ACL_TYPE_T type)
+{
+	return acl_get_file((char *)path_p, type);
+}
+
+SMB_ACL_T sys_acl_get_fd(int fd)
+{
+	return acl_get_fd(fd, ACL_TYPE_ACCESS);
+}
+
+int sys_acl_clear_perms(SMB_ACL_PERMSET_T permset)
+{
+	*permset = 0;		/* acl_clear_perm() is broken on Tru64	*/
+
+	return 0;
+}
+
+int sys_acl_add_perm( SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm)
+{
+	if (perm & ~(SMB_ACL_READ | SMB_ACL_WRITE | SMB_ACL_EXECUTE)) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	*permset |= perm;	/* acl_add_perm() is broken on Tru64	*/
+
+	return 0;
+}
+
+int sys_acl_get_perm( SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm)
+{
+	return *permset & perm;	/* Tru64 doesn't have acl_get_perm() */
+}
+
+char *sys_acl_to_text( SMB_ACL_T the_acl, ssize_t *plen)
+{
+	return acl_to_text( the_acl, plen);
+}
+
+SMB_ACL_T sys_acl_init( int count)
+{
+	return acl_init(count);
+}
+
+int sys_acl_create_entry( SMB_ACL_T *pacl, SMB_ACL_ENTRY_T *pentry)
+{
+	SMB_ACL_ENTRY_T entry;
+
+	if ((entry = acl_create_entry(pacl)) == NULL) {
+		return -1;
+	}
+
+	*pentry = entry;
+	return 0;
+}
+
+int sys_acl_set_tag_type( SMB_ACL_ENTRY_T entry, SMB_ACL_TAG_T tagtype)
+{
+	return acl_set_tag_type(entry, tagtype);
+}
+
+int sys_acl_set_qualifier( SMB_ACL_ENTRY_T entry, void *qual)
+{
+	return acl_set_qualifier(entry, qual);
+}
+
+int sys_acl_set_permset( SMB_ACL_ENTRY_T entry, SMB_ACL_PERMSET_T permset)
+{
+	return acl_set_permset(entry, permset);
+}
+
+int sys_acl_valid( SMB_ACL_T theacl )
+{
+	acl_entry_t	entry;
+
+	return acl_valid(theacl, &entry);
+}
+
+int sys_acl_set_file( const char *name, SMB_ACL_TYPE_T acltype, SMB_ACL_T theacl)
+{
+	return acl_set_file((char *)name, acltype, theacl);
+}
+
+int sys_acl_set_fd( int fd, SMB_ACL_T theacl)
+{
+	return acl_set_fd(fd, ACL_TYPE_ACCESS, theacl);
+}
+
+int sys_acl_delete_def_file(const char *name)
+{
+	return acl_delete_def_file((char *)name);
+}
+
+int sys_acl_free_text(char *text)
+{
+	/*
+	 * (void) cast and explicit return 0 are for DEC UNIX
+	 *  which just #defines acl_free_text() to be free()
+	 */
+	(void) acl_free_text(text);
+	return 0;
+}
+
+int sys_acl_free_acl(SMB_ACL_T the_acl) 
+{
+	return acl_free(the_acl);
+}
+
+int sys_acl_free_qualifier(void *qual, SMB_ACL_TAG_T tagtype)
+{
+	return acl_free_qualifier(qual, tagtype);
+}
+
+#elif defined(HAVE_UNIXWARE_ACLS) || defined(HAVE_SOLARIS_ACLS)
+
+/*
+ * Donated by Michael Davidson <md@sco.COM> for UnixWare / OpenUNIX.
+ * Modified by Toomas Soome <tsoome@ut.ee> for Solaris.
+ */
+
+/*
+ * Note that while this code implements sufficient functionality
+ * to support the sys_acl_* interfaces it does not provide all
+ * of the semantics of the POSIX ACL interfaces.
+ *
+ * In particular, an ACL entry descriptor (SMB_ACL_ENTRY_T) returned
+ * from a call to sys_acl_get_entry() should not be assumed to be
+ * valid after calling any of the following functions, which may
+ * reorder the entries in the ACL.
+ *
+ *	sys_acl_valid()
+ *	sys_acl_set_file()
+ *	sys_acl_set_fd()
+ */
+
+/*
+ * The only difference between Solaris and UnixWare / OpenUNIX is
+ * that the #defines for the ACL operations have different names
+ */
+#if defined(HAVE_UNIXWARE_ACLS)
+
+#define	SETACL		ACL_SET
+#define	GETACL		ACL_GET
+#define	GETACLCNT	ACL_CNT
+
+#endif
+
+
+int sys_acl_get_entry(SMB_ACL_T acl_d, int entry_id, SMB_ACL_ENTRY_T *entry_p)
+{
+	if (entry_id != SMB_ACL_FIRST_ENTRY && entry_id != SMB_ACL_NEXT_ENTRY) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (entry_p == NULL) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (entry_id == SMB_ACL_FIRST_ENTRY) {
+		acl_d->next = 0;
+	}
+
+	if (acl_d->next < 0) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (acl_d->next >= acl_d->count) {
+		return 0;
+	}
+
+	*entry_p = &acl_d->acl[acl_d->next++];
+
+	return 1;
+}
+
+int sys_acl_get_tag_type(SMB_ACL_ENTRY_T entry_d, SMB_ACL_TAG_T *type_p)
+{
+	*type_p = entry_d->a_type;
+
+	return 0;
+}
+
+int sys_acl_get_permset(SMB_ACL_ENTRY_T entry_d, SMB_ACL_PERMSET_T *permset_p)
+{
+	*permset_p = &entry_d->a_perm;
+
+	return 0;
+}
+
+void *sys_acl_get_qualifier(SMB_ACL_ENTRY_T entry_d)
+{
+	if (entry_d->a_type != SMB_ACL_USER
+	    && entry_d->a_type != SMB_ACL_GROUP) {
+		errno = EINVAL;
+		return NULL;
+	}
+
+	return &entry_d->a_id;
+}
+
+/*
+ * There is no way of knowing what size the ACL returned by
+ * GETACL will be unless you first call GETACLCNT which means
+ * making an additional system call.
+ *
+ * In the hope of avoiding the cost of the additional system
+ * call in most cases, we initially allocate enough space for
+ * an ACL with INITIAL_ACL_SIZE entries. If this turns out to
+ * be too small then we use GETACLCNT to find out the actual
+ * size, reallocate the ACL buffer, and then call GETACL again.
+ */
+
+#define	INITIAL_ACL_SIZE	16
+
+SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
+{
+	SMB_ACL_T	acl_d;
+	int		count;		/* # of ACL entries allocated	*/
+	int		naccess;	/* # of access ACL entries	*/
+	int		ndefault;	/* # of default ACL entries	*/
+
+	if (type != SMB_ACL_TYPE_ACCESS && type != SMB_ACL_TYPE_DEFAULT) {
+		errno = EINVAL;
+		return NULL;
+	}
+
+	count = INITIAL_ACL_SIZE;
+	if ((acl_d = sys_acl_init(count)) == NULL) {
+		return NULL;
+	}
+
+	/*
+	 * If there isn't enough space for the ACL entries we use
+	 * GETACLCNT to determine the actual number of ACL entries
+	 * reallocate and try again. This is in a loop because it
+	 * is possible that someone else could modify the ACL and
+	 * increase the number of entries between the call to
+	 * GETACLCNT and the call to GETACL.
+	 */
+	while ((count = acl(path_p, GETACL, count, &acl_d->acl[0])) < 0
+	    && errno == ENOSPC) {
+
+		sys_acl_free_acl(acl_d);
+
+		if ((count = acl(path_p, GETACLCNT, 0, NULL)) < 0) {
+			return NULL;
+		}
+
+		if ((acl_d = sys_acl_init(count)) == NULL) {
+			return NULL;
+		}
+	}
+
+	if (count < 0) {
+		sys_acl_free_acl(acl_d);
+		return NULL;
+	}
+
+	/*
+	 * calculate the number of access and default ACL entries
+	 *
+	 * Note: we assume that the acl() system call returned a
+	 * well formed ACL which is sorted so that all of the
+	 * access ACL entries preceed any default ACL entries
+	 */
+	for (naccess = 0; naccess < count; naccess++) {
+		if (acl_d->acl[naccess].a_type & ACL_DEFAULT)
+			break;
+	}
+	ndefault = count - naccess;
+	
+	/*
+	 * if the caller wants the default ACL we have to copy
+	 * the entries down to the start of the acl[] buffer
+	 * and mask out the ACL_DEFAULT flag from the type field
+	 */
+	if (type == SMB_ACL_TYPE_DEFAULT) {
+		int	i, j;
+
+		for (i = 0, j = naccess; i < ndefault; i++, j++) {
+			acl_d->acl[i] = acl_d->acl[j];
+			acl_d->acl[i].a_type &= ~ACL_DEFAULT;
+		}
+
+		acl_d->count = ndefault;
+	} else {
+		acl_d->count = naccess;
+	}
+
+	return acl_d;
+}
+
+SMB_ACL_T sys_acl_get_fd(int fd)
+{
+	SMB_ACL_T	acl_d;
+	int		count;		/* # of ACL entries allocated	*/
+	int		naccess;	/* # of access ACL entries	*/
+
+	count = INITIAL_ACL_SIZE;
+	if ((acl_d = sys_acl_init(count)) == NULL) {
+		return NULL;
+	}
+
+	while ((count = facl(fd, GETACL, count, &acl_d->acl[0])) < 0
+	    && errno == ENOSPC) {
+
+		sys_acl_free_acl(acl_d);
+
+		if ((count = facl(fd, GETACLCNT, 0, NULL)) < 0) {
+			return NULL;
+		}
+
+		if ((acl_d = sys_acl_init(count)) == NULL) {
+			return NULL;
+		}
+	}
+
+	if (count < 0) {
+		sys_acl_free_acl(acl_d);
+		return NULL;
+	}
+
+	/*
+	 * calculate the number of access ACL entries
+	 */
+	for (naccess = 0; naccess < count; naccess++) {
+		if (acl_d->acl[naccess].a_type & ACL_DEFAULT)
+			break;
+	}
+	
+	acl_d->count = naccess;
+
+	return acl_d;
+}
+
+int sys_acl_clear_perms(SMB_ACL_PERMSET_T permset_d)
+{
+	*permset_d = 0;
+
+	return 0;
+}
+
+int sys_acl_add_perm(SMB_ACL_PERMSET_T permset_d, SMB_ACL_PERM_T perm)
+{
+	if (perm != SMB_ACL_READ && perm != SMB_ACL_WRITE
+	    && perm != SMB_ACL_EXECUTE) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (permset_d == NULL) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	*permset_d |= perm;
+
+	return 0;
+}
+
+int sys_acl_get_perm(SMB_ACL_PERMSET_T permset_d, SMB_ACL_PERM_T perm)
+{
+	return *permset_d & perm;
+}
+
+char *sys_acl_to_text(SMB_ACL_T acl_d, ssize_t *len_p)
+{
+	int	i;
+	int	len, maxlen;
+	char	*text;
+
+	/*
+	 * use an initial estimate of 20 bytes per ACL entry
+	 * when allocating memory for the text representation
+	 * of the ACL
+	 */
+	len	= 0;
+	maxlen	= 20 * acl_d->count;
+	if ((text = SMB_MALLOC(maxlen)) == NULL) {
+		errno = ENOMEM;
+		return NULL;
+	}
+
+	for (i = 0; i < acl_d->count; i++) {
+		struct acl	*ap	= &acl_d->acl[i];
+		struct group	*gr;
+		char		tagbuf[12];
+		char		idbuf[12];
+		char		*tag;
+		char		*id	= "";
+		char		perms[4];
+		int		nbytes;
+
+		switch (ap->a_type) {
+			/*
+			 * for debugging purposes it's probably more
+			 * useful to dump unknown tag types rather
+			 * than just returning an error
+			 */
+			default:
+				slprintf(tagbuf, sizeof(tagbuf)-1, "0x%x",
+					ap->a_type);
+				tag = tagbuf;
+				slprintf(idbuf, sizeof(idbuf)-1, "%ld",
+					(long)ap->a_id);
+				id = idbuf;
+				break;
+
+			case SMB_ACL_USER:
+				id = uidtoname(ap->a_id);
+			case SMB_ACL_USER_OBJ:
+				tag = "user";
+				break;
+
+			case SMB_ACL_GROUP:
+				if ((gr = getgrgid(ap->a_id)) == NULL) {
+					slprintf(idbuf, sizeof(idbuf)-1, "%ld",
+						(long)ap->a_id);
+					id = idbuf;
+				} else {
+					id = gr->gr_name;
+				}
+			case SMB_ACL_GROUP_OBJ:
+				tag = "group";
+				break;
+
+			case SMB_ACL_OTHER:
+				tag = "other";
+				break;
+
+			case SMB_ACL_MASK:
+				tag = "mask";
+				break;
+
+		}
+
+		perms[0] = (ap->a_perm & SMB_ACL_READ) ? 'r' : '-';
+		perms[1] = (ap->a_perm & SMB_ACL_WRITE) ? 'w' : '-';
+		perms[2] = (ap->a_perm & SMB_ACL_EXECUTE) ? 'x' : '-';
+		perms[3] = '\0';
+
+		/*          <tag>      :  <qualifier>   :  rwx \n  \0 */
+		nbytes = strlen(tag) + 1 + strlen(id) + 1 + 3 + 1 + 1;
+
+		/*
+		 * If this entry would overflow the buffer
+		 * allocate enough additional memory for this
+		 * entry and an estimate of another 20 bytes
+		 * for each entry still to be processed
+		 */
+		if ((len + nbytes) > maxlen) {
+			char *oldtext = text;
+
+			maxlen += nbytes + 20 * (acl_d->count - i);
+
+			if ((text = SMB_REALLOC(oldtext, maxlen)) == NULL) {
+				SAFE_FREE(oldtext);
+				errno = ENOMEM;
+				return NULL;
+			}
+		}
+
+		slprintf(&text[len], nbytes-1, "%s:%s:%s\n", tag, id, perms);
+		len += nbytes - 1;
+	}
+
+	if (len_p)
+		*len_p = len;
+
+	return text;
+}
+
+SMB_ACL_T sys_acl_init(int count)
+{
+	SMB_ACL_T	a;
+
+	if (count < 0) {
+		errno = EINVAL;
+		return NULL;
+	}
+
+	/*
+	 * note that since the definition of the structure pointed
+	 * to by the SMB_ACL_T includes the first element of the
+	 * acl[] array, this actually allocates an ACL with room
+	 * for (count+1) entries
+	 */
+	if ((a = (SMB_ACL_T)SMB_MALLOC(sizeof(struct SMB_ACL_T) + count * sizeof(struct acl))) == NULL) {
+		errno = ENOMEM;
+		return NULL;
+	}
+
+	a->size = count + 1;
+	a->count = 0;
+	a->next = -1;
+
+	return a;
+}
+
+
+int sys_acl_create_entry(SMB_ACL_T *acl_p, SMB_ACL_ENTRY_T *entry_p)
+{
+	SMB_ACL_T	acl_d;
+	SMB_ACL_ENTRY_T	entry_d;
+
+	if (acl_p == NULL || entry_p == NULL || (acl_d = *acl_p) == NULL) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (acl_d->count >= acl_d->size) {
+		errno = ENOSPC;
+		return -1;
+	}
+
+	entry_d		= &acl_d->acl[acl_d->count++];
+	entry_d->a_type	= 0;
+	entry_d->a_id	= -1;
+	entry_d->a_perm	= 0;
+	*entry_p	= entry_d;
+
+	return 0;
+}
+
+int sys_acl_set_tag_type(SMB_ACL_ENTRY_T entry_d, SMB_ACL_TAG_T tag_type)
+{
+	switch (tag_type) {
+		case SMB_ACL_USER:
+		case SMB_ACL_USER_OBJ:
+		case SMB_ACL_GROUP:
+		case SMB_ACL_GROUP_OBJ:
+		case SMB_ACL_OTHER:
+		case SMB_ACL_MASK:
+			entry_d->a_type = tag_type;
+			break;
+		default:
+			errno = EINVAL;
+			return -1;
+	}
+
+	return 0;
+}
+
+int sys_acl_set_qualifier(SMB_ACL_ENTRY_T entry_d, void *qual_p)
+{
+	if (entry_d->a_type != SMB_ACL_GROUP
+	    && entry_d->a_type != SMB_ACL_USER) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	entry_d->a_id = *((id_t *)qual_p);
+
+	return 0;
+}
+
+int sys_acl_set_permset(SMB_ACL_ENTRY_T entry_d, SMB_ACL_PERMSET_T permset_d)
+{
+	if (*permset_d & ~(SMB_ACL_READ|SMB_ACL_WRITE|SMB_ACL_EXECUTE)) {
+		return EINVAL;
+	}
+
+	entry_d->a_perm = *permset_d;
+
+	return 0;
+}
+
+/*
+ * sort the ACL and check it for validity
+ *
+ * if it's a minimal ACL with only 4 entries then we
+ * need to recalculate the mask permissions to make
+ * sure that they are the same as the GROUP_OBJ
+ * permissions as required by the UnixWare acl() system call.
+ *
+ * (note: since POSIX allows minimal ACLs which only contain
+ * 3 entries - ie there is no mask entry - we should, in theory,
+ * check for this and add a mask entry if necessary - however
+ * we "know" that the caller of this interface always specifies
+ * a mask so, in practice "this never happens" (tm) - if it *does*
+ * happen aclsort() will fail and return an error and someone will
+ * have to fix it ...)
+ */
+
+static int acl_sort(SMB_ACL_T acl_d)
+{
+	int     fixmask = (acl_d->count <= 4);
+
+	if (aclsort(acl_d->count, fixmask, acl_d->acl) != 0) {
+		errno = EINVAL;
+		return -1;
+	}
+	return 0;
+}
+ 
+int sys_acl_valid(SMB_ACL_T acl_d)
+{
+	return acl_sort(acl_d);
+}
+
+int sys_acl_set_file(const char *name, SMB_ACL_TYPE_T type, SMB_ACL_T acl_d)
+{
+	struct stat	s;
+	struct acl	*acl_p;
+	int		acl_count;
+	struct acl	*acl_buf	= NULL;
+	int		ret;
+
+	if (type != SMB_ACL_TYPE_ACCESS && type != SMB_ACL_TYPE_DEFAULT) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (acl_sort(acl_d) != 0) {
+		return -1;
+	}
+
+	acl_p		= &acl_d->acl[0];
+	acl_count	= acl_d->count;
+
+	/*
+	 * if it's a directory there is extra work to do
+	 * since the acl() system call will replace both
+	 * the access ACLs and the default ACLs (if any)
+	 */
+	if (stat(name, &s) != 0) {
+		return -1;
+	}
+	if (S_ISDIR(s.st_mode)) {
+		SMB_ACL_T	acc_acl;
+		SMB_ACL_T	def_acl;
+		SMB_ACL_T	tmp_acl;
+		int		i;
+
+		if (type == SMB_ACL_TYPE_ACCESS) {
+			acc_acl = acl_d;
+			def_acl = tmp_acl = sys_acl_get_file(name, SMB_ACL_TYPE_DEFAULT);
+
+		} else {
+			def_acl = acl_d;
+			acc_acl = tmp_acl = sys_acl_get_file(name, SMB_ACL_TYPE_ACCESS);
+		}
+
+		if (tmp_acl == NULL) {
+			return -1;
+		}
+
+		/*
+		 * allocate a temporary buffer for the complete ACL
+		 */
+		acl_count = acc_acl->count + def_acl->count;
+		acl_p = acl_buf = SMB_MALLOC_ARRAY(struct acl, acl_count);
+
+		if (acl_buf == NULL) {
+			sys_acl_free_acl(tmp_acl);
+			errno = ENOMEM;
+			return -1;
+		}
+
+		/*
+		 * copy the access control and default entries into the buffer
+		 */
+		memcpy(&acl_buf[0], &acc_acl->acl[0],
+			acc_acl->count * sizeof(acl_buf[0]));
+
+		memcpy(&acl_buf[acc_acl->count], &def_acl->acl[0],
+			def_acl->count * sizeof(acl_buf[0]));
+
+		/*
+		 * set the ACL_DEFAULT flag on the default entries
+		 */
+		for (i = acc_acl->count; i < acl_count; i++) {
+			acl_buf[i].a_type |= ACL_DEFAULT;
+		}
+
+		sys_acl_free_acl(tmp_acl);
+
+	} else if (type != SMB_ACL_TYPE_ACCESS) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	ret = acl(name, SETACL, acl_count, acl_p);
+
+	SAFE_FREE(acl_buf);
+
+	return ret;
+}
+
+int sys_acl_set_fd(int fd, SMB_ACL_T acl_d)
+{
+	if (acl_sort(acl_d) != 0) {
+		return -1;
+	}
+
+	return facl(fd, SETACL, acl_d->count, &acl_d->acl[0]);
+}
+
+int sys_acl_delete_def_file(const char *path)
+{
+	SMB_ACL_T	acl_d;
+	int		ret;
+
+	/*
+	 * fetching the access ACL and rewriting it has
+	 * the effect of deleting the default ACL
+	 */
+	if ((acl_d = sys_acl_get_file(path, SMB_ACL_TYPE_ACCESS)) == NULL) {
+		return -1;
+	}
+
+	ret = acl(path, SETACL, acl_d->count, acl_d->acl);
+
+	sys_acl_free_acl(acl_d);
+	
+	return ret;
+}
+
+int sys_acl_free_text(char *text)
+{
+	SAFE_FREE(text);
+	return 0;
+}
+
+int sys_acl_free_acl(SMB_ACL_T acl_d) 
+{
+	SAFE_FREE(acl_d);
+	return 0;
+}
+
+int sys_acl_free_qualifier(UNUSED(void *qual), UNUSED(SMB_ACL_TAG_T tagtype))
+{
+	return 0;
+}
+
+#elif defined(HAVE_HPUX_ACLS)
+#include <dl.h>
+
+/*
+ * Based on the Solaris/SCO code - with modifications.
+ */
+
+/*
+ * Note that while this code implements sufficient functionality
+ * to support the sys_acl_* interfaces it does not provide all
+ * of the semantics of the POSIX ACL interfaces.
+ *
+ * In particular, an ACL entry descriptor (SMB_ACL_ENTRY_T) returned
+ * from a call to sys_acl_get_entry() should not be assumed to be
+ * valid after calling any of the following functions, which may
+ * reorder the entries in the ACL.
+ *
+ *	sys_acl_valid()
+ *	sys_acl_set_file()
+ *	sys_acl_set_fd()
+ */
+
+/* This checks if the POSIX ACL system call is defined */
+/* which basically corresponds to whether JFS 3.3 or   */
+/* higher is installed. If acl() was called when it    */
+/* isn't defined, it causes the process to core dump   */
+/* so it is important to check this and avoid acl()    */
+/* calls if it isn't there.                            */
+
+static BOOL hpux_acl_call_presence(void)
+{
+
+	shl_t handle = NULL;
+	void *value;
+	int ret_val=0;
+	static BOOL already_checked=0;
+
+	if(already_checked)
+		return True;
+
+
+	ret_val = shl_findsym(&handle, "acl", TYPE_PROCEDURE, &value);
+
+	if(ret_val != 0) {
+		DEBUG(5, ("hpux_acl_call_presence: shl_findsym() returned %d, errno = %d, error %s\n",
+			ret_val, errno, strerror(errno)));
+		DEBUG(5,("hpux_acl_call_presence: acl() system call is not present. Check if you have JFS 3.3 and above?\n"));
+		return False;
+	}
+
+	DEBUG(10,("hpux_acl_call_presence: acl() system call is present. We have JFS 3.3 or above \n"));
+
+	already_checked = True;
+	return True;
+}
+
+int sys_acl_get_entry(SMB_ACL_T acl_d, int entry_id, SMB_ACL_ENTRY_T *entry_p)
+{
+	if (entry_id != SMB_ACL_FIRST_ENTRY && entry_id != SMB_ACL_NEXT_ENTRY) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (entry_p == NULL) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (entry_id == SMB_ACL_FIRST_ENTRY) {
+		acl_d->next = 0;
+	}
+
+	if (acl_d->next < 0) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (acl_d->next >= acl_d->count) {
+		return 0;
+	}
+
+	*entry_p = &acl_d->acl[acl_d->next++];
+
+	return 1;
+}
+
+int sys_acl_get_tag_type(SMB_ACL_ENTRY_T entry_d, SMB_ACL_TAG_T *type_p)
+{
+	*type_p = entry_d->a_type;
+
+	return 0;
+}
+
+int sys_acl_get_permset(SMB_ACL_ENTRY_T entry_d, SMB_ACL_PERMSET_T *permset_p)
+{
+	*permset_p = &entry_d->a_perm;
+
+	return 0;
+}
+
+void *sys_acl_get_qualifier(SMB_ACL_ENTRY_T entry_d)
+{
+	if (entry_d->a_type != SMB_ACL_USER
+	    && entry_d->a_type != SMB_ACL_GROUP) {
+		errno = EINVAL;
+		return NULL;
+	}
+
+	return &entry_d->a_id;
+}
+
+/*
+ * There is no way of knowing what size the ACL returned by
+ * ACL_GET will be unless you first call ACL_CNT which means
+ * making an additional system call.
+ *
+ * In the hope of avoiding the cost of the additional system
+ * call in most cases, we initially allocate enough space for
+ * an ACL with INITIAL_ACL_SIZE entries. If this turns out to
+ * be too small then we use ACL_CNT to find out the actual
+ * size, reallocate the ACL buffer, and then call ACL_GET again.
+ */
+
+#define	INITIAL_ACL_SIZE	16
+
+SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
+{
+	SMB_ACL_T	acl_d;
+	int		count;		/* # of ACL entries allocated	*/
+	int		naccess;	/* # of access ACL entries	*/
+	int		ndefault;	/* # of default ACL entries	*/
+
+	if(hpux_acl_call_presence() == False) {
+		/* Looks like we don't have the acl() system call on HPUX. 
+		 * May be the system doesn't have the latest version of JFS.
+		 */
+		return NULL; 
+	}
+
+	if (type != SMB_ACL_TYPE_ACCESS && type != SMB_ACL_TYPE_DEFAULT) {
+		errno = EINVAL;
+		return NULL;
+	}
+
+	count = INITIAL_ACL_SIZE;
+	if ((acl_d = sys_acl_init(count)) == NULL) {
+		return NULL;
+	}
+
+	/*
+	 * If there isn't enough space for the ACL entries we use
+	 * ACL_CNT to determine the actual number of ACL entries
+	 * reallocate and try again. This is in a loop because it
+	 * is possible that someone else could modify the ACL and
+	 * increase the number of entries between the call to
+	 * ACL_CNT and the call to ACL_GET.
+	 */
+	while ((count = acl(path_p, ACL_GET, count, &acl_d->acl[0])) < 0 && errno == ENOSPC) {
+
+		sys_acl_free_acl(acl_d);
+
+		if ((count = acl(path_p, ACL_CNT, 0, NULL)) < 0) {
+			return NULL;
+		}
+
+		if ((acl_d = sys_acl_init(count)) == NULL) {
+			return NULL;
+		}
+	}
+
+	if (count < 0) {
+		sys_acl_free_acl(acl_d);
+		return NULL;
+	}
+
+	/*
+	 * calculate the number of access and default ACL entries
+	 *
+	 * Note: we assume that the acl() system call returned a
+	 * well formed ACL which is sorted so that all of the
+	 * access ACL entries preceed any default ACL entries
+	 */
+	for (naccess = 0; naccess < count; naccess++) {
+		if (acl_d->acl[naccess].a_type & ACL_DEFAULT)
+			break;
+	}
+	ndefault = count - naccess;
+	
+	/*
+	 * if the caller wants the default ACL we have to copy
+	 * the entries down to the start of the acl[] buffer
+	 * and mask out the ACL_DEFAULT flag from the type field
+	 */
+	if (type == SMB_ACL_TYPE_DEFAULT) {
+		int	i, j;
+
+		for (i = 0, j = naccess; i < ndefault; i++, j++) {
+			acl_d->acl[i] = acl_d->acl[j];
+			acl_d->acl[i].a_type &= ~ACL_DEFAULT;
+		}
+
+		acl_d->count = ndefault;
+	} else {
+		acl_d->count = naccess;
+	}
+
+	return acl_d;
+}
+
+SMB_ACL_T sys_acl_get_fd(int fd)
+{
+	/*
+	 * HPUX doesn't have the facl call. Fake it using the path.... JRA.
+	 */
+
+	files_struct *fsp = file_find_fd(fd);
+
+	if (fsp == NULL) {
+		errno = EBADF;
+		return NULL;
+	}
+
+	/*
+	 * We know we're in the same conn context. So we
+	 * can use the relative path.
+	 */
+
+	return sys_acl_get_file(fsp->fsp_name, SMB_ACL_TYPE_ACCESS);
+}
+
+int sys_acl_clear_perms(SMB_ACL_PERMSET_T permset_d)
+{
+	*permset_d = 0;
+
+	return 0;
+}
+
+int sys_acl_add_perm(SMB_ACL_PERMSET_T permset_d, SMB_ACL_PERM_T perm)
+{
+	if (perm != SMB_ACL_READ && perm != SMB_ACL_WRITE
+	    && perm != SMB_ACL_EXECUTE) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (permset_d == NULL) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	*permset_d |= perm;
+
+	return 0;
+}
+
+int sys_acl_get_perm(SMB_ACL_PERMSET_T permset_d, SMB_ACL_PERM_T perm)
+{
+	return *permset_d & perm;
+}
+
+char *sys_acl_to_text(SMB_ACL_T acl_d, ssize_t *len_p)
+{
+	int	i;
+	int	len, maxlen;
+	char	*text;
+
+	/*
+	 * use an initial estimate of 20 bytes per ACL entry
+	 * when allocating memory for the text representation
+	 * of the ACL
+	 */
+	len	= 0;
+	maxlen	= 20 * acl_d->count;
+	if ((text = SMB_MALLOC(maxlen)) == NULL) {
+		errno = ENOMEM;
+		return NULL;
+	}
+
+	for (i = 0; i < acl_d->count; i++) {
+		struct acl	*ap	= &acl_d->acl[i];
+		struct group	*gr;
+		char		tagbuf[12];
+		char		idbuf[12];
+		char		*tag;
+		char		*id	= "";
+		char		perms[4];
+		int		nbytes;
+
+		switch (ap->a_type) {
+			/*
+			 * for debugging purposes it's probably more
+			 * useful to dump unknown tag types rather
+			 * than just returning an error
+			 */
+			default:
+				slprintf(tagbuf, sizeof(tagbuf)-1, "0x%x",
+					ap->a_type);
+				tag = tagbuf;
+				slprintf(idbuf, sizeof(idbuf)-1, "%ld",
+					(long)ap->a_id);
+				id = idbuf;
+				break;
+
+			case SMB_ACL_USER:
+				id = uidtoname(ap->a_id);
+			case SMB_ACL_USER_OBJ:
+				tag = "user";
+				break;
+
+			case SMB_ACL_GROUP:
+				if ((gr = getgrgid(ap->a_id)) == NULL) {
+					slprintf(idbuf, sizeof(idbuf)-1, "%ld",
+						(long)ap->a_id);
+					id = idbuf;
+				} else {
+					id = gr->gr_name;
+				}
+			case SMB_ACL_GROUP_OBJ:
+				tag = "group";
+				break;
+
+			case SMB_ACL_OTHER:
+				tag = "other";
+				break;
+
+			case SMB_ACL_MASK:
+				tag = "mask";
+				break;
+
+		}
+
+		perms[0] = (ap->a_perm & SMB_ACL_READ) ? 'r' : '-';
+		perms[1] = (ap->a_perm & SMB_ACL_WRITE) ? 'w' : '-';
+		perms[2] = (ap->a_perm & SMB_ACL_EXECUTE) ? 'x' : '-';
+		perms[3] = '\0';
+
+		/*          <tag>      :  <qualifier>   :  rwx \n  \0 */
+		nbytes = strlen(tag) + 1 + strlen(id) + 1 + 3 + 1 + 1;
+
+		/*
+		 * If this entry would overflow the buffer
+		 * allocate enough additional memory for this
+		 * entry and an estimate of another 20 bytes
+		 * for each entry still to be processed
+		 */
+		if ((len + nbytes) > maxlen) {
+			char *oldtext = text;
+
+			maxlen += nbytes + 20 * (acl_d->count - i);
+
+			if ((text = SMB_REALLOC(oldtext, maxlen)) == NULL) {
+				free(oldtext);
+				errno = ENOMEM;
+				return NULL;
+			}
+		}
+
+		slprintf(&text[len], nbytes-1, "%s:%s:%s\n", tag, id, perms);
+		len += nbytes - 1;
+	}
+
+	if (len_p)
+		*len_p = len;
+
+	return text;
+}
+
+SMB_ACL_T sys_acl_init(int count)
+{
+	SMB_ACL_T	a;
+
+	if (count < 0) {
+		errno = EINVAL;
+		return NULL;
+	}
+
+	/*
+	 * note that since the definition of the structure pointed
+	 * to by the SMB_ACL_T includes the first element of the
+	 * acl[] array, this actually allocates an ACL with room
+	 * for (count+1) entries
+	 */
+	if ((a = SMB_MALLOC(sizeof(struct SMB_ACL_T) + count * sizeof(struct acl))) == NULL) {
+		errno = ENOMEM;
+		return NULL;
+	}
+
+	a->size = count + 1;
+	a->count = 0;
+	a->next = -1;
+
+	return a;
+}
+
+
+int sys_acl_create_entry(SMB_ACL_T *acl_p, SMB_ACL_ENTRY_T *entry_p)
+{
+	SMB_ACL_T	acl_d;
+	SMB_ACL_ENTRY_T	entry_d;
+
+	if (acl_p == NULL || entry_p == NULL || (acl_d = *acl_p) == NULL) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (acl_d->count >= acl_d->size) {
+		errno = ENOSPC;
+		return -1;
+	}
+
+	entry_d		= &acl_d->acl[acl_d->count++];
+	entry_d->a_type	= 0;
+	entry_d->a_id	= -1;
+	entry_d->a_perm	= 0;
+	*entry_p	= entry_d;
+
+	return 0;
+}
+
+int sys_acl_set_tag_type(SMB_ACL_ENTRY_T entry_d, SMB_ACL_TAG_T tag_type)
+{
+	switch (tag_type) {
+		case SMB_ACL_USER:
+		case SMB_ACL_USER_OBJ:
+		case SMB_ACL_GROUP:
+		case SMB_ACL_GROUP_OBJ:
+		case SMB_ACL_OTHER:
+		case SMB_ACL_MASK:
+			entry_d->a_type = tag_type;
+			break;
+		default:
+			errno = EINVAL;
+			return -1;
+	}
+
+	return 0;
+}
+
+int sys_acl_set_qualifier(SMB_ACL_ENTRY_T entry_d, void *qual_p)
+{
+	if (entry_d->a_type != SMB_ACL_GROUP
+	    && entry_d->a_type != SMB_ACL_USER) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	entry_d->a_id = *((id_t *)qual_p);
+
+	return 0;
+}
+
+int sys_acl_set_permset(SMB_ACL_ENTRY_T entry_d, SMB_ACL_PERMSET_T permset_d)
+{
+	if (*permset_d & ~(SMB_ACL_READ|SMB_ACL_WRITE|SMB_ACL_EXECUTE)) {
+		return EINVAL;
+	}
+
+	entry_d->a_perm = *permset_d;
+
+	return 0;
+}
+
+/* Structure to capture the count for each type of ACE. */
+
+struct hpux_acl_types {
+	int n_user;
+	int n_def_user;
+	int n_user_obj;
+	int n_def_user_obj;
+
+	int n_group;
+	int n_def_group;
+	int n_group_obj;
+	int n_def_group_obj;
+
+	int n_other;
+	int n_other_obj;
+	int n_def_other_obj;
+
+	int n_class_obj;
+	int n_def_class_obj;
+
+	int n_illegal_obj;
+};
+
+/* count_obj:
+ * Counts the different number of objects in a given array of ACL
+ * structures.
+ * Inputs:
+ *
+ * acl_count      - Count of ACLs in the array of ACL strucutres.
+ * aclp           - Array of ACL structures.
+ * acl_type_count - Pointer to acl_types structure. Should already be
+ *                  allocated.
+ * Output: 
+ *
+ * acl_type_count - This structure is filled up with counts of various 
+ *                  acl types.
+ */
+
+static int hpux_count_obj(int acl_count, struct acl *aclp, struct hpux_acl_types *acl_type_count)
+{
+	int i;
+
+	memset(acl_type_count, 0, sizeof(struct hpux_acl_types));
+
+	for(i=0;i<acl_count;i++) {
+		switch(aclp[i].a_type) {
+		case USER: 
+			acl_type_count->n_user++;
+			break;
+		case USER_OBJ: 
+			acl_type_count->n_user_obj++;
+			break;
+		case DEF_USER_OBJ: 
+			acl_type_count->n_def_user_obj++;
+			break;
+		case GROUP: 
+			acl_type_count->n_group++;
+			break;
+		case GROUP_OBJ: 
+			acl_type_count->n_group_obj++;
+			break;
+		case DEF_GROUP_OBJ: 
+			acl_type_count->n_def_group_obj++;
+			break;
+		case OTHER_OBJ: 
+			acl_type_count->n_other_obj++;
+			break;
+		case DEF_OTHER_OBJ: 
+			acl_type_count->n_def_other_obj++;
+			break;
+		case CLASS_OBJ:
+			acl_type_count->n_class_obj++;
+			break;
+		case DEF_CLASS_OBJ:
+			acl_type_count->n_def_class_obj++;
+			break;
+		case DEF_USER:
+			acl_type_count->n_def_user++;
+			break;
+		case DEF_GROUP:
+			acl_type_count->n_def_group++;
+			break;
+		default: 
+			acl_type_count->n_illegal_obj++;
+			break;
+		}
+	}
+}
+
+/* swap_acl_entries:  Swaps two ACL entries. 
+ *
+ * Inputs: aclp0, aclp1 - ACL entries to be swapped.
+ */
+
+static void hpux_swap_acl_entries(struct acl *aclp0, struct acl *aclp1)
+{
+	struct acl temp_acl;
+
+	temp_acl.a_type = aclp0->a_type;
+	temp_acl.a_id = aclp0->a_id;
+	temp_acl.a_perm = aclp0->a_perm;
+
+	aclp0->a_type = aclp1->a_type;
+	aclp0->a_id = aclp1->a_id;
+	aclp0->a_perm = aclp1->a_perm;
+
+	aclp1->a_type = temp_acl.a_type;
+	aclp1->a_id = temp_acl.a_id;
+	aclp1->a_perm = temp_acl.a_perm;
+}
+
+/* prohibited_duplicate_type
+ * Identifies if given ACL type can have duplicate entries or 
+ * not.
+ *
+ * Inputs: acl_type - ACL Type.
+ *
+ * Outputs: 
+ *
+ * Return.. 
+ *
+ * True - If the ACL type matches any of the prohibited types.
+ * False - If the ACL type doesn't match any of the prohibited types.
+ */ 
+
+static BOOL hpux_prohibited_duplicate_type(int acl_type)
+{
+	switch(acl_type) {
+		case USER:
+		case GROUP:
+		case DEF_USER: 
+		case DEF_GROUP:
+			return True;
+		default:
+			return False;
+	}
+}
+
+/* get_needed_class_perm
+ * Returns the permissions of a ACL structure only if the ACL
+ * type matches one of the pre-determined types for computing 
+ * CLASS_OBJ permissions.
+ *
+ * Inputs: aclp - Pointer to ACL structure.
+ */
+
+static int hpux_get_needed_class_perm(struct acl *aclp)
+{
+	switch(aclp->a_type) {
+		case USER: 
+		case GROUP_OBJ: 
+		case GROUP: 
+		case DEF_USER_OBJ: 
+		case DEF_USER:
+		case DEF_GROUP_OBJ: 
+		case DEF_GROUP:
+		case DEF_CLASS_OBJ:
+		case DEF_OTHER_OBJ: 
+			return aclp->a_perm;
+		default: 
+			return 0;
+	}
+}
+
+/* acl_sort for HPUX.
+ * Sorts the array of ACL structures as per the description in
+ * aclsort man page. Refer to aclsort man page for more details
+ *
+ * Inputs:
+ *
+ * acl_count - Count of ACLs in the array of ACL structures.
+ * calclass  - If this is not zero, then we compute the CLASS_OBJ
+ *             permissions.
+ * aclp      - Array of ACL structures.
+ *
+ * Outputs:
+ *
+ * aclp     - Sorted array of ACL structures.
+ *
+ * Outputs:
+ *
+ * Returns 0 for success -1 for failure. Prints a message to the Samba
+ * debug log in case of failure.
+ */
+
+static int hpux_acl_sort(int acl_count, int calclass, struct acl *aclp)
+{
+#if !defined(HAVE_HPUX_ACLSORT)
+	/*
+	 * The aclsort() system call is availabe on the latest HPUX General
+	 * Patch Bundles. So for HPUX, we developed our version of acl_sort 
+	 * function. Because, we don't want to update to a new 
+	 * HPUX GR bundle just for aclsort() call.
+	 */
+
+	struct hpux_acl_types acl_obj_count;
+	int n_class_obj_perm = 0;
+	int i, j;
+ 
+	if(!acl_count) {
+		DEBUG(10,("Zero acl count passed. Returning Success\n"));
+		return 0;
+	}
+
+	if(aclp == NULL) {
+		DEBUG(0,("Null ACL pointer in hpux_acl_sort. Returning Failure. \n"));
+		return -1;
+	}
+
+	/* Count different types of ACLs in the ACLs array */
+
+	hpux_count_obj(acl_count, aclp, &acl_obj_count);
+
+	/* There should be only one entry each of type USER_OBJ, GROUP_OBJ, 
+	 * CLASS_OBJ and OTHER_OBJ 
+	 */
+
+	if( (acl_obj_count.n_user_obj  != 1) || 
+		(acl_obj_count.n_group_obj != 1) || 
+		(acl_obj_count.n_class_obj != 1) ||
+		(acl_obj_count.n_other_obj != 1) 
+	) {
+		DEBUG(0,("hpux_acl_sort: More than one entry or no entries for \
+USER OBJ or GROUP_OBJ or OTHER_OBJ or CLASS_OBJ\n"));
+		return -1;
+	}
+
+	/* If any of the default objects are present, there should be only
+	 * one of them each.
+	 */
+
+	if( (acl_obj_count.n_def_user_obj  > 1) || (acl_obj_count.n_def_group_obj > 1) || 
+			(acl_obj_count.n_def_other_obj > 1) || (acl_obj_count.n_def_class_obj > 1) ) {
+		DEBUG(0,("hpux_acl_sort: More than one entry for DEF_CLASS_OBJ \
+or DEF_USER_OBJ or DEF_GROUP_OBJ or DEF_OTHER_OBJ\n"));
+		return -1;
+	}
+
+	/* We now have proper number of OBJ and DEF_OBJ entries. Now sort the acl 
+	 * structures.  
+	 *
+	 * Sorting crieteria - First sort by ACL type. If there are multiple entries of
+	 * same ACL type, sort by ACL id.
+	 *
+	 * I am using the trival kind of sorting method here because, performance isn't 
+	 * really effected by the ACLs feature. More over there aren't going to be more
+	 * than 17 entries on HPUX. 
+	 */
+
+	for(i=0; i<acl_count;i++) {
+		for (j=i+1; j<acl_count; j++) {
+			if( aclp[i].a_type > aclp[j].a_type ) {
+				/* ACL entries out of order, swap them */
+
+				hpux_swap_acl_entries((aclp+i), (aclp+j));
+
+			} else if ( aclp[i].a_type == aclp[j].a_type ) {
+
+				/* ACL entries of same type, sort by id */
+
+				if(aclp[i].a_id > aclp[j].a_id) {
+					hpux_swap_acl_entries((aclp+i), (aclp+j));
+				} else if (aclp[i].a_id == aclp[j].a_id) {
+					/* We have a duplicate entry. */
+					if(hpux_prohibited_duplicate_type(aclp[i].a_type)) {
+						DEBUG(0, ("hpux_acl_sort: Duplicate entry: Type(hex): %x Id: %d\n",
+							aclp[i].a_type, aclp[i].a_id));
+						return -1;
+					}
+				}
+
+			}
+		}
+	}
+
+	/* set the class obj permissions to the computed one. */
+	if(calclass) {
+		int n_class_obj_index = -1;
+
+		for(i=0;i<acl_count;i++) {
+			n_class_obj_perm |= hpux_get_needed_class_perm((aclp+i));
+
+			if(aclp[i].a_type == CLASS_OBJ)
+				n_class_obj_index = i;
+		}
+		aclp[n_class_obj_index].a_perm = n_class_obj_perm;
+	}
+
+	return 0;
+#else
+	return aclsort(acl_count, calclass, aclp);
+#endif
+}
+
+/*
+ * sort the ACL and check it for validity
+ *
+ * if it's a minimal ACL with only 4 entries then we
+ * need to recalculate the mask permissions to make
+ * sure that they are the same as the GROUP_OBJ
+ * permissions as required by the UnixWare acl() system call.
+ *
+ * (note: since POSIX allows minimal ACLs which only contain
+ * 3 entries - ie there is no mask entry - we should, in theory,
+ * check for this and add a mask entry if necessary - however
+ * we "know" that the caller of this interface always specifies
+ * a mask so, in practice "this never happens" (tm) - if it *does*
+ * happen aclsort() will fail and return an error and someone will
+ * have to fix it ...)
+ */
+
+static int acl_sort(SMB_ACL_T acl_d)
+{
+	int fixmask = (acl_d->count <= 4);
+
+	if (hpux_acl_sort(acl_d->count, fixmask, acl_d->acl) != 0) {
+		errno = EINVAL;
+		return -1;
+	}
+	return 0;
+}
+ 
+int sys_acl_valid(SMB_ACL_T acl_d)
+{
+	return acl_sort(acl_d);
+}
+
+int sys_acl_set_file(const char *name, SMB_ACL_TYPE_T type, SMB_ACL_T acl_d)
+{
+	struct stat	s;
+	struct acl	*acl_p;
+	int		acl_count;
+	struct acl	*acl_buf	= NULL;
+	int		ret;
+
+	if(hpux_acl_call_presence() == False) {
+		/* Looks like we don't have the acl() system call on HPUX. 
+		 * May be the system doesn't have the latest version of JFS.
+		 */
+		errno=ENOSYS;
+		return -1; 
+	}
+
+	if (type != SMB_ACL_TYPE_ACCESS && type != SMB_ACL_TYPE_DEFAULT) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (acl_sort(acl_d) != 0) {
+		return -1;
+	}
+
+	acl_p		= &acl_d->acl[0];
+	acl_count	= acl_d->count;
+
+	/*
+	 * if it's a directory there is extra work to do
+	 * since the acl() system call will replace both
+	 * the access ACLs and the default ACLs (if any)
+	 */
+	if (stat(name, &s) != 0) {
+		return -1;
+	}
+	if (S_ISDIR(s.st_mode)) {
+		SMB_ACL_T	acc_acl;
+		SMB_ACL_T	def_acl;
+		SMB_ACL_T	tmp_acl;
+		int		i;
+
+		if (type == SMB_ACL_TYPE_ACCESS) {
+			acc_acl = acl_d;
+			def_acl = tmp_acl = sys_acl_get_file(name, SMB_ACL_TYPE_DEFAULT);
+
+		} else {
+			def_acl = acl_d;
+			acc_acl = tmp_acl = sys_acl_get_file(name, SMB_ACL_TYPE_ACCESS);
+		}
+
+		if (tmp_acl == NULL) {
+			return -1;
+		}
+
+		/*
+		 * allocate a temporary buffer for the complete ACL
+		 */
+		acl_count = acc_acl->count + def_acl->count;
+		acl_p = acl_buf = SMB_MALLOC_ARRAY(struct acl, acl_count);
+
+		if (acl_buf == NULL) {
+			sys_acl_free_acl(tmp_acl);
+			errno = ENOMEM;
+			return -1;
+		}
+
+		/*
+		 * copy the access control and default entries into the buffer
+		 */
+		memcpy(&acl_buf[0], &acc_acl->acl[0],
+			acc_acl->count * sizeof(acl_buf[0]));
+
+		memcpy(&acl_buf[acc_acl->count], &def_acl->acl[0],
+			def_acl->count * sizeof(acl_buf[0]));
+
+		/*
+		 * set the ACL_DEFAULT flag on the default entries
+		 */
+		for (i = acc_acl->count; i < acl_count; i++) {
+			acl_buf[i].a_type |= ACL_DEFAULT;
+		}
+
+		sys_acl_free_acl(tmp_acl);
+
+	} else if (type != SMB_ACL_TYPE_ACCESS) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	ret = acl(name, ACL_SET, acl_count, acl_p);
+
+	if (acl_buf) {
+		free(acl_buf);
+	}
+
+	return ret;
+}
+
+int sys_acl_set_fd(int fd, SMB_ACL_T acl_d)
+{
+	/*
+	 * HPUX doesn't have the facl call. Fake it using the path.... JRA.
+	 */
+
+	files_struct *fsp = file_find_fd(fd);
+
+	if (fsp == NULL) {
+		errno = EBADF;
+		return NULL;
+	}
+
+	if (acl_sort(acl_d) != 0) {
+		return -1;
+	}
+
+	/*
+	 * We know we're in the same conn context. So we
+	 * can use the relative path.
+	 */
+
+	return sys_acl_set_file(fsp->fsp_name, SMB_ACL_TYPE_ACCESS, acl_d);
+}
+
+int sys_acl_delete_def_file(const char *path)
+{
+	SMB_ACL_T	acl_d;
+	int		ret;
+
+	/*
+	 * fetching the access ACL and rewriting it has
+	 * the effect of deleting the default ACL
+	 */
+	if ((acl_d = sys_acl_get_file(path, SMB_ACL_TYPE_ACCESS)) == NULL) {
+		return -1;
+	}
+
+	ret = acl(path, ACL_SET, acl_d->count, acl_d->acl);
+
+	sys_acl_free_acl(acl_d);
+	
+	return ret;
+}
+
+int sys_acl_free_text(char *text)
+{
+	free(text);
+	return 0;
+}
+
+int sys_acl_free_acl(SMB_ACL_T acl_d) 
+{
+	free(acl_d);
+	return 0;
+}
+
+int sys_acl_free_qualifier(void *qual, SMB_ACL_TAG_T tagtype)
+{
+	return 0;
+}
+
+#elif defined(HAVE_IRIX_ACLS)
+
+int sys_acl_get_entry(SMB_ACL_T acl_d, int entry_id, SMB_ACL_ENTRY_T *entry_p)
+{
+	if (entry_id != SMB_ACL_FIRST_ENTRY && entry_id != SMB_ACL_NEXT_ENTRY) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (entry_p == NULL) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (entry_id == SMB_ACL_FIRST_ENTRY) {
+		acl_d->next = 0;
+	}
+
+	if (acl_d->next < 0) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (acl_d->next >= acl_d->aclp->acl_cnt) {
+		return 0;
+	}
+
+	*entry_p = &acl_d->aclp->acl_entry[acl_d->next++];
+
+	return 1;
+}
+
+int sys_acl_get_tag_type(SMB_ACL_ENTRY_T entry_d, SMB_ACL_TAG_T *type_p)
+{
+	*type_p = entry_d->ae_tag;
+
+	return 0;
+}
+
+int sys_acl_get_permset(SMB_ACL_ENTRY_T entry_d, SMB_ACL_PERMSET_T *permset_p)
+{
+	*permset_p = entry_d;
+
+	return 0;
+}
+
+void *sys_acl_get_qualifier(SMB_ACL_ENTRY_T entry_d)
+{
+	if (entry_d->ae_tag != SMB_ACL_USER
+	    && entry_d->ae_tag != SMB_ACL_GROUP) {
+		errno = EINVAL;
+		return NULL;
+	}
+
+	return &entry_d->ae_id;
+}
+
+SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
+{
+	SMB_ACL_T	a;
+
+	if ((a = SMB_MALLOC_P(struct SMB_ACL_T)) == NULL) {
+		errno = ENOMEM;
+		return NULL;
+	}
+	if ((a->aclp = acl_get_file(path_p, type)) == NULL) {
+		SAFE_FREE(a);
+		return NULL;
+	}
+	a->next = -1;
+	a->freeaclp = True;
+	return a;
+}
+
+SMB_ACL_T sys_acl_get_fd(int fd)
+{
+	SMB_ACL_T	a;
+
+	if ((a = SMB_MALLOC_P(struct SMB_ACL_T)) == NULL) {
+		errno = ENOMEM;
+		return NULL;
+	}
+	if ((a->aclp = acl_get_fd(fd)) == NULL) {
+		SAFE_FREE(a);
+		return NULL;
+	}
+	a->next = -1;
+	a->freeaclp = True;
+	return a;
+}
+
+int sys_acl_clear_perms(SMB_ACL_PERMSET_T permset_d)
+{
+	permset_d->ae_perm = 0;
+
+	return 0;
+}
+
+int sys_acl_add_perm(SMB_ACL_PERMSET_T permset_d, SMB_ACL_PERM_T perm)
+{
+	if (perm != SMB_ACL_READ && perm != SMB_ACL_WRITE
+	    && perm != SMB_ACL_EXECUTE) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (permset_d == NULL) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	permset_d->ae_perm |= perm;
+
+	return 0;
+}
+
+int sys_acl_get_perm(SMB_ACL_PERMSET_T permset_d, SMB_ACL_PERM_T perm)
+{
+	return permset_d->ae_perm & perm;
+}
+
+char *sys_acl_to_text(SMB_ACL_T acl_d, ssize_t *len_p)
+{
+	return acl_to_text(acl_d->aclp, len_p);
+}
+
+SMB_ACL_T sys_acl_init(int count)
+{
+	SMB_ACL_T	a;
+
+	if (count < 0) {
+		errno = EINVAL;
+		return NULL;
+	}
+
+	if ((a = SMB_MALLOC(sizeof(struct SMB_ACL_T) + sizeof(struct acl))) == NULL) {
+		errno = ENOMEM;
+		return NULL;
+	}
+
+	a->next = -1;
+	a->freeaclp = False;
+	a->aclp = (struct acl *)(&a->aclp + sizeof(struct acl *));
+	a->aclp->acl_cnt = 0;
+
+	return a;
+}
+
+
+int sys_acl_create_entry(SMB_ACL_T *acl_p, SMB_ACL_ENTRY_T *entry_p)
+{
+	SMB_ACL_T	acl_d;
+	SMB_ACL_ENTRY_T	entry_d;
+
+	if (acl_p == NULL || entry_p == NULL || (acl_d = *acl_p) == NULL) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (acl_d->aclp->acl_cnt >= ACL_MAX_ENTRIES) {
+		errno = ENOSPC;
+		return -1;
+	}
+
+	entry_d		= &acl_d->aclp->acl_entry[acl_d->aclp->acl_cnt++];
+	entry_d->ae_tag	= 0;
+	entry_d->ae_id	= 0;
+	entry_d->ae_perm	= 0;
+	*entry_p	= entry_d;
+
+	return 0;
+}
+
+int sys_acl_set_tag_type(SMB_ACL_ENTRY_T entry_d, SMB_ACL_TAG_T tag_type)
+{
+	switch (tag_type) {
+		case SMB_ACL_USER:
+		case SMB_ACL_USER_OBJ:
+		case SMB_ACL_GROUP:
+		case SMB_ACL_GROUP_OBJ:
+		case SMB_ACL_OTHER:
+		case SMB_ACL_MASK:
+			entry_d->ae_tag = tag_type;
+			break;
+		default:
+			errno = EINVAL;
+			return -1;
+	}
+
+	return 0;
+}
+
+int sys_acl_set_qualifier(SMB_ACL_ENTRY_T entry_d, void *qual_p)
+{
+	if (entry_d->ae_tag != SMB_ACL_GROUP
+	    && entry_d->ae_tag != SMB_ACL_USER) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	entry_d->ae_id = *((id_t *)qual_p);
+
+	return 0;
+}
+
+int sys_acl_set_permset(SMB_ACL_ENTRY_T entry_d, SMB_ACL_PERMSET_T permset_d)
+{
+	if (permset_d->ae_perm & ~(SMB_ACL_READ|SMB_ACL_WRITE|SMB_ACL_EXECUTE)) {
+		return EINVAL;
+	}
+
+	entry_d->ae_perm = permset_d->ae_perm;
+
+	return 0;
+}
+
+int sys_acl_valid(SMB_ACL_T acl_d)
+{
+	return acl_valid(acl_d->aclp);
+}
+
+int sys_acl_set_file(const char *name, SMB_ACL_TYPE_T type, SMB_ACL_T acl_d)
+{
+	return acl_set_file(name, type, acl_d->aclp);
+}
+
+int sys_acl_set_fd(int fd, SMB_ACL_T acl_d)
+{
+	return acl_set_fd(fd, acl_d->aclp);
+}
+
+int sys_acl_delete_def_file(const char *name)
+{
+	return acl_delete_def_file(name);
+}
+
+int sys_acl_free_text(char *text)
+{
+	return acl_free(text);
+}
+
+int sys_acl_free_acl(SMB_ACL_T acl_d) 
+{
+	if (acl_d->freeaclp) {
+		acl_free(acl_d->aclp);
+	}
+	acl_free(acl_d);
+	return 0;
+}
+
+int sys_acl_free_qualifier(void *qual, SMB_ACL_TAG_T tagtype)
+{
+	return 0;
+}
+
+#elif defined(HAVE_AIX_ACLS)
+
+/* Donated by Medha Date, mdate@austin.ibm.com, for IBM */
+
+int sys_acl_get_entry( SMB_ACL_T theacl, int entry_id, SMB_ACL_ENTRY_T *entry_p)
+{
+	struct acl_entry_link *link;
+	struct new_acl_entry *entry;
+	int keep_going;
+
+	DEBUG(10,("This is the count: %d\n",theacl->count));
+
+	/* Check if count was previously set to -1. *
+	 * If it was, that means we reached the end *
+	 * of the acl last time.                    */
+	if(theacl->count == -1)
+		return(0);
+
+	link = theacl;
+	/* To get to the next acl, traverse linked list until index *
+	 * of acl matches the count we are keeping.  This count is  *
+	 * incremented each time we return an acl entry.            */
+
+	for(keep_going = 0; keep_going < theacl->count; keep_going++)
+		link = link->nextp;
+
+	entry = *entry_p =  link->entryp;
+
+	DEBUG(10,("*entry_p is %d\n",entry_p));
+	DEBUG(10,("*entry_p->ace_access is %d\n",entry->ace_access));
+
+	/* Increment count */
+	theacl->count++;
+	if(link->nextp == NULL)
+		theacl->count = -1;
+
+	return(1);
+}
+
+int sys_acl_get_tag_type( SMB_ACL_ENTRY_T entry_d, SMB_ACL_TAG_T *tag_type_p)
+{
+	/* Initialize tag type */
+
+	*tag_type_p = -1;
+	DEBUG(10,("the tagtype is %d\n",entry_d->ace_id->id_type));
+
+	/* Depending on what type of entry we have, *
+	 * return tag type.                         */
+	switch(entry_d->ace_id->id_type) {
+	case ACEID_USER:
+		*tag_type_p = SMB_ACL_USER;
+		break;
+	case ACEID_GROUP:
+		*tag_type_p = SMB_ACL_GROUP;
+		break;
+
+	case SMB_ACL_USER_OBJ:
+	case SMB_ACL_GROUP_OBJ:
+	case SMB_ACL_OTHER:
+		*tag_type_p = entry_d->ace_id->id_type;
+		break;
+ 
+	default:
+		return(-1);
+	}
+
+	return(0);
+}
+
+int sys_acl_get_permset( SMB_ACL_ENTRY_T entry_d, SMB_ACL_PERMSET_T *permset_p)
+{
+	DEBUG(10,("Starting AIX sys_acl_get_permset\n"));
+	*permset_p = &entry_d->ace_access;
+	DEBUG(10,("**permset_p is %d\n",**permset_p));
+	if(!(**permset_p & S_IXUSR) &&
+		!(**permset_p & S_IWUSR) &&
+		!(**permset_p & S_IRUSR) &&
+		(**permset_p != 0))
+			return(-1);
+
+	DEBUG(10,("Ending AIX sys_acl_get_permset\n"));
+	return(0);
+}
+
+void *sys_acl_get_qualifier( SMB_ACL_ENTRY_T entry_d)
+{
+	return(entry_d->ace_id->id_data);
+}
+
+SMB_ACL_T sys_acl_get_file( const char *path_p, SMB_ACL_TYPE_T type)
+{
+	struct acl *file_acl = (struct acl *)NULL;
+	struct acl_entry *acl_entry;
+	struct new_acl_entry *new_acl_entry;
+	struct ace_id *idp;
+	struct acl_entry_link *acl_entry_link;
+	struct acl_entry_link *acl_entry_link_head;
+	int i;
+	int rc = 0;
+	uid_t user_id;
+
+	/* AIX has no DEFAULT */
+	if  ( type == SMB_ACL_TYPE_DEFAULT ) {
+		errno = ENOTSUP;
+		return NULL;
+	}
+
+	/* Get the acl using statacl */
+ 
+	DEBUG(10,("Entering sys_acl_get_file\n"));
+	DEBUG(10,("path_p is %s\n",path_p));
+
+	file_acl = (struct acl *)SMB_MALLOC(BUFSIZ);
+ 
+	if(file_acl == NULL) {
+		errno=ENOMEM;
+		DEBUG(0,("Error in AIX sys_acl_get_file: %d\n",errno));
+		return(NULL);
+	}
+
+	memset(file_acl,0,BUFSIZ);
+
+	rc = statacl((char *)path_p,0,file_acl,BUFSIZ);
+	if(rc == -1) {
+		DEBUG(0,("statacl returned %d with errno %d\n",rc,errno));
+		SAFE_FREE(file_acl);
+		return(NULL);
+	}
+
+	DEBUG(10,("Got facl and returned it\n"));
+
+	/* Point to the first acl entry in the acl */
+	acl_entry =  file_acl->acl_ext;
+
+	/* Begin setting up the head of the linked list *
+	 * that will be used for the storing the acl    *
+	 * in a way that is useful for the posix_acls.c *
+	 * code.                                          */
+
+	acl_entry_link_head = acl_entry_link = sys_acl_init(0);
+	if(acl_entry_link_head == NULL)
+		return(NULL);
+
+	acl_entry_link->entryp = SMB_MALLOC_P(struct new_acl_entry);
+	if(acl_entry_link->entryp == NULL) {
+		SAFE_FREE(file_acl);
+		errno = ENOMEM;
+		DEBUG(0,("Error in AIX sys_acl_get_file is %d\n",errno));
+		return(NULL);
+	}
+
+	DEBUG(10,("acl_entry is %d\n",acl_entry));
+	DEBUG(10,("acl_last(file_acl) id %d\n",acl_last(file_acl)));
+
+	/* Check if the extended acl bit is on.   *
+	 * If it isn't, do not show the           *
+	 * contents of the acl since AIX intends *
+	 * the extended info to remain unused     */
+
+	if(file_acl->acl_mode & S_IXACL){
+		/* while we are not pointing to the very end */
+		while(acl_entry < acl_last(file_acl)) {
+			/* before we malloc anything, make sure this is  */
+			/* a valid acl entry and one that we want to map */
+			idp = id_nxt(acl_entry->ace_id);
+			if((acl_entry->ace_type == ACC_SPECIFY ||
+				(acl_entry->ace_type == ACC_PERMIT)) && (idp != id_last(acl_entry))) {
+					acl_entry = acl_nxt(acl_entry);
+					continue;
+			}
+
+			idp = acl_entry->ace_id;
+
+			/* Check if this is the first entry in the linked list. *
+			 * The first entry needs to keep prevp pointing to NULL *
+			 * and already has entryp allocated.                  */
+
+			if(acl_entry_link_head->count != 0) {
+				acl_entry_link->nextp = SMB_MALLOC_P(struct acl_entry_link);
+
+				if(acl_entry_link->nextp == NULL) {
+					SAFE_FREE(file_acl);
+					errno = ENOMEM;
+					DEBUG(0,("Error in AIX sys_acl_get_file is %d\n",errno));
+					return(NULL);
+				}
+
+				acl_entry_link->nextp->prevp = acl_entry_link;
+				acl_entry_link = acl_entry_link->nextp;
+				acl_entry_link->entryp = SMB_MALLOC_P(struct new_acl_entry);
+				if(acl_entry_link->entryp == NULL) {
+					SAFE_FREE(file_acl);
+					errno = ENOMEM;
+					DEBUG(0,("Error in AIX sys_acl_get_file is %d\n",errno));
+					return(NULL);
+				}
+				acl_entry_link->nextp = NULL;
+			}
+
+			acl_entry_link->entryp->ace_len = acl_entry->ace_len;
+
+			/* Don't really need this since all types are going *
+			 * to be specified but, it's better than leaving it 0 */
+
+			acl_entry_link->entryp->ace_type = acl_entry->ace_type;
+ 
+			acl_entry_link->entryp->ace_access = acl_entry->ace_access;
+ 
+			memcpy(acl_entry_link->entryp->ace_id,idp,sizeof(struct ace_id));
+
+			/* The access in the acl entries must be left shifted by *
+			 * three bites, because they will ultimately be compared *
+			 * to S_IRUSR, S_IWUSR, and S_IXUSR.                  */
+
+			switch(acl_entry->ace_type){
+			case ACC_PERMIT:
+			case ACC_SPECIFY:
+				acl_entry_link->entryp->ace_access = acl_entry->ace_access;
+				acl_entry_link->entryp->ace_access <<= 6;
+				acl_entry_link_head->count++;
+				break;
+			case ACC_DENY:
+				/* Since there is no way to return a DENY acl entry *
+				 * change to PERMIT and then shift.                 */
+				DEBUG(10,("acl_entry->ace_access is %d\n",acl_entry->ace_access));
+				acl_entry_link->entryp->ace_access = ~acl_entry->ace_access & 7;
+				DEBUG(10,("acl_entry_link->entryp->ace_access is %d\n",acl_entry_link->entryp->ace_access));
+				acl_entry_link->entryp->ace_access <<= 6;
+				acl_entry_link_head->count++;
+				break;
+			default:
+				return(0);
+			}
+
+			DEBUG(10,("acl_entry = %d\n",acl_entry));
+			DEBUG(10,("The ace_type is %d\n",acl_entry->ace_type));
+ 
+			acl_entry = acl_nxt(acl_entry);
+		}
+	} /* end of if enabled */
+
+	/* Since owner, group, other acl entries are not *
+	 * part of the acl entries in an acl, they must  *
+	 * be dummied up to become part of the list.     */
+
+	for( i = 1; i < 4; i++) {
+		DEBUG(10,("i is %d\n",i));
+		if(acl_entry_link_head->count != 0) {
+			acl_entry_link->nextp = SMB_MALLOC_P(struct acl_entry_link);
+			if(acl_entry_link->nextp == NULL) {
+				SAFE_FREE(file_acl);
+				errno = ENOMEM;
+				DEBUG(0,("Error in AIX sys_acl_get_file is %d\n",errno));
+				return(NULL);
+			}
+
+			acl_entry_link->nextp->prevp = acl_entry_link;
+			acl_entry_link = acl_entry_link->nextp;
+			acl_entry_link->entryp = SMB_MALLOC_P(struct new_acl_entry);
+			if(acl_entry_link->entryp == NULL) {
+				SAFE_FREE(file_acl);
+				errno = ENOMEM;
+				DEBUG(0,("Error in AIX sys_acl_get_file is %d\n",errno));
+				return(NULL);
+			}
+		}
+
+		acl_entry_link->nextp = NULL;
+
+		new_acl_entry = acl_entry_link->entryp;
+		idp = new_acl_entry->ace_id;
+
+		new_acl_entry->ace_len = sizeof(struct acl_entry);
+		new_acl_entry->ace_type = ACC_PERMIT;
+		idp->id_len = sizeof(struct ace_id);
+		DEBUG(10,("idp->id_len = %d\n",idp->id_len));
+		memset(idp->id_data,0,sizeof(uid_t));
+
+		switch(i) {
+		case 2:
+			new_acl_entry->ace_access = file_acl->g_access << 6;
+			idp->id_type = SMB_ACL_GROUP_OBJ;
+			break;
+
+		case 3:
+			new_acl_entry->ace_access = file_acl->o_access << 6;
+			idp->id_type = SMB_ACL_OTHER;
+			break;
+ 
+		case 1:
+			new_acl_entry->ace_access = file_acl->u_access << 6;
+			idp->id_type = SMB_ACL_USER_OBJ;
+			break;
+ 
+		default:
+			return(NULL);
+
+		}
+
+		acl_entry_link_head->count++;
+		DEBUG(10,("new_acl_entry->ace_access = %d\n",new_acl_entry->ace_access));
+	}
+
+	acl_entry_link_head->count = 0;
+	SAFE_FREE(file_acl);
+
+	return(acl_entry_link_head);
+}
+
+SMB_ACL_T sys_acl_get_fd(int fd)
+{
+	struct acl *file_acl = (struct acl *)NULL;
+	struct acl_entry *acl_entry;
+	struct new_acl_entry *new_acl_entry;
+	struct ace_id *idp;
+	struct acl_entry_link *acl_entry_link;
+	struct acl_entry_link *acl_entry_link_head;
+	int i;
+	int rc = 0;
+	uid_t user_id;
+
+	/* Get the acl using fstatacl */
+   
+	DEBUG(10,("Entering sys_acl_get_fd\n"));
+	DEBUG(10,("fd is %d\n",fd));
+	file_acl = (struct acl *)SMB_MALLOC(BUFSIZ);
+
+	if(file_acl == NULL) {
+		errno=ENOMEM;
+		DEBUG(0,("Error in sys_acl_get_fd is %d\n",errno));
+		return(NULL);
+	}
+
+	memset(file_acl,0,BUFSIZ);
+
+	rc = fstatacl(fd,0,file_acl,BUFSIZ);
+	if(rc == -1) {
+		DEBUG(0,("The fstatacl call returned %d with errno %d\n",rc,errno));
+		SAFE_FREE(file_acl);
+		return(NULL);
+	}
+
+	DEBUG(10,("Got facl and returned it\n"));
+
+	/* Point to the first acl entry in the acl */
+
+	acl_entry =  file_acl->acl_ext;
+	/* Begin setting up the head of the linked list *
+	 * that will be used for the storing the acl    *
+	 * in a way that is useful for the posix_acls.c *
+	 * code.                                        */
+
+	acl_entry_link_head = acl_entry_link = sys_acl_init(0);
+	if(acl_entry_link_head == NULL){
+		SAFE_FREE(file_acl);
+		return(NULL);
+	}
+
+	acl_entry_link->entryp = SMB_MALLOC_P(struct new_acl_entry);
+
+	if(acl_entry_link->entryp == NULL) {
+		errno = ENOMEM;
+		DEBUG(0,("Error in sys_acl_get_fd is %d\n",errno));
+		SAFE_FREE(file_acl);
+		return(NULL);
+	}
+
+	DEBUG(10,("acl_entry is %d\n",acl_entry));
+	DEBUG(10,("acl_last(file_acl) id %d\n",acl_last(file_acl)));
+ 
+	/* Check if the extended acl bit is on.   *
+	 * If it isn't, do not show the           *
+	 * contents of the acl since AIX intends  *
+	 * the extended info to remain unused     */
+ 
+	if(file_acl->acl_mode & S_IXACL){
+		/* while we are not pointing to the very end */
+		while(acl_entry < acl_last(file_acl)) {
+			/* before we malloc anything, make sure this is  */
+			/* a valid acl entry and one that we want to map */
+
+			idp = id_nxt(acl_entry->ace_id);
+			if((acl_entry->ace_type == ACC_SPECIFY ||
+				(acl_entry->ace_type == ACC_PERMIT)) && (idp != id_last(acl_entry))) {
+					acl_entry = acl_nxt(acl_entry);
+					continue;
+			}
+
+			idp = acl_entry->ace_id;
+ 
+			/* Check if this is the first entry in the linked list. *
+			 * The first entry needs to keep prevp pointing to NULL *
+			 * and already has entryp allocated.                 */
+
+			if(acl_entry_link_head->count != 0) {
+				acl_entry_link->nextp = SMB_MALLOC_P(struct acl_entry_link);
+				if(acl_entry_link->nextp == NULL) {
+					errno = ENOMEM;
+					DEBUG(0,("Error in sys_acl_get_fd is %d\n",errno));
+					SAFE_FREE(file_acl);
+					return(NULL);
+				}
+				acl_entry_link->nextp->prevp = acl_entry_link;
+				acl_entry_link = acl_entry_link->nextp;
+				acl_entry_link->entryp = SMB_MALLOC_P(struct new_acl_entry);
+				if(acl_entry_link->entryp == NULL) {
+					errno = ENOMEM;
+					DEBUG(0,("Error in sys_acl_get_fd is %d\n",errno));
+					SAFE_FREE(file_acl);
+					return(NULL);
+				}
+
+				acl_entry_link->nextp = NULL;
+			}
+
+			acl_entry_link->entryp->ace_len = acl_entry->ace_len;
+
+			/* Don't really need this since all types are going *
+			 * to be specified but, it's better than leaving it 0 */
+
+			acl_entry_link->entryp->ace_type = acl_entry->ace_type;
+			acl_entry_link->entryp->ace_access = acl_entry->ace_access;
+
+			memcpy(acl_entry_link->entryp->ace_id, idp, sizeof(struct ace_id));
+
+			/* The access in the acl entries must be left shifted by *
+			 * three bites, because they will ultimately be compared *
+			 * to S_IRUSR, S_IWUSR, and S_IXUSR.                  */
+
+			switch(acl_entry->ace_type){
+			case ACC_PERMIT:
+			case ACC_SPECIFY:
+				acl_entry_link->entryp->ace_access = acl_entry->ace_access;
+				acl_entry_link->entryp->ace_access <<= 6;
+				acl_entry_link_head->count++;
+				break;
+			case ACC_DENY:
+				/* Since there is no way to return a DENY acl entry *
+				 * change to PERMIT and then shift.                 */
+				DEBUG(10,("acl_entry->ace_access is %d\n",acl_entry->ace_access));
+				acl_entry_link->entryp->ace_access = ~acl_entry->ace_access & 7;
+				DEBUG(10,("acl_entry_link->entryp->ace_access is %d\n",acl_entry_link->entryp->ace_access));
+				acl_entry_link->entryp->ace_access <<= 6;
+				acl_entry_link_head->count++;
+				break;
+			default:
+				return(0);
+			}
+
+			DEBUG(10,("acl_entry = %d\n",acl_entry));
+			DEBUG(10,("The ace_type is %d\n",acl_entry->ace_type));
+ 
+			acl_entry = acl_nxt(acl_entry);
+		}
+	} /* end of if enabled */
+
+	/* Since owner, group, other acl entries are not *
+	 * part of the acl entries in an acl, they must  *
+	 * be dummied up to become part of the list.     */
+
+	for( i = 1; i < 4; i++) {
+		DEBUG(10,("i is %d\n",i));
+		if(acl_entry_link_head->count != 0){
+			acl_entry_link->nextp = SMB_MALLOC_P(struct acl_entry_link);
+			if(acl_entry_link->nextp == NULL) {
+				errno = ENOMEM;
+				DEBUG(0,("Error in sys_acl_get_fd is %d\n",errno));
+				SAFE_FREE(file_acl);
+				return(NULL);
+			}
+
+			acl_entry_link->nextp->prevp = acl_entry_link;
+			acl_entry_link = acl_entry_link->nextp;
+			acl_entry_link->entryp = SMB_MALLOC_P(struct new_acl_entry);
+
+			if(acl_entry_link->entryp == NULL) {
+				SAFE_FREE(file_acl);
+				errno = ENOMEM;
+				DEBUG(0,("Error in sys_acl_get_fd is %d\n",errno));
+				return(NULL);
+			}
+		}
+
+		acl_entry_link->nextp = NULL;
+ 
+		new_acl_entry = acl_entry_link->entryp;
+		idp = new_acl_entry->ace_id;
+ 
+		new_acl_entry->ace_len = sizeof(struct acl_entry);
+		new_acl_entry->ace_type = ACC_PERMIT;
+		idp->id_len = sizeof(struct ace_id);
+		DEBUG(10,("idp->id_len = %d\n",idp->id_len));
+		memset(idp->id_data,0,sizeof(uid_t));
+ 
+		switch(i) {
+		case 2:
+			new_acl_entry->ace_access = file_acl->g_access << 6;
+			idp->id_type = SMB_ACL_GROUP_OBJ;
+			break;
+ 
+		case 3:
+			new_acl_entry->ace_access = file_acl->o_access << 6;
+			idp->id_type = SMB_ACL_OTHER;
+			break;
+ 
+		case 1:
+			new_acl_entry->ace_access = file_acl->u_access << 6;
+			idp->id_type = SMB_ACL_USER_OBJ;
+			break;
+ 
+		default:
+			return(NULL);
+		}
+ 
+		acl_entry_link_head->count++;
+		DEBUG(10,("new_acl_entry->ace_access = %d\n",new_acl_entry->ace_access));
+	}
+
+	acl_entry_link_head->count = 0;
+	SAFE_FREE(file_acl);
+ 
+	return(acl_entry_link_head);
+}
+
+int sys_acl_clear_perms(SMB_ACL_PERMSET_T permset)
+{
+	*permset = *permset & ~0777;
+	return(0);
+}
+
+int sys_acl_add_perm( SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm)
+{
+	if((perm != 0) &&
+			(perm & (S_IXUSR | S_IWUSR | S_IRUSR)) == 0)
+		return(-1);
+
+	*permset |= perm;
+	DEBUG(10,("This is the permset now: %d\n",*permset));
+	return(0);
+}
+
+char *sys_acl_to_text( SMB_ACL_T theacl, ssize_t *plen)
+{
+	return(NULL);
+}
+
+SMB_ACL_T sys_acl_init( int count)
+{
+	struct acl_entry_link *theacl = NULL;
+ 
+	DEBUG(10,("Entering sys_acl_init\n"));
+
+	theacl = SMB_MALLOC_P(struct acl_entry_link);
+	if(theacl == NULL) {
+		errno = ENOMEM;
+		DEBUG(0,("Error in sys_acl_init is %d\n",errno));
+		return(NULL);
+	}
+
+	theacl->count = 0;
+	theacl->nextp = NULL;
+	theacl->prevp = NULL;
+	theacl->entryp = NULL;
+	DEBUG(10,("Exiting sys_acl_init\n"));
+	return(theacl);
+}
+
+int sys_acl_create_entry( SMB_ACL_T *pacl, SMB_ACL_ENTRY_T *pentry)
+{
+	struct acl_entry_link *theacl;
+	struct acl_entry_link *acl_entryp;
+	struct acl_entry_link *temp_entry;
+	int counting;
+
+	DEBUG(10,("Entering the sys_acl_create_entry\n"));
+
+	theacl = acl_entryp = *pacl;
+
+	/* Get to the end of the acl before adding entry */
+
+	for(counting=0; counting < theacl->count; counting++){
+		DEBUG(10,("The acl_entryp is %d\n",acl_entryp));
+		temp_entry = acl_entryp;
+		acl_entryp = acl_entryp->nextp;
+	}
+
+	if(theacl->count != 0){
+		temp_entry->nextp = acl_entryp = SMB_MALLOC_P(struct acl_entry_link);
+		if(acl_entryp == NULL) {
+			errno = ENOMEM;
+			DEBUG(0,("Error in sys_acl_create_entry is %d\n",errno));
+			return(-1);
+		}
+
+		DEBUG(10,("The acl_entryp is %d\n",acl_entryp));
+		acl_entryp->prevp = temp_entry;
+		DEBUG(10,("The acl_entryp->prevp is %d\n",acl_entryp->prevp));
+	}
+
+	*pentry = acl_entryp->entryp = SMB_MALLOC_P(struct new_acl_entry);
+	if(*pentry == NULL) {
+		errno = ENOMEM;
+		DEBUG(0,("Error in sys_acl_create_entry is %d\n",errno));
+		return(-1);
+	}
+
+	memset(*pentry,0,sizeof(struct new_acl_entry));
+	acl_entryp->entryp->ace_len = sizeof(struct acl_entry);
+	acl_entryp->entryp->ace_type = ACC_PERMIT;
+	acl_entryp->entryp->ace_id->id_len = sizeof(struct ace_id);
+	acl_entryp->nextp = NULL;
+	theacl->count++;
+	DEBUG(10,("Exiting sys_acl_create_entry\n"));
+	return(0);
+}
+
+int sys_acl_set_tag_type( SMB_ACL_ENTRY_T entry, SMB_ACL_TAG_T tagtype)
+{
+	DEBUG(10,("Starting AIX sys_acl_set_tag_type\n"));
+	entry->ace_id->id_type = tagtype;
+	DEBUG(10,("The tag type is %d\n",entry->ace_id->id_type));
+	DEBUG(10,("Ending AIX sys_acl_set_tag_type\n"));
+}
+
+int sys_acl_set_qualifier( SMB_ACL_ENTRY_T entry, void *qual)
+{
+	DEBUG(10,("Starting AIX sys_acl_set_qualifier\n"));
+	memcpy(entry->ace_id->id_data,qual,sizeof(uid_t));
+	DEBUG(10,("Ending AIX sys_acl_set_qualifier\n"));
+	return(0);
+}
+
+int sys_acl_set_permset( SMB_ACL_ENTRY_T entry, SMB_ACL_PERMSET_T permset)
+{
+	DEBUG(10,("Starting AIX sys_acl_set_permset\n"));
+	if(!(*permset & S_IXUSR) &&
+		!(*permset & S_IWUSR) &&
+		!(*permset & S_IRUSR) &&
+		(*permset != 0))
+			return(-1);
+
+	entry->ace_access = *permset;
+	DEBUG(10,("entry->ace_access = %d\n",entry->ace_access));
+	DEBUG(10,("Ending AIX sys_acl_set_permset\n"));
+	return(0);
+}
+
+int sys_acl_valid( SMB_ACL_T theacl )
+{
+	int user_obj = 0;
+	int group_obj = 0;
+	int other_obj = 0;
+	struct acl_entry_link *acl_entry;
+
+	for(acl_entry=theacl; acl_entry != NULL; acl_entry = acl_entry->nextp) {
+		user_obj += (acl_entry->entryp->ace_id->id_type == SMB_ACL_USER_OBJ);
+		group_obj += (acl_entry->entryp->ace_id->id_type == SMB_ACL_GROUP_OBJ);
+		other_obj += (acl_entry->entryp->ace_id->id_type == SMB_ACL_OTHER);
+	}
+
+	DEBUG(10,("user_obj=%d, group_obj=%d, other_obj=%d\n",user_obj,group_obj,other_obj));
+ 
+	if(user_obj != 1 || group_obj != 1 || other_obj != 1)
+		return(-1); 
+
+	return(0);
+}
+
+int sys_acl_set_file( const char *name, SMB_ACL_TYPE_T acltype, SMB_ACL_T theacl)
+{
+	struct acl_entry_link *acl_entry_link = NULL;
+	struct acl *file_acl = NULL;
+	struct acl *file_acl_temp = NULL;
+	struct acl_entry *acl_entry = NULL;
+	struct ace_id *ace_id = NULL;
+	uint id_type;
+	uint ace_access;
+	uint user_id;
+	uint acl_length;
+	uint rc;
+
+	DEBUG(10,("Entering sys_acl_set_file\n"));
+	DEBUG(10,("File name is %s\n",name));
+ 
+	/* AIX has no default ACL */
+	if(acltype == SMB_ACL_TYPE_DEFAULT)
+		return(0);
+
+	acl_length = BUFSIZ;
+	file_acl = (struct acl *)SMB_MALLOC(BUFSIZ);
+
+	if(file_acl == NULL) {
+		errno = ENOMEM;
+		DEBUG(0,("Error in sys_acl_set_file is %d\n",errno));
+		return(-1);
+	}
+
+	memset(file_acl,0,BUFSIZ);
+
+	file_acl->acl_len = ACL_SIZ;
+	file_acl->acl_mode = S_IXACL;
+
+	for(acl_entry_link=theacl; acl_entry_link != NULL; acl_entry_link = acl_entry_link->nextp) {
+		acl_entry_link->entryp->ace_access >>= 6;
+		id_type = acl_entry_link->entryp->ace_id->id_type;
+
+		switch(id_type) {
+		case SMB_ACL_USER_OBJ:
+			file_acl->u_access = acl_entry_link->entryp->ace_access;
+			continue;
+		case SMB_ACL_GROUP_OBJ:
+			file_acl->g_access = acl_entry_link->entryp->ace_access;
+			continue;
+		case SMB_ACL_OTHER:
+			file_acl->o_access = acl_entry_link->entryp->ace_access;
+			continue;
+		case SMB_ACL_MASK:
+			continue;
+		}
+
+		if((file_acl->acl_len + sizeof(struct acl_entry)) > acl_length) {
+			acl_length += sizeof(struct acl_entry);
+			file_acl_temp = (struct acl *)SMB_MALLOC(acl_length);
+			if(file_acl_temp == NULL) {
+				SAFE_FREE(file_acl);
+				errno = ENOMEM;
+				DEBUG(0,("Error in sys_acl_set_file is %d\n",errno));
+				return(-1);
+			}  
+
+			memcpy(file_acl_temp,file_acl,file_acl->acl_len);
+			SAFE_FREE(file_acl);
+			file_acl = file_acl_temp;
+		}
+
+		acl_entry = (struct acl_entry *)((char *)file_acl + file_acl->acl_len);
+		file_acl->acl_len += sizeof(struct acl_entry);
+		acl_entry->ace_len = acl_entry_link->entryp->ace_len;
+		acl_entry->ace_access = acl_entry_link->entryp->ace_access;
+ 
+		/* In order to use this, we'll need to wait until we can get denies */
+		/* if(!acl_entry->ace_access && acl_entry->ace_type == ACC_PERMIT)
+		acl_entry->ace_type = ACC_SPECIFY; */
+
+		acl_entry->ace_type = ACC_SPECIFY;
+ 
+		ace_id = acl_entry->ace_id;
+ 
+		ace_id->id_type = acl_entry_link->entryp->ace_id->id_type;
+		DEBUG(10,("The id type is %d\n",ace_id->id_type));
+		ace_id->id_len = acl_entry_link->entryp->ace_id->id_len;
+		memcpy(&user_id, acl_entry_link->entryp->ace_id->id_data, sizeof(uid_t));
+		memcpy(acl_entry->ace_id->id_data, &user_id, sizeof(uid_t));
+	}
+
+	rc = chacl(name,file_acl,file_acl->acl_len);
+	DEBUG(10,("errno is %d\n",errno));
+	DEBUG(10,("return code is %d\n",rc));
+	SAFE_FREE(file_acl);
+	DEBUG(10,("Exiting the sys_acl_set_file\n"));
+	return(rc);
+}
+
+int sys_acl_set_fd( int fd, SMB_ACL_T theacl)
+{
+	struct acl_entry_link *acl_entry_link = NULL;
+	struct acl *file_acl = NULL;
+	struct acl *file_acl_temp = NULL;
+	struct acl_entry *acl_entry = NULL;
+	struct ace_id *ace_id = NULL;
+	uint id_type;
+	uint user_id;
+	uint acl_length;
+	uint rc;
+ 
+	DEBUG(10,("Entering sys_acl_set_fd\n"));
+	acl_length = BUFSIZ;
+	file_acl = (struct acl *)SMB_MALLOC(BUFSIZ);
+
+	if(file_acl == NULL) {
+		errno = ENOMEM;
+		DEBUG(0,("Error in sys_acl_set_fd is %d\n",errno));
+		return(-1);
+	}
+
+	memset(file_acl,0,BUFSIZ);
+ 
+	file_acl->acl_len = ACL_SIZ;
+	file_acl->acl_mode = S_IXACL;
+
+	for(acl_entry_link=theacl; acl_entry_link != NULL; acl_entry_link = acl_entry_link->nextp) {
+		acl_entry_link->entryp->ace_access >>= 6;
+		id_type = acl_entry_link->entryp->ace_id->id_type;
+		DEBUG(10,("The id_type is %d\n",id_type));
+
+		switch(id_type) {
+		case SMB_ACL_USER_OBJ:
+			file_acl->u_access = acl_entry_link->entryp->ace_access;
+			continue;
+		case SMB_ACL_GROUP_OBJ:
+			file_acl->g_access = acl_entry_link->entryp->ace_access;
+			continue;
+		case SMB_ACL_OTHER:
+			file_acl->o_access = acl_entry_link->entryp->ace_access;
+			continue;
+		case SMB_ACL_MASK:
+			continue;
+		}
+
+		if((file_acl->acl_len + sizeof(struct acl_entry)) > acl_length) {
+			acl_length += sizeof(struct acl_entry);
+			file_acl_temp = (struct acl *)SMB_MALLOC(acl_length);
+			if(file_acl_temp == NULL) {
+				SAFE_FREE(file_acl);
+				errno = ENOMEM;
+				DEBUG(0,("Error in sys_acl_set_fd is %d\n",errno));
+				return(-1);
+			}
+
+			memcpy(file_acl_temp,file_acl,file_acl->acl_len);
+			SAFE_FREE(file_acl);
+			file_acl = file_acl_temp;
+		}
+
+		acl_entry = (struct acl_entry *)((char *)file_acl + file_acl->acl_len);
+		file_acl->acl_len += sizeof(struct acl_entry);
+		acl_entry->ace_len = acl_entry_link->entryp->ace_len;
+		acl_entry->ace_access = acl_entry_link->entryp->ace_access;
+ 
+		/* In order to use this, we'll need to wait until we can get denies */
+		/* if(!acl_entry->ace_access && acl_entry->ace_type == ACC_PERMIT)
+			acl_entry->ace_type = ACC_SPECIFY; */
+ 
+		acl_entry->ace_type = ACC_SPECIFY;
+ 
+		ace_id = acl_entry->ace_id;
+ 
+		ace_id->id_type = acl_entry_link->entryp->ace_id->id_type;
+		DEBUG(10,("The id type is %d\n",ace_id->id_type));
+		ace_id->id_len = acl_entry_link->entryp->ace_id->id_len;
+		memcpy(&user_id, acl_entry_link->entryp->ace_id->id_data, sizeof(uid_t));
+		memcpy(ace_id->id_data, &user_id, sizeof(uid_t));
+	}
+ 
+	rc = fchacl(fd,file_acl,file_acl->acl_len);
+	DEBUG(10,("errno is %d\n",errno));
+	DEBUG(10,("return code is %d\n",rc));
+	SAFE_FREE(file_acl);
+	DEBUG(10,("Exiting sys_acl_set_fd\n"));
+	return(rc);
+}
+
+int sys_acl_delete_def_file(const char *name)
+{
+	/* AIX has no default ACL */
+	return 0;
+}
+
+int sys_acl_get_perm( SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm)
+{
+	return(*permset & perm);
+}
+
+int sys_acl_free_text(char *text)
+{
+	return(0);
+}
+
+int sys_acl_free_acl(SMB_ACL_T posix_acl)
+{
+	struct acl_entry_link *acl_entry_link;
+
+	for(acl_entry_link = posix_acl->nextp; acl_entry_link->nextp != NULL; acl_entry_link = acl_entry_link->nextp) {
+		SAFE_FREE(acl_entry_link->prevp->entryp);
+		SAFE_FREE(acl_entry_link->prevp);
+	}
+
+	SAFE_FREE(acl_entry_link->prevp->entryp);
+	SAFE_FREE(acl_entry_link->prevp);
+	SAFE_FREE(acl_entry_link->entryp);
+	SAFE_FREE(acl_entry_link);
+ 
+	return(0);
+}
+
+int sys_acl_free_qualifier(void *qual, SMB_ACL_TAG_T tagtype)
+{
+	return(0);
+}
+
+#else /* No ACLs. */
+
+int sys_acl_get_entry(UNUSED(SMB_ACL_T the_acl), UNUSED(int entry_id), UNUSED(SMB_ACL_ENTRY_T *entry_p))
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+int sys_acl_get_tag_type(UNUSED(SMB_ACL_ENTRY_T entry_d), UNUSED(SMB_ACL_TAG_T *tag_type_p))
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+int sys_acl_get_permset(UNUSED(SMB_ACL_ENTRY_T entry_d), UNUSED(SMB_ACL_PERMSET_T *permset_p))
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+void *sys_acl_get_qualifier(UNUSED(SMB_ACL_ENTRY_T entry_d))
+{
+	errno = ENOSYS;
+	return NULL;
+}
+
+SMB_ACL_T sys_acl_get_file(UNUSED(const char *path_p), UNUSED(SMB_ACL_TYPE_T type))
+{
+	errno = ENOSYS;
+	return (SMB_ACL_T)NULL;
+}
+
+SMB_ACL_T sys_acl_get_fd(UNUSED(int fd))
+{
+	errno = ENOSYS;
+	return (SMB_ACL_T)NULL;
+}
+
+int sys_acl_clear_perms(UNUSED(SMB_ACL_PERMSET_T permset))
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+int sys_acl_add_perm( UNUSED(SMB_ACL_PERMSET_T permset), UNUSED(SMB_ACL_PERM_T perm))
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+int sys_acl_get_perm( SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm)
+{
+	errno = ENOSYS;
+	return (permset & perm) ? 1 : 0;
+}
+
+char *sys_acl_to_text(UNUSED(SMB_ACL_T the_acl), UNUSED(ssize_t *plen))
+{
+	errno = ENOSYS;
+	return NULL;
+}
+
+int sys_acl_free_text(UNUSED(char *text))
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+SMB_ACL_T sys_acl_init(UNUSED(int count))
+{
+	errno = ENOSYS;
+	return NULL;
+}
+
+int sys_acl_create_entry(UNUSED(SMB_ACL_T *pacl), UNUSED(SMB_ACL_ENTRY_T *pentry))
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+int sys_acl_set_tag_type(UNUSED(SMB_ACL_ENTRY_T entry), UNUSED(SMB_ACL_TAG_T tagtype))
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+int sys_acl_set_qualifier(UNUSED(SMB_ACL_ENTRY_T entry), UNUSED(void *qual))
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+int sys_acl_set_permset(UNUSED(SMB_ACL_ENTRY_T entry), UNUSED(SMB_ACL_PERMSET_T permset))
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+int sys_acl_valid(UNUSED(SMB_ACL_T theacl))
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+int sys_acl_set_file(UNUSED(const char *name), UNUSED(SMB_ACL_TYPE_T acltype), UNUSED(SMB_ACL_T theacl))
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+int sys_acl_set_fd(UNUSED(int fd), UNUSED(SMB_ACL_T theacl))
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+int sys_acl_delete_def_file(UNUSED(const char *name))
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+int sys_acl_free_acl(UNUSED(SMB_ACL_T the_acl))
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+int sys_acl_free_qualifier(UNUSED(void *qual), UNUSED(SMB_ACL_TAG_T tagtype))
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+#endif /* No ACLs. */
+
+/************************************************************************
+ Deliberately outside the ACL defines. Return 1 if this is a "no acls"
+ errno, 0 if not.
+************************************************************************/
+
+int no_acl_syscall_error(int err)
+{
+#if defined(ENOSYS)
+	if (err == ENOSYS) {
+		return 1;
+	}
+#endif
+#if defined(ENOTSUP)
+	if (err == ENOTSUP) {
+		return 1;
+	}
+#endif
+	return 0;
+}
+
+#endif /* SUPPORT_ACLS */
--- old/lib/sysacls.h
+++ new/lib/sysacls.h
@@ -0,0 +1,40 @@
+#ifdef SUPPORT_ACLS
+
+#ifdef HAVE_SYS_ACL_H
+#include <sys/acl.h>
+#endif
+#ifdef HAVE_ACL_LIBACL_H
+#include <acl/libacl.h>
+#endif
+#include "smb_acls.h"
+
+#define SMB_MALLOC(cnt) new_array(char, cnt)
+#define SMB_MALLOC_P(obj) new_array(obj, 1)
+#define SMB_MALLOC_ARRAY(obj, cnt) new_array(obj, cnt)
+#define SMB_REALLOC(mem, cnt) realloc_array(mem, char, cnt)
+#define slprintf snprintf
+
+int sys_acl_get_entry(SMB_ACL_T the_acl, int entry_id, SMB_ACL_ENTRY_T *entry_p);
+int sys_acl_get_tag_type(SMB_ACL_ENTRY_T entry_d, SMB_ACL_TAG_T *tag_type_p);
+int sys_acl_get_permset(SMB_ACL_ENTRY_T entry_d, SMB_ACL_PERMSET_T *permset_p);
+void *sys_acl_get_qualifier(SMB_ACL_ENTRY_T entry_d);
+SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type);
+SMB_ACL_T sys_acl_get_fd(int fd);
+int sys_acl_clear_perms(SMB_ACL_PERMSET_T permset);
+int sys_acl_add_perm(SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm);
+int sys_acl_get_perm(SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm);
+char *sys_acl_to_text(SMB_ACL_T the_acl, ssize_t *plen);
+SMB_ACL_T sys_acl_init(int count);
+int sys_acl_create_entry(SMB_ACL_T *pacl, SMB_ACL_ENTRY_T *pentry);
+int sys_acl_set_tag_type(SMB_ACL_ENTRY_T entry, SMB_ACL_TAG_T tagtype);
+int sys_acl_set_qualifier(SMB_ACL_ENTRY_T entry, void *qual);
+int sys_acl_set_permset(SMB_ACL_ENTRY_T entry, SMB_ACL_PERMSET_T permset);
+int sys_acl_valid(SMB_ACL_T theacl);
+int sys_acl_set_file(const char *name, SMB_ACL_TYPE_T acltype, SMB_ACL_T theacl);
+int sys_acl_set_fd(int fd, SMB_ACL_T theacl);
+int sys_acl_delete_def_file(const char *name);
+int sys_acl_free_text(char *text);
+int sys_acl_free_acl(SMB_ACL_T the_acl);
+int sys_acl_free_qualifier(void *qual, SMB_ACL_TAG_T tagtype);
+
+#endif /* SUPPORT_ACLS */
--- old/log.c
+++ new/log.c
@@ -606,8 +606,10 @@ static void log_formatted(enum logcode c
 			n[5] = !(iflags & ITEM_REPORT_PERMS) ? '.' : 'p';
 			n[6] = !(iflags & ITEM_REPORT_OWNER) ? '.' : 'o';
 			n[7] = !(iflags & ITEM_REPORT_GROUP) ? '.' : 'g';
-			n[8] = '.';
-			n[9] = '\0';
+			n[8] = !(iflags & ITEM_REPORT_ATIME) ? '.' : 'u';
+			n[9] = !(iflags & ITEM_REPORT_ACL) ? '.' : 'a';
+			n[10] = !(iflags & ITEM_REPORT_XATTR) ? '.' : 'x';
+			n[11] = '\0';
 
 			if (iflags & (ITEM_IS_NEW|ITEM_MISSING_DATA)) {
 				char ch = iflags & ITEM_IS_NEW ? '+' : '?';
--- old/options.c
+++ new/options.c
@@ -47,6 +47,7 @@ int copy_dirlinks = 0;
 int copy_links = 0;
 int preserve_links = 0;
 int preserve_hard_links = 0;
+int preserve_acls = 0;
 int preserve_perms = 0;
 int preserve_executability = 0;
 int preserve_devices = 0;
@@ -199,6 +200,7 @@ static void print_rsync_version(enum log
 	char const *got_socketpair = "no ";
 	char const *have_inplace = "no ";
 	char const *hardlinks = "no ";
+	char const *acls = "no ";
 	char const *links = "no ";
 	char const *ipv6 = "no ";
 	STRUCT_STAT *dumstat;
@@ -215,6 +217,10 @@ static void print_rsync_version(enum log
 	hardlinks = "";
 #endif
 
+#ifdef SUPPORT_ACLS
+	acls = "";
+#endif
+
 #ifdef SUPPORT_LINKS
 	links = "";
 #endif
@@ -227,17 +233,16 @@ static void print_rsync_version(enum log
 		RSYNC_NAME, RSYNC_VERSION, PROTOCOL_VERSION);
 	rprintf(f, "Copyright (C) 1996-2006 by Andrew Tridgell, Wayne Davison, and others.\n");
 	rprintf(f, "<http://rsync.samba.org/>\n");
-	rprintf(f, "Capabilities: %d-bit files, %ssocketpairs, "
-		"%shard links, %ssymlinks, batchfiles,\n",
-		(int) (sizeof (OFF_T) * 8),
-		got_socketpair, hardlinks, links);
+	rprintf(f, "Capabilities: %d-bit files, %ssocketpairs, %shard links, %ssymlinks,\n",
+		(int) (sizeof (OFF_T) * 8), got_socketpair, hardlinks, links);
+
+	rprintf(f, "              batchfiles, %sinplace, %sIPv6, %sACLs,\n",
+		have_inplace, ipv6, acls);
 
 	/* Note that this field may not have type ino_t.  It depends
 	 * on the complicated interaction between largefile feature
 	 * macros. */
-	rprintf(f, "              %sinplace, %sIPv6, "
-		"%d-bit system inums, %d-bit internal inums\n",
-		have_inplace, ipv6,
+	rprintf(f, "              %d-bit system inums, %d-bit internal inums\n",
 		(int) (sizeof dumstat->st_ino * 8),
 		(int) (sizeof (int64) * 8));
 #ifdef MAINTAINER_MODE
@@ -284,7 +289,7 @@ void usage(enum logcode F)
   rprintf(F," -q, --quiet                 suppress non-error messages\n");
   rprintf(F,"     --no-motd               suppress daemon-mode MOTD (see manpage caveat)\n");
   rprintf(F," -c, --checksum              skip based on checksum, not mod-time & size\n");
-  rprintf(F," -a, --archive               archive mode; same as -rlptgoD (no -H)\n");
+  rprintf(F," -a, --archive               archive mode; same as -rlptgoD (no -H, -A)\n");
   rprintf(F,"     --no-OPTION             turn off an implied OPTION (e.g. --no-D)\n");
   rprintf(F," -r, --recursive             recurse into directories\n");
   rprintf(F," -R, --relative              use relative path names\n");
@@ -306,6 +311,9 @@ void usage(enum logcode F)
   rprintf(F," -p, --perms                 preserve permissions\n");
   rprintf(F," -E, --executability         preserve the file's executability\n");
   rprintf(F,"     --chmod=CHMOD           affect file and/or directory permissions\n");
+#ifdef SUPPORT_ACLS
+  rprintf(F," -A, --acls                  preserve ACLs (implies --perms)\n");
+#endif
   rprintf(F," -o, --owner                 preserve owner (super-user only)\n");
   rprintf(F," -g, --group                 preserve group\n");
   rprintf(F,"     --devices               preserve device files (super-user only)\n");
@@ -425,6 +433,9 @@ static struct poptOption long_options[] 
   {"no-perms",         0,  POPT_ARG_VAL,    &preserve_perms, 0, 0, 0 },
   {"no-p",             0,  POPT_ARG_VAL,    &preserve_perms, 0, 0, 0 },
   {"executability",   'E', POPT_ARG_NONE,   &preserve_executability, 0, 0, 0 },
+  {"acls",            'A', POPT_ARG_NONE,   0, 'A', 0, 0 },
+  {"no-acls",          0,  POPT_ARG_VAL,    &preserve_acls, 0, 0, 0 },
+  {"no-A",             0,  POPT_ARG_VAL,    &preserve_acls, 0, 0, 0 },
   {"times",           't', POPT_ARG_VAL,    &preserve_times, 1, 0, 0 },
   {"no-times",         0,  POPT_ARG_VAL,    &preserve_times, 0, 0, 0 },
   {"no-t",             0,  POPT_ARG_VAL,    &preserve_times, 0, 0, 0 },
@@ -1089,6 +1100,24 @@ int parse_arguments(int *argc, const cha
 			usage(FINFO);
 			exit_cleanup(0);
 
+		case 'A':
+#ifdef SUPPORT_ACLS
+			preserve_acls++;
+			preserve_perms = 1;
+			break;
+#else
+			/* FIXME: this should probably be ignored with a
+ 			 * warning and then countermeasures taken to
+ 			 * restrict group and other access in the presence
+ 			 * of any more restrictive ACLs, but this is safe
+			 * for now */
+			snprintf(err_buf,sizeof(err_buf),
+                                 "ACLs are not supported on this %s\n",
+				 am_server ? "server" : "client");
+			return 0;
+#endif
+
+
 		default:
 			/* A large opt value means that set_refuse_options()
 			 * turned this option off. */
@@ -1530,6 +1559,10 @@ void server_options(char **args,int *arg
 
 	if (preserve_hard_links)
 		argstr[x++] = 'H';
+#ifdef SUPPORT_ACLS
+	if (preserve_acls)
+		argstr[x++] = 'A';
+#endif
 	if (preserve_uid)
 		argstr[x++] = 'o';
 	if (preserve_gid)
--- old/receiver.c
+++ new/receiver.c
@@ -47,6 +47,7 @@ extern int keep_partial;
 extern int checksum_seed;
 extern int inplace;
 extern int delay_updates;
+extern mode_t orig_umask;
 extern struct stats stats;
 extern char *stdout_format;
 extern char *tmpdir;
@@ -350,6 +351,10 @@ int recv_files(int f_in, struct file_lis
 	int itemizing = am_server ? logfile_format_has_i : stdout_format_has_i;
 	enum logcode log_code = log_before_transfer ? FLOG : FINFO;
 	int max_phase = protocol_version >= 29 ? 2 : 1;
+	int dflt_perms = (ACCESSPERMS & ~orig_umask);
+#ifdef SUPPORT_ACLS
+	char *parent_dirname = "";
+#endif
 	int i, recv_ok;
 
 	if (verbose > 2)
@@ -553,7 +558,16 @@ int recv_files(int f_in, struct file_lis
 		 * mode based on the local permissions and some heuristics. */
 		if (!preserve_perms) {
 			int exists = fd1 != -1;
-			file->mode = dest_mode(file->mode, st.st_mode, exists);
+#ifdef SUPPORT_ACLS
+			char *dn = file->dirname ? file->dirname : ".";
+			if (parent_dirname != dn
+			 && strcmp(parent_dirname, dn) != 0) {
+				dflt_perms = default_perms_for_dir(dn);
+				parent_dirname = dn;
+			}
+#endif
+			file->mode = dest_mode(file->mode, st.st_mode,
+					       dflt_perms, exists);
 		}
 
 		/* We now check to see if we are writing the file "inplace" */
--- old/rsync.c
+++ new/rsync.c
@@ -32,6 +32,7 @@
 
 extern int verbose;
 extern int dry_run;
+extern int preserve_acls;
 extern int preserve_perms;
 extern int preserve_executability;
 extern int preserve_times;
@@ -47,7 +48,6 @@ extern int preserve_gid;
 extern int inplace;
 extern int keep_dirlinks;
 extern int make_backups;
-extern mode_t orig_umask;
 extern struct stats stats;
 extern struct chmod_mode_struct *daemon_chmod_modes;
 
@@ -100,7 +100,8 @@ void free_sums(struct sum_struct *s)
 
 /* This is only called when we aren't preserving permissions.  Figure out what
  * the permissions should be and return them merged back into the mode. */
-mode_t dest_mode(mode_t flist_mode, mode_t stat_mode, int exists)
+mode_t dest_mode(mode_t flist_mode, mode_t stat_mode, int dflt_perms,
+		 int exists)
 {
 	int new_mode;
 	/* If the file already exists, we'll return the local permissions,
@@ -117,56 +118,65 @@ mode_t dest_mode(mode_t flist_mode, mode
 				new_mode |= (new_mode & 0444) >> 2;
 		}
 	} else {
-		/* Apply the umask and turn off special permissions. */
-		new_mode = flist_mode & (~CHMOD_BITS | (ACCESSPERMS & ~orig_umask));
+		/* Apply destination default permissions and turn
+		 * off special permissions. */
+		new_mode = flist_mode & (~CHMOD_BITS | dflt_perms);
 	}
 	return new_mode;
 }
 
-int set_file_attrs(char *fname, struct file_struct *file, STRUCT_STAT *st,
+int set_file_attrs(char *fname, struct file_struct *file, statx *sxp,
 		   int flags)
 {
 	int updated = 0;
-	STRUCT_STAT st2;
+	statx sx2;
 	int change_uid, change_gid;
 	mode_t new_mode = file->mode;
 
-	if (!st) {
+	if (!sxp) {
 		if (dry_run)
 			return 1;
-		if (link_stat(fname, &st2, 0) < 0) {
+		if (link_stat(fname, &sx2.st, 0) < 0) {
 			rsyserr(FERROR, errno, "stat %s failed",
 				full_fname(fname));
 			return 0;
 		}
-		st = &st2;
+#ifdef SUPPORT_ACLS
+		sx2.acc_acl = sx2.def_acl = NULL;
+#endif
 		if (!preserve_perms && S_ISDIR(new_mode)
-		 && st->st_mode & S_ISGID) {
+		 && sx2.st.st_mode & S_ISGID) {
 			/* We just created this directory and its setgid
 			 * bit is on, so make sure it stays on. */
 			new_mode |= S_ISGID;
 		}
+		sxp = &sx2;
 	}
 
-	if (!preserve_times || (S_ISDIR(st->st_mode) && omit_dir_times))
+#ifdef SUPPORT_ACLS
+	if (preserve_acls && !ACL_READY(*sxp))
+		get_acl(fname, sxp);
+#endif
+
+	if (!preserve_times || (S_ISDIR(sxp->st.st_mode) && omit_dir_times))
 		flags |= ATTRS_SKIP_MTIME;
 	if (!(flags & ATTRS_SKIP_MTIME)
-	    && cmp_time(st->st_mtime, file->modtime) != 0) {
-		int ret = set_modtime(fname, file->modtime, st->st_mode);
+	    && cmp_time(sxp->st.st_mtime, file->modtime) != 0) {
+		int ret = set_modtime(fname, file->modtime, sxp->st.st_mode);
 		if (ret < 0) {
 			rsyserr(FERROR, errno, "failed to set times on %s",
 				full_fname(fname));
-			return 0;
+			goto cleanup;
 		}
 		if (ret == 0) /* ret == 1 if symlink could not be set */
 			updated = 1;
 	}
 
-	change_uid = am_root && preserve_uid && st->st_uid != file->uid;
+	change_uid = am_root && preserve_uid && sxp->st.st_uid != file->uid;
 	change_gid = preserve_gid && file->gid != GID_NONE
-		&& st->st_gid != file->gid;
+		&& sxp->st.st_gid != file->gid;
 #if !defined HAVE_LCHOWN && !defined CHOWN_MODIFIES_SYMLINK
-	if (S_ISLNK(st->st_mode))
+	if (S_ISLNK(sxp->st.st_mode))
 		;
 	else
 #endif
@@ -176,45 +186,57 @@ int set_file_attrs(char *fname, struct f
 				rprintf(FINFO,
 					"set uid of %s from %ld to %ld\n",
 					fname,
-					(long)st->st_uid, (long)file->uid);
+					(long)sxp->st.st_uid, (long)file->uid);
 			}
 			if (change_gid) {
 				rprintf(FINFO,
 					"set gid of %s from %ld to %ld\n",
 					fname,
-					(long)st->st_gid, (long)file->gid);
+					(long)sxp->st.st_gid, (long)file->gid);
 			}
 		}
 		if (do_lchown(fname,
-		    change_uid ? file->uid : st->st_uid,
-		    change_gid ? file->gid : st->st_gid) != 0) {
+		    change_uid ? file->uid : sxp->st.st_uid,
+		    change_gid ? file->gid : sxp->st.st_gid) != 0) {
 			/* shouldn't have attempted to change uid or gid
 			 * unless have the privilege */
 			rsyserr(FERROR, errno, "%s %s failed",
 			    change_uid ? "chown" : "chgrp",
 			    full_fname(fname));
-			return 0;
+			goto cleanup;
 		}
 		/* a lchown had been done - we have to re-stat if the
 		 * destination had the setuid or setgid bits set due
 		 * to the side effect of the chown call */
-		if (st->st_mode & (S_ISUID | S_ISGID)) {
-			link_stat(fname, st,
-				  keep_dirlinks && S_ISDIR(st->st_mode));
+		if (sxp->st.st_mode & (S_ISUID | S_ISGID)) {
+			link_stat(fname, &sxp->st,
+				  keep_dirlinks && S_ISDIR(sxp->st.st_mode));
 		}
 		updated = 1;
 	}
 
 	if (daemon_chmod_modes && !S_ISLNK(new_mode))
 		new_mode = tweak_mode(new_mode, daemon_chmod_modes);
+
+#ifdef SUPPORT_ACLS
+	/* It's OK to call set_acl() now, even for a dir, as the generator
+	 * will enable owner-writability using chmod, if necessary.
+	 * 
+	 * If set_acl() changes permission bits in the process of setting
+	 * an access ACL, it changes sxp->st.st_mode so we know whether we
+	 * need to chmod(). */
+	if (preserve_acls && set_acl(fname, file, sxp) == 0)
+		updated = 1;
+#endif
+
 #ifdef HAVE_CHMOD
-	if ((st->st_mode & CHMOD_BITS) != (new_mode & CHMOD_BITS)) {
+	if ((sxp->st.st_mode & CHMOD_BITS) != (new_mode & CHMOD_BITS)) {
 		int ret = do_chmod(fname, new_mode);
 		if (ret < 0) {
 			rsyserr(FERROR, errno,
 				"failed to set permissions on %s",
 				full_fname(fname));
-			return 0;
+			goto cleanup;
 		}
 		if (ret == 0) /* ret == 1 if symlink could not be set */
 			updated = 1;
@@ -227,6 +249,11 @@ int set_file_attrs(char *fname, struct f
 		else
 			rprintf(FCLIENT, "%s is uptodate\n", fname);
 	}
+  cleanup:
+#ifdef SUPPORT_ACLS
+	if (preserve_acls && sxp == &sx2)
+		free_acl(&sx2);
+#endif
 	return updated;
 }
 
--- old/rsync.h
+++ new/rsync.h
@@ -492,6 +492,14 @@ struct idev {
 #define IN_LOOPBACKNET 127
 #endif
 
+#ifndef HAVE_NO_ACLS
+#define SUPPORT_ACLS 1
+#endif
+
+#if HAVE_UNIXWARE_ACLS|HAVE_SOLARIS_ACLS|HAVE_HPUX_ACLS
+#define ACLS_NEED_MASK 1
+#endif
+
 #define GID_NONE ((gid_t)-1)
 
 #define HL_CHECK_MASTER	0
@@ -653,6 +661,17 @@ struct stats {
 
 struct chmod_mode_struct;
 
+#define EMPTY_ITEM_LIST {NULL, 0, 0}
+
+typedef struct {
+	void *items;
+	size_t count;
+	size_t malloced;
+} item_list;
+
+#define EXPAND_ITEM_LIST(lp, type, incr) \
+	(type*)expand_item_list(lp, sizeof (type), #type, incr)
+
 #include "byteorder.h"
 #include "lib/mdfour.h"
 #include "lib/wildmatch.h"
@@ -669,6 +688,16 @@ struct chmod_mode_struct;
 #define UNUSED(x) x __attribute__((__unused__))
 #define NORETURN __attribute__((__noreturn__))
 
+typedef struct {
+    STRUCT_STAT st;
+#ifdef SUPPORT_ACLS
+    struct rsync_acl *acc_acl; /* access ACL */
+    struct rsync_acl *def_acl; /* default ACL */
+#endif
+} statx;
+
+#define ACL_READY(sx) ((sx).acc_acl != NULL)
+
 #include "proto.h"
 
 /* We have replacement versions of these if they're missing. */
--- old/rsync.yo
+++ new/rsync.yo
@@ -301,7 +301,7 @@ to the detailed description below for a 
  -q, --quiet                 suppress non-error messages
      --no-motd               suppress daemon-mode MOTD (see caveat)
  -c, --checksum              skip based on checksum, not mod-time & size
- -a, --archive               archive mode; same as -rlptgoD (no -H)
+ -a, --archive               archive mode; same as -rlptgoD (no -H, -A)
      --no-OPTION             turn off an implied OPTION (e.g. --no-D)
  -r, --recursive             recurse into directories
  -R, --relative              use relative path names
@@ -323,6 +323,7 @@ to the detailed description below for a 
  -p, --perms                 preserve permissions
  -E, --executability         preserve executability
      --chmod=CHMOD           affect file and/or directory permissions
+ -A, --acls                  preserve ACLs (implies -p) [non-standard]
  -o, --owner                 preserve owner (super-user only)
  -g, --group                 preserve group
      --devices               preserve device files (super-user only)
@@ -753,7 +754,9 @@ quote(itemization(
   permissions, though the bf(--executability) option might change just
   the execute permission for the file.
   it() New files get their "normal" permission bits set to the source
-  file's permissions masked with the receiving end's umask setting, and
+  file's permissions masked with the receiving directory's default
+  permissions (either the receiving process's umask, or the permissions
+  specified via the destination directory's default ACL), and
   their special permission bits disabled except in the case where a new
   directory inherits a setgid bit from its parent directory.
 ))
@@ -784,9 +787,11 @@ The preservation of the destination's se
 directories when bf(--perms) is off was added in rsync 2.6.7.  Older rsync
 versions erroneously preserved the three special permission bits for
 newly-created files when bf(--perms) was off, while overriding the
-destination's setgid bit setting on a newly-created directory.  (Keep in
-mind that it is the version of the receiving rsync that affects this
-behavior.)
+destination's setgid bit setting on a newly-created directory.  Default ACL
+observance was added to the ACL patch for rsync 2.6.7, so older (or
+non-ACL-enabled) rsyncs use the umask even if default ACLs are present.
+(Keep in mind that it is the version of the receiving rsync that affects
+these behaviors.)
 
 dit(bf(-E, --executability)) This option causes rsync to preserve the
 executability (or non-executability) of regular files when bf(--perms) is
@@ -804,6 +809,15 @@ quote(itemization(
 
 If bf(--perms) is enabled, this option is ignored.
 
+dit(bf(-A, --acls)) This option causes rsync to update the destination
+ACLs to be the same as the source ACLs.  This nonstandard option only
+works if the remote rsync also supports it.  bf(--acls) implies bf(--perms).
+
+Note also that an optimization of the ACL-sending protocol used by this
+version makes it incompatible with sending files to an older ACL-enabled
+rsync unless you double the bf(--acls) option (e.g. bf(-AA)).  This
+doubling is not needed when pulling files from an older rsync.
+
 dit(bf(--chmod)) This option tells rsync to apply one or more
 comma-separated "chmod" strings to the permission of the files in the
 transfer.  The resulting value is treated as though it was the permissions
@@ -1389,8 +1403,8 @@ if the receiving rsync is at least versi
 with older versions of rsync, but that also turns on the output of other
 verbose messages).
 
-The "%i" escape has a cryptic output that is 9 letters long.  The general
-format is like the string bf(YXcstpogz), where bf(Y) is replaced by the
+The "%i" escape has a cryptic output that is 11 letters long.  The general
+format is like the string bf(YXcstpoguax), where bf(Y) is replaced by the
 type of update being done, bf(X) is replaced by the file-type, and the
 other letters represent attributes that may be output if they are being
 modified.
@@ -1439,7 +1453,11 @@ quote(itemization(
   sender's value (requires bf(--owner) and super-user privileges).
   it() A bf(g) means the group is different and is being updated to the
   sender's value (requires bf(--group) and the authority to set the group).
-  it() The bf(z) slot is reserved for future use.
+  it() The bf(u) slot is reserved for reporting update (access) time changes
+  (a feature that is not yet released).
+  it() The bf(a) means that the ACL information changed.
+  it() The bf(x) slot is reserved for reporting extended attribute changes
+  (a feature that is not yet released).
 ))
 
 One other output is possible:  when deleting files, the "%i" will output
--- old/smb_acls.h
+++ new/smb_acls.h
@@ -0,0 +1,281 @@
+/* 
+   Unix SMB/Netbios implementation.
+   Version 2.2.x
+   Portable SMB ACL interface
+   Copyright (C) Jeremy Allison 2000
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#ifndef _SMB_ACLS_H
+#define _SMB_ACLS_H
+
+#if defined HAVE_POSIX_ACLS
+
+/* This is an identity mapping (just remove the SMB_). */
+
+#define SMB_ACL_TAG_T		acl_tag_t
+#define SMB_ACL_TYPE_T		acl_type_t
+#define SMB_ACL_PERMSET_T	acl_permset_t
+#define SMB_ACL_PERM_T		acl_perm_t
+#define SMB_ACL_READ		ACL_READ
+#define SMB_ACL_WRITE		ACL_WRITE
+#define SMB_ACL_EXECUTE		ACL_EXECUTE
+
+/* Types of ACLs. */
+#define SMB_ACL_USER		ACL_USER
+#define SMB_ACL_USER_OBJ	ACL_USER_OBJ
+#define SMB_ACL_GROUP		ACL_GROUP
+#define SMB_ACL_GROUP_OBJ	ACL_GROUP_OBJ
+#define SMB_ACL_OTHER		ACL_OTHER
+#define SMB_ACL_MASK		ACL_MASK
+
+#define SMB_ACL_T		acl_t
+
+#define SMB_ACL_ENTRY_T		acl_entry_t
+
+#define SMB_ACL_FIRST_ENTRY	ACL_FIRST_ENTRY
+#define SMB_ACL_NEXT_ENTRY	ACL_NEXT_ENTRY
+
+#define SMB_ACL_TYPE_ACCESS	ACL_TYPE_ACCESS
+#define SMB_ACL_TYPE_DEFAULT	ACL_TYPE_DEFAULT
+
+#elif defined HAVE_TRU64_ACLS
+
+/* This is for DEC/Compaq Tru64 UNIX */
+
+#define SMB_ACL_TAG_T		acl_tag_t
+#define SMB_ACL_TYPE_T		acl_type_t
+#define SMB_ACL_PERMSET_T	acl_permset_t
+#define SMB_ACL_PERM_T		acl_perm_t
+#define SMB_ACL_READ		ACL_READ
+#define SMB_ACL_WRITE		ACL_WRITE
+#define SMB_ACL_EXECUTE		ACL_EXECUTE
+
+/* Types of ACLs. */
+#define SMB_ACL_USER		ACL_USER
+#define SMB_ACL_USER_OBJ	ACL_USER_OBJ
+#define SMB_ACL_GROUP		ACL_GROUP
+#define SMB_ACL_GROUP_OBJ	ACL_GROUP_OBJ
+#define SMB_ACL_OTHER		ACL_OTHER
+#define SMB_ACL_MASK		ACL_MASK
+
+#define SMB_ACL_T		acl_t
+
+#define SMB_ACL_ENTRY_T		acl_entry_t
+
+#define SMB_ACL_FIRST_ENTRY	0
+#define SMB_ACL_NEXT_ENTRY	1
+
+#define SMB_ACL_TYPE_ACCESS	ACL_TYPE_ACCESS
+#define SMB_ACL_TYPE_DEFAULT	ACL_TYPE_DEFAULT
+
+#elif defined HAVE_UNIXWARE_ACLS || defined HAVE_SOLARIS_ACLS
+/*
+ * Donated by Michael Davidson <md@sco.COM> for UnixWare / OpenUNIX.
+ * Modified by Toomas Soome <tsoome@ut.ee> for Solaris.
+ */
+
+/* SVR4.2 ES/MP ACLs */
+typedef int SMB_ACL_TAG_T;
+typedef int SMB_ACL_TYPE_T;
+typedef ushort *SMB_ACL_PERMSET_T;
+typedef ushort SMB_ACL_PERM_T;
+#define SMB_ACL_READ		4
+#define SMB_ACL_WRITE		2
+#define SMB_ACL_EXECUTE		1
+
+/* Types of ACLs. */
+#define SMB_ACL_USER		USER
+#define SMB_ACL_USER_OBJ	USER_OBJ
+#define SMB_ACL_GROUP		GROUP
+#define SMB_ACL_GROUP_OBJ	GROUP_OBJ
+#define SMB_ACL_OTHER		OTHER_OBJ
+#define SMB_ACL_MASK		CLASS_OBJ
+
+typedef struct SMB_ACL_T {
+	int size;
+	int count;
+	int next;
+	struct acl acl[1];
+} *SMB_ACL_T;
+
+typedef struct acl *SMB_ACL_ENTRY_T;
+
+#define SMB_ACL_FIRST_ENTRY	0
+#define SMB_ACL_NEXT_ENTRY	1
+
+#define SMB_ACL_TYPE_ACCESS	0
+#define SMB_ACL_TYPE_DEFAULT	1
+
+#ifdef __CYGWIN__
+#define SMB_ACL_LOSES_SPECIAL_MODE_BITS
+#endif
+
+#elif defined HAVE_HPUX_ACLS
+
+/*
+ * Based on the Solaris & UnixWare code.
+ */
+
+#undef GROUP
+#include <sys/aclv.h>
+
+/* SVR4.2 ES/MP ACLs */
+typedef int SMB_ACL_TAG_T;
+typedef int SMB_ACL_TYPE_T;
+typedef ushort *SMB_ACL_PERMSET_T;
+typedef ushort SMB_ACL_PERM_T;
+#define SMB_ACL_READ		4
+#define SMB_ACL_WRITE		2
+#define SMB_ACL_EXECUTE		1
+
+/* Types of ACLs. */
+#define SMB_ACL_USER		USER
+#define SMB_ACL_USER_OBJ	USER_OBJ
+#define SMB_ACL_GROUP		GROUP
+#define SMB_ACL_GROUP_OBJ	GROUP_OBJ
+#define SMB_ACL_OTHER		OTHER_OBJ
+#define SMB_ACL_MASK		CLASS_OBJ
+
+typedef struct SMB_ACL_T {
+	int size;
+	int count;
+	int next;
+	struct acl acl[1];
+} *SMB_ACL_T;
+
+typedef struct acl *SMB_ACL_ENTRY_T;
+
+#define SMB_ACL_FIRST_ENTRY	0
+#define SMB_ACL_NEXT_ENTRY	1
+
+#define SMB_ACL_TYPE_ACCESS	0
+#define SMB_ACL_TYPE_DEFAULT	1
+
+#elif defined HAVE_IRIX_ACLS
+
+#define SMB_ACL_TAG_T		acl_tag_t
+#define SMB_ACL_TYPE_T		acl_type_t
+#define SMB_ACL_PERMSET_T	acl_permset_t
+#define SMB_ACL_PERM_T		acl_perm_t
+#define SMB_ACL_READ		ACL_READ
+#define SMB_ACL_WRITE		ACL_WRITE
+#define SMB_ACL_EXECUTE		ACL_EXECUTE
+
+/* Types of ACLs. */
+#define SMB_ACL_USER		ACL_USER
+#define SMB_ACL_USER_OBJ	ACL_USER_OBJ
+#define SMB_ACL_GROUP		ACL_GROUP
+#define SMB_ACL_GROUP_OBJ	ACL_GROUP_OBJ
+#define SMB_ACL_OTHER		ACL_OTHER_OBJ
+#define SMB_ACL_MASK		ACL_MASK
+
+typedef struct SMB_ACL_T {
+	int next;
+	BOOL freeaclp;
+	struct acl *aclp;
+} *SMB_ACL_T;
+
+#define SMB_ACL_ENTRY_T		acl_entry_t
+
+#define SMB_ACL_FIRST_ENTRY	0
+#define SMB_ACL_NEXT_ENTRY	1
+
+#define SMB_ACL_TYPE_ACCESS	ACL_TYPE_ACCESS
+#define SMB_ACL_TYPE_DEFAULT	ACL_TYPE_DEFAULT
+
+#elif defined HAVE_AIX_ACLS
+
+/* Donated by Medha Date, mdate@austin.ibm.com, for IBM */
+
+#include "/usr/include/acl.h"
+
+typedef uint *SMB_ACL_PERMSET_T;
+ 
+struct acl_entry_link{
+	struct acl_entry_link *prevp;
+	struct new_acl_entry *entryp;
+	struct acl_entry_link *nextp;
+	int count;
+};
+
+struct new_acl_entry{
+	unsigned short ace_len;
+	unsigned short ace_type;
+	unsigned int ace_access;
+	struct ace_id ace_id[1];
+};
+
+#define SMB_ACL_ENTRY_T		struct new_acl_entry*
+#define SMB_ACL_T		struct acl_entry_link*
+ 
+#define SMB_ACL_TAG_T		unsigned short
+#define SMB_ACL_TYPE_T		int
+#define SMB_ACL_PERM_T		uint
+#define SMB_ACL_READ		S_IRUSR
+#define SMB_ACL_WRITE		S_IWUSR
+#define SMB_ACL_EXECUTE		S_IXUSR
+
+/* Types of ACLs. */
+#define SMB_ACL_USER		ACEID_USER
+#define SMB_ACL_USER_OBJ	3
+#define SMB_ACL_GROUP		ACEID_GROUP
+#define SMB_ACL_GROUP_OBJ	4
+#define SMB_ACL_OTHER		5
+#define SMB_ACL_MASK		6
+
+
+#define SMB_ACL_FIRST_ENTRY	1
+#define SMB_ACL_NEXT_ENTRY	2
+
+#define SMB_ACL_TYPE_ACCESS	0
+#define SMB_ACL_TYPE_DEFAULT	1
+
+#else /* No ACLs. */
+
+/* No ACLS - fake it. */
+#define SMB_ACL_TAG_T		int
+#define SMB_ACL_TYPE_T		int
+#define SMB_ACL_PERMSET_T	mode_t
+#define SMB_ACL_PERM_T		mode_t
+#define SMB_ACL_READ		S_IRUSR
+#define SMB_ACL_WRITE		S_IWUSR
+#define SMB_ACL_EXECUTE		S_IXUSR
+
+/* Types of ACLs. */
+#define SMB_ACL_USER		0
+#define SMB_ACL_USER_OBJ	1
+#define SMB_ACL_GROUP		2
+#define SMB_ACL_GROUP_OBJ	3
+#define SMB_ACL_OTHER		4
+#define SMB_ACL_MASK		5
+
+typedef struct SMB_ACL_T {
+	int dummy;
+} *SMB_ACL_T;
+
+typedef struct SMB_ACL_ENTRY_T {
+	int dummy;
+} *SMB_ACL_ENTRY_T;
+
+#define SMB_ACL_FIRST_ENTRY	0
+#define SMB_ACL_NEXT_ENTRY	1
+
+#define SMB_ACL_TYPE_ACCESS	0
+#define SMB_ACL_TYPE_DEFAULT	1
+
+#endif /* No ACLs. */
+#endif /* _SMB_ACLS_H */
--- old/testsuite/acls.test
+++ new/testsuite/acls.test
@@ -0,0 +1,34 @@
+#! /bin/sh
+
+# This program is distributable under the terms of the GNU GPL (see
+# COPYING).
+
+# Test that rsync handles basic ACL preservation.
+
+. $srcdir/testsuite/rsync.fns
+
+$RSYNC --version | grep ", ACLs" >/dev/null || test_skipped "Rsync is configured without ACL support"
+case "$setfacl_nodef" in
+true) test_skipped "I don't know how to use your setfacl command" ;;
+esac
+
+makepath "$fromdir/foo"
+echo something >"$fromdir/file1"
+echo else >"$fromdir/file2"
+
+files='foo file1 file2'
+
+setfacl -m u:0:7 "$fromdir/foo" || test_skipped "Your filesystem has ACLs disabled"
+setfacl -m u:0:5 "$fromdir/file1"
+setfacl -m u:0:5 "$fromdir/file2"
+
+$RSYNC -avvA "$fromdir/" "$todir/"
+
+cd "$fromdir"
+getfacl $files >"$scratchdir/acls.txt"
+
+cd "$todir"
+getfacl $files | diff $diffopt "$scratchdir/acls.txt" -
+
+# The script would have aborted on error, so getting here means we've won.
+exit 0
--- old/testsuite/default-acls.test
+++ new/testsuite/default-acls.test
@@ -0,0 +1,65 @@
+#! /bin/sh
+
+# This program is distributable under the terms of the GNU GPL (see
+# COPYING).
+
+# Test that rsync obeys default ACLs. -- Matt McCutchen
+
+. $srcdir/testsuite/rsync.fns
+
+$RSYNC --version | grep ", ACLs" >/dev/null || test_skipped "Rsync is configured without ACL support"
+case "$setfacl_nodef" in
+true) test_skipped "I don't know how to use your setfacl command" ;;
+*-k*) opts='-dm u::7,g::5,o:5' ;;
+*) opts='-m d:u::7,d:g::5,d:o:5' ;;
+esac
+setfacl $opts "$scratchdir" || test_skipped "Your filesystem has ACLs disabled"
+
+# Call as: testit <dirname> <default-acl> <file-expected> <program-expected>
+testit() {
+    todir="$scratchdir/$1"
+    mkdir "$todir"
+    $setfacl_nodef "$todir"
+    if [ "$2" ]; then
+	case "$setfacl_nodef" in
+	*-k*) opts="-dm $2" ;;
+	*) opts="-m `echo $2 | sed 's/\([ugom]:\)/d:\1/g'`"
+	esac
+	setfacl $opts "$todir"
+    fi
+    # Make sure we obey ACLs when creating a directory to hold multiple transferred files,
+    # even though the directory itself is outside the transfer
+    $RSYNC -rvv "$scratchdir/dir" "$scratchdir/file" "$scratchdir/program" "$todir/to/"
+    check_perms "$todir/to" $4 "Target $1"
+    check_perms "$todir/to/dir" $4 "Target $1"
+    check_perms "$todir/to/file" $3 "Target $1"
+    check_perms "$todir/to/program" $4 "Target $1"
+    # Make sure get_local_name doesn't mess us up when transferring only one file
+    $RSYNC -rvv "$scratchdir/file" "$todir/to/anotherfile"
+    check_perms "$todir/to/anotherfile" $3 "Target $1"
+    # Make sure we obey default ACLs when not transferring a regular file
+    $RSYNC -rvv "$scratchdir/dir/" "$todir/to/anotherdir/"
+    check_perms "$todir/to/anotherdir" $4 "Target $1"
+}
+
+mkdir "$scratchdir/dir"
+echo "File!" >"$scratchdir/file"
+echo "#!/bin/sh" >"$scratchdir/program"
+chmod 777 "$scratchdir/dir"
+chmod 666 "$scratchdir/file"
+chmod 777 "$scratchdir/program"
+
+# Test some target directories
+umask 0077
+testit da777 u::7,g::7,o:7 rw-rw-rw- rwxrwxrwx
+testit da775 u::7,g::7,o:5 rw-rw-r-- rwxrwxr-x
+testit da750 u::7,g::5,o:0 rw-r----- rwxr-x---
+testit da770mask u::7,u:0:7,g::0,m:7,o:0 rw-rw---- rwxrwx---
+testit noda1 '' rw------- rwx------
+umask 0000
+testit noda2 '' rw-rw-rw- rwxrwxrwx
+umask 0022
+testit noda3 '' rw-r--r-- rwxr-xr-x
+
+# Hooray
+exit 0
--- old/testsuite/devices.test
+++ new/testsuite/devices.test
@@ -42,14 +42,14 @@ touch -r "$fromdir/block" "$fromdir/bloc
 $RSYNC -ai "$fromdir/block" "$todir/block2" \
     | tee "$outfile"
 cat <<EOT >"$chkfile"
-cD+++++++ block
+cD+++++++++ block
 EOT
 diff $diffopt "$chkfile" "$outfile" || test_fail "test 1 failed"
 
 $RSYNC -ai "$fromdir/block2" "$todir/block" \
     | tee "$outfile"
 cat <<EOT >"$chkfile"
-cD+++++++ block2
+cD+++++++++ block2
 EOT
 diff $diffopt "$chkfile" "$outfile" || test_fail "test 2 failed"
 
@@ -58,7 +58,7 @@ sleep 1
 $RSYNC -Di "$fromdir/block3" "$todir/block" \
     | tee "$outfile"
 cat <<EOT >"$chkfile"
-cD..T.... block3
+cD..T...... block3
 EOT
 diff $diffopt "$chkfile" "$outfile" || test_fail "test 3 failed"
 
@@ -66,15 +66,15 @@ $RSYNC -aiHvv "$fromdir/" "$todir/" \
     | tee "$outfile"
 filter_outfile
 cat <<EOT >"$chkfile"
-.d..t.... ./
-cD..t.... block
-cD....... block2
-cD+++++++ block3
-hD+++++++ block2.5 => block3
-cD+++++++ char
-cD+++++++ char2
-cD+++++++ char3
-cS+++++++ fifo
+.d..t...... ./
+cD..t...... block
+cD......... block2
+cD+++++++++ block3
+hD+++++++++ block2.5 => block3
+cD+++++++++ char
+cD+++++++++ char2
+cD+++++++++ char3
+cS+++++++++ fifo
 EOT
 if test ! -b "$fromdir/block2.5"; then
     sed -e '/block2\.5/d' \
--- old/testsuite/itemize.test
+++ new/testsuite/itemize.test
@@ -29,15 +29,15 @@ ln "$fromdir/foo/config1" "$fromdir/foo/
 $RSYNC -iplr "$fromdir/" "$todir/" \
     | tee "$outfile"
 cat <<EOT >"$chkfile"
-cd+++++++ ./
-cd+++++++ bar/
-cd+++++++ bar/baz/
->f+++++++ bar/baz/rsync
-cd+++++++ foo/
->f+++++++ foo/config1
->f+++++++ foo/config2
->f+++++++ foo/extra
-cL+++++++ foo/sym -> ../bar/baz/rsync
+cd+++++++++ ./
+cd+++++++++ bar/
+cd+++++++++ bar/baz/
+>f+++++++++ bar/baz/rsync
+cd+++++++++ foo/
+>f+++++++++ foo/config1
+>f+++++++++ foo/config2
+>f+++++++++ foo/extra
+cL+++++++++ foo/sym -> ../bar/baz/rsync
 EOT
 diff $diffopt "$chkfile" "$outfile" || test_fail "test 1 failed"
 
@@ -49,10 +49,10 @@ chmod 601 "$fromdir/foo/config2"
 $RSYNC -iplrH "$fromdir/" "$todir/" \
     | tee "$outfile"
 cat <<EOT >"$chkfile"
->f..T.... bar/baz/rsync
->f..T.... foo/config1
->f.sTp... foo/config2
-hf..T.... foo/extra => foo/config1
+>f..T...... bar/baz/rsync
+>f..T...... foo/config1
+>f.sTp..... foo/config2
+hf..T...... foo/extra => foo/config1
 EOT
 diff $diffopt "$chkfile" "$outfile" || test_fail "test 2 failed"
 
@@ -69,11 +69,11 @@ chmod 777 "$todir/bar/baz/rsync"
 $RSYNC -iplrtc "$fromdir/" "$todir/" \
     | tee "$outfile"
 cat <<EOT >"$chkfile"
-.f..tp... bar/baz/rsync
-.d..t.... foo/
-.f..t.... foo/config1
->fcstp... foo/config2
-cL..T.... foo/sym -> ../bar/baz/rsync
+.f..tp..... bar/baz/rsync
+.d..t...... foo/
+.f..t...... foo/config1
+>fcstp..... foo/config2
+cL..T...... foo/sym -> ../bar/baz/rsync
 EOT
 diff $diffopt "$chkfile" "$outfile" || test_fail "test 3 failed"
 
@@ -98,15 +98,15 @@ $RSYNC -ivvplrtH "$fromdir/" "$todir/" \
     | tee "$outfile"
 filter_outfile
 cat <<EOT >"$chkfile"
-.d        ./
-.d        bar/
-.d        bar/baz/
-.f...p... bar/baz/rsync
-.d        foo/
-.f        foo/config1
->f..t.... foo/config2
-hf        foo/extra
-.L        foo/sym -> ../bar/baz/rsync
+.d          ./
+.d          bar/
+.d          bar/baz/
+.f...p..... bar/baz/rsync
+.d          foo/
+.f          foo/config1
+>f..t...... foo/config2
+hf          foo/extra
+.L          foo/sym -> ../bar/baz/rsync
 EOT
 diff $diffopt "$chkfile" "$outfile" || test_fail "test 5 failed"
 
@@ -125,8 +125,8 @@ touch "$todir/foo/config2"
 $RSYNC -iplrtH "$fromdir/" "$todir/" \
     | tee "$outfile"
 cat <<EOT >"$chkfile"
-.f...p... foo/config1
->f..t.... foo/config2
+.f...p..... foo/config1
+>f..t...... foo/config2
 EOT
 diff $diffopt "$chkfile" "$outfile" || test_fail "test 7 failed"
 
@@ -135,15 +135,15 @@ $RSYNC -ivvplrtH --copy-dest=../ld "$fro
     | tee "$outfile"
 filter_outfile
 cat <<EOT >"$chkfile"
-cd+++++++ ./
-cd+++++++ bar/
-cd+++++++ bar/baz/
-cf        bar/baz/rsync
-cd+++++++ foo/
-cf        foo/config1
-cf        foo/config2
-hf        foo/extra => foo/config1
-cL..T.... foo/sym -> ../bar/baz/rsync
+cd+++++++++ ./
+cd+++++++++ bar/
+cd+++++++++ bar/baz/
+cf          bar/baz/rsync
+cd+++++++++ foo/
+cf          foo/config1
+cf          foo/config2
+hf          foo/extra => foo/config1
+cL..T...... foo/sym -> ../bar/baz/rsync
 EOT
 diff $diffopt "$chkfile" "$outfile" || test_fail "test 8 failed"
 
@@ -151,11 +151,11 @@ rm -rf "$todir"
 $RSYNC -iplrtH --copy-dest=../ld "$fromdir/" "$todir/" \
     | tee "$outfile"
 cat <<EOT >"$chkfile"
-cd+++++++ ./
-cd+++++++ bar/
-cd+++++++ bar/baz/
-cd+++++++ foo/
-hf        foo/extra => foo/config1
+cd+++++++++ ./
+cd+++++++++ bar/
+cd+++++++++ bar/baz/
+cd+++++++++ foo/
+hf          foo/extra => foo/config1
 EOT
 diff $diffopt "$chkfile" "$outfile" || test_fail "test 9 failed"
 
@@ -182,15 +182,15 @@ $RSYNC -ivvplrtH --link-dest="$lddir" "$
     | tee "$outfile"
 filter_outfile
 cat <<EOT >"$chkfile"
-cd+++++++ ./
-cd+++++++ bar/
-cd+++++++ bar/baz/
-hf        bar/baz/rsync
-cd+++++++ foo/
-hf        foo/config1
-hf        foo/config2
-hf        foo/extra => foo/config1
-hL        foo/sym -> ../bar/baz/rsync
+cd+++++++++ ./
+cd+++++++++ bar/
+cd+++++++++ bar/baz/
+hf          bar/baz/rsync
+cd+++++++++ foo/
+hf          foo/config1
+hf          foo/config2
+hf          foo/extra => foo/config1
+hL          foo/sym -> ../bar/baz/rsync
 EOT
 diff $diffopt "$chkfile" "$outfile" || test_fail "test 11 failed"
 
@@ -198,10 +198,10 @@ rm -rf "$todir"
 $RSYNC -iplrtH --dry-run --link-dest=../ld "$fromdir/" "$todir/" \
     | tee "$outfile"
 cat <<EOT >"$chkfile"
-cd+++++++ ./
-cd+++++++ bar/
-cd+++++++ bar/baz/
-cd+++++++ foo/
+cd+++++++++ ./
+cd+++++++++ bar/
+cd+++++++++ bar/baz/
+cd+++++++++ foo/
 EOT
 diff $diffopt "$chkfile" "$outfile" || test_fail "test 12 failed"
 
@@ -209,10 +209,10 @@ rm -rf "$todir"
 $RSYNC -iplrtH --link-dest=../ld "$fromdir/" "$todir/" \
     | tee "$outfile"
 cat <<EOT >"$chkfile"
-cd+++++++ ./
-cd+++++++ bar/
-cd+++++++ bar/baz/
-cd+++++++ foo/
+cd+++++++++ ./
+cd+++++++++ bar/
+cd+++++++++ bar/baz/
+cd+++++++++ foo/
 EOT
 diff $diffopt "$chkfile" "$outfile" || test_fail "test 13 failed"
 
@@ -240,14 +240,14 @@ filter_outfile
 # TODO fix really-old problem when combining -H with --compare-dest:
 # missing output for foo/extra hard-link (and it might not be updated)!
 cat <<EOT >"$chkfile"
-cd+++++++ ./
-cd+++++++ bar/
-cd+++++++ bar/baz/
-.f        bar/baz/rsync
-cd+++++++ foo/
-.f        foo/config1
-.f        foo/config2
-.L        foo/sym -> ../bar/baz/rsync
+cd+++++++++ ./
+cd+++++++++ bar/
+cd+++++++++ bar/baz/
+.f          bar/baz/rsync
+cd+++++++++ foo/
+.f          foo/config1
+.f          foo/config2
+.L          foo/sym -> ../bar/baz/rsync
 EOT
 diff $diffopt "$chkfile" "$outfile" || test_fail "test 15 failed"
 
@@ -255,10 +255,10 @@ rm -rf "$todir"
 $RSYNC -iplrtH --compare-dest="$lddir" "$fromdir/" "$todir/" \
     | tee "$outfile"
 cat <<EOT >"$chkfile"
-cd+++++++ ./
-cd+++++++ bar/
-cd+++++++ bar/baz/
-cd+++++++ foo/
+cd+++++++++ ./
+cd+++++++++ bar/
+cd+++++++++ bar/baz/
+cd+++++++++ foo/
 EOT
 diff $diffopt "$chkfile" "$outfile" || test_fail "test 16 failed"
 
--- old/uidlist.c
+++ new/uidlist.c
@@ -35,6 +35,7 @@
 extern int verbose;
 extern int preserve_uid;
 extern int preserve_gid;
+extern int preserve_acls;
 extern int numeric_ids;
 extern int am_root;
 
@@ -273,7 +274,7 @@ void send_uid_list(int f)
 	if (numeric_ids)
 		return;
 
-	if (preserve_uid) {
+	if (preserve_uid || preserve_acls) {
 		int len;
 		/* we send sequences of uid/byte-length/name */
 		for (list = uidlist; list; list = list->next) {
@@ -290,7 +291,7 @@ void send_uid_list(int f)
 		write_int(f, 0);
 	}
 
-	if (preserve_gid) {
+	if (preserve_gid || preserve_acls) {
 		int len;
 		for (list = gidlist; list; list = list->next) {
 			if (!list->name)
@@ -311,7 +312,7 @@ void recv_uid_list(int f, struct file_li
 	int id, i;
 	char *name;
 
-	if (preserve_uid && !numeric_ids) {
+	if ((preserve_uid || preserve_acls) && !numeric_ids) {
 		/* read the uid list */
 		while ((id = read_int(f)) != 0) {
 			int len = read_byte(f);
@@ -323,7 +324,7 @@ void recv_uid_list(int f, struct file_li
 		}
 	}
 
-	if (preserve_gid && !numeric_ids) {
+	if ((preserve_gid || preserve_acls) && !numeric_ids) {
 		/* read the gid list */
 		while ((id = read_int(f)) != 0) {
 			int len = read_byte(f);
@@ -335,6 +336,16 @@ void recv_uid_list(int f, struct file_li
 		}
 	}
 
+#ifdef SUPPORT_ACLS
+	if (preserve_acls && !numeric_ids) {
+		id_t *id;
+		while ((id = next_acl_uid(flist)) != NULL)
+			*id = match_uid(*id);
+		while ((id = next_acl_gid(flist)) != NULL)
+			*id = match_gid(*id);
+	}
+#endif
+
 	/* Now convert all the uids/gids from sender values to our values. */
 	if (am_root && preserve_uid && !numeric_ids) {
 		for (i = 0; i < flist->count; i++)
--- old/util.c
+++ new/util.c
@@ -1468,3 +1468,31 @@ int bitbag_next_bit(struct bitbag *bb, i
 
 	return -1;
 }
+
+void *expand_item_list(item_list *lp, size_t item_size,
+		       const char *desc, int incr)
+{
+	/* First time through, 0 <= 0, so list is expanded. */
+	if (lp->malloced <= lp->count) {
+		void *new_ptr;
+		size_t new_size = lp->malloced;
+		if (incr < 0)
+			new_size -= incr; /* increase slowly */
+		else if (new_size < (size_t)incr)
+			new_size += incr;
+		else
+			new_size *= 2;
+		new_ptr = realloc_array(lp->items, char, new_size * item_size);
+		if (verbose >= 4) {
+			rprintf(FINFO, "[%s] expand %s to %.0f bytes, did%s move\n",
+				who_am_i(), desc, (double)new_size * item_size,
+				new_ptr == lp->items ? " not" : "");
+		}
+		if (!new_ptr)
+			out_of_memory("expand_item_list");
+
+		lp->items = new_ptr;
+		lp->malloced = new_size;
+	}
+	return (char*)lp->items + (lp->count++ * item_size);
+}
--- old/proto.h
+++ new/proto.h
@@ -1,6 +1,15 @@
 /* This file is automatically generated with "make proto". DO NOT EDIT */
 
 int allow_access(char *addr, char *host, char *allow_list, char *deny_list);
+void free_acl(statx *sxp);
+int get_acl(const char *fname, statx *sxp);
+void send_acl(statx *sxp, int f);
+void receive_acl(struct file_struct *file, int f);
+void cache_acl(struct file_struct *file, statx *sxp);
+int set_acl(const char *fname, const struct file_struct *file, statx *sxp);
+id_t *next_acl_uid();
+id_t *next_acl_gid();
+int default_perms_for_dir(const char *dir);
 void base64_encode(char *buf, int len, char *out, int pad);
 char *auth_server(int f_in, int f_out, int module, char *host, char *addr,
 		  char *leader);
@@ -83,18 +92,18 @@ int f_name_cmp(struct file_struct *f1, s
 char *f_name(struct file_struct *f, char *fbuf);
 struct file_list *get_dirlist(char *dirname, int dlen,
 			      int ignore_filter_rules);
-int unchanged_attrs(struct file_struct *file, STRUCT_STAT *st);
-void itemize(struct file_struct *file, int ndx, int statret, STRUCT_STAT *st,
+int unchanged_attrs(struct file_struct *file, statx *sxp);
+void itemize(struct file_struct *file, int ndx, int statret, statx *sxp,
 	     int32 iflags, uchar fnamecmp_type, char *xname);
 int unchanged_file(char *fn, struct file_struct *file, STRUCT_STAT *st);
 void check_for_finished_hlinks(int itemizing, enum logcode code);
 void generate_files(int f_out, struct file_list *flist, char *local_name);
 void init_hard_links(void);
 int hard_link_check(struct file_struct *file, int ndx, char *fname,
-		    int statret, STRUCT_STAT *st, int itemizing,
+		    int statret, statx *sxp, int itemizing,
 		    enum logcode code, int skip);
 int hard_link_one(struct file_struct *file, int ndx, char *fname,
-		  int statret, STRUCT_STAT *st, char *toname, int terse,
+		  int statret, statx *sxp, char *toname, int terse,
 		  int itemizing, enum logcode code);
 void hard_link_cluster(struct file_struct *file, int master, int itemizing,
 		       enum logcode code);
@@ -223,8 +232,9 @@ void show_progress(OFF_T ofs, OFF_T size
 int recv_files(int f_in, struct file_list *flist, char *local_name);
 void setup_iconv();
 void free_sums(struct sum_struct *s);
-mode_t dest_mode(mode_t flist_mode, mode_t stat_mode, int exists);
-int set_file_attrs(char *fname, struct file_struct *file, STRUCT_STAT *st,
+mode_t dest_mode(mode_t flist_mode, mode_t stat_mode, int dflt_perms,
+		 int exists);
+int set_file_attrs(char *fname, struct file_struct *file, statx *sxp,
 		   int flags);
 RETSIGTYPE sig_int(UNUSED(int val));
 void finish_transfer(char *fname, char *fnametmp, char *partialptr,
@@ -320,4 +330,6 @@ void bitbag_set_bit(struct bitbag *bb, i
 void bitbag_clear_bit(struct bitbag *bb, int ndx);
 int bitbag_check_bit(struct bitbag *bb, int ndx);
 int bitbag_next_bit(struct bitbag *bb, int after);
+void *expand_item_list(item_list *lp, size_t item_size,
+		       const char *desc, int incr);
 int sys_gettimeofday(struct timeval *tv);
--- old/configure
+++ new/configure
@@ -1258,6 +1258,7 @@ Optional Features:
   --disable-largefile     omit support for large files
   --disable-ipv6          don't even try to use IPv6
   --disable-locale        turn off locale features
+  --enable-acl-support    Include ACL support (default=no)
 
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -12941,6 +12942,206 @@ fi
 fi
 
 
+for ac_func in aclsort
+do
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $ac_func
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
+
+int
+main ()
+{
+return $ac_func ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  eval "$as_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_var=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_var'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+if test x"$ac_cv_func_aclsort" = x"no"; then
+
+{ echo "$as_me:$LINENO: checking for aclsort in -lsec" >&5
+echo $ECHO_N "checking for aclsort in -lsec... $ECHO_C" >&6; }
+if test "${ac_cv_lib_sec_aclsort+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lsec  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char aclsort ();
+int
+main ()
+{
+return aclsort ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_lib_sec_aclsort=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_lib_sec_aclsort=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_sec_aclsort" >&5
+echo "${ECHO_T}$ac_cv_lib_sec_aclsort" >&6; }
+if test $ac_cv_lib_sec_aclsort = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBSEC 1
+_ACEOF
+
+  LIBS="-lsec $LIBS"
+
+fi
+
+fi
+
+
 { echo "$as_me:$LINENO: checking whether utime accepts a null argument" >&5
 echo $ECHO_N "checking whether utime accepts a null argument... $ECHO_C" >&6; }
 if test "${ac_cv_func_utime_null+set}" = set; then
@@ -14808,6 +15009,625 @@ fi
 
 
 
+
+
+for ac_header in sys/acl.h acl/libacl.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+else
+  # Is the header compilable?
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest.$ac_objext'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_header_compiler=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <$ac_header>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  ac_header_preproc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
+
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+
+    ;;
+esac
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  eval "$as_ac_Header=\$ac_header_preproc"
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+
+fi
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+
+
+
+for ac_func in _acl __acl _facl __facl
+do
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $ac_func
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
+
+int
+main ()
+{
+return $ac_func ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  eval "$as_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_var=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_var'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+#################################################
+# check for ACL support
+
+{ echo "$as_me:$LINENO: checking whether to support ACLs" >&5
+echo $ECHO_N "checking whether to support ACLs... $ECHO_C" >&6; }
+# Check whether --enable-acl-support was given.
+if test "${enable_acl_support+set}" = set; then
+  enableval=$enable_acl_support;  case "$enableval" in
+  yes)
+
+		case "$host_os" in
+		*sysv5*)
+			{ echo "$as_me:$LINENO: result: Using UnixWare ACLs" >&5
+echo "${ECHO_T}Using UnixWare ACLs" >&6; }
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_UNIXWARE_ACLS 1
+_ACEOF
+
+			;;
+		*solaris*|*cygwin*)
+			{ echo "$as_me:$LINENO: result: Using solaris ACLs" >&5
+echo "${ECHO_T}Using solaris ACLs" >&6; }
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_SOLARIS_ACLS 1
+_ACEOF
+
+			;;
+		*hpux*)
+			{ echo "$as_me:$LINENO: result: Using HPUX ACLs" >&5
+echo "${ECHO_T}Using HPUX ACLs" >&6; }
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_HPUX_ACLS 1
+_ACEOF
+
+			;;
+		*irix*)
+			{ echo "$as_me:$LINENO: result: Using IRIX ACLs" >&5
+echo "${ECHO_T}Using IRIX ACLs" >&6; }
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_IRIX_ACLS 1
+_ACEOF
+
+			;;
+		*aix*)
+			{ echo "$as_me:$LINENO: result: Using AIX ACLs" >&5
+echo "${ECHO_T}Using AIX ACLs" >&6; }
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_AIX_ACLS 1
+_ACEOF
+
+			;;
+		*osf*)
+			{ echo "$as_me:$LINENO: result: Using Tru64 ACLs" >&5
+echo "${ECHO_T}Using Tru64 ACLs" >&6; }
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_TRU64_ACLS 1
+_ACEOF
+
+			LIBS="$LIBS -lpacl"
+			;;
+		*)
+		    { echo "$as_me:$LINENO: result: ACLs requested -- running tests" >&5
+echo "${ECHO_T}ACLs requested -- running tests" >&6; }
+
+{ echo "$as_me:$LINENO: checking for acl_get_file in -lacl" >&5
+echo $ECHO_N "checking for acl_get_file in -lacl... $ECHO_C" >&6; }
+if test "${ac_cv_lib_acl_acl_get_file+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lacl  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char acl_get_file ();
+int
+main ()
+{
+return acl_get_file ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_lib_acl_acl_get_file=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_lib_acl_acl_get_file=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_acl_acl_get_file" >&5
+echo "${ECHO_T}$ac_cv_lib_acl_acl_get_file" >&6; }
+if test $ac_cv_lib_acl_acl_get_file = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBACL 1
+_ACEOF
+
+  LIBS="-lacl $LIBS"
+
+fi
+
+			{ echo "$as_me:$LINENO: checking for ACL support" >&5
+echo $ECHO_N "checking for ACL support... $ECHO_C" >&6; }
+if test "${samba_cv_HAVE_POSIX_ACLS+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+			cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <sys/types.h>
+#include <sys/acl.h>
+int
+main ()
+{
+ acl_t acl; int entry_id; acl_entry_t *entry_p; return acl_get_entry( acl, entry_id, entry_p);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  samba_cv_HAVE_POSIX_ACLS=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	samba_cv_HAVE_POSIX_ACLS=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $samba_cv_HAVE_POSIX_ACLS" >&5
+echo "${ECHO_T}$samba_cv_HAVE_POSIX_ACLS" >&6; }
+			{ echo "$as_me:$LINENO: checking ACL test results" >&5
+echo $ECHO_N "checking ACL test results... $ECHO_C" >&6; }
+			if test x"$samba_cv_HAVE_POSIX_ACLS" = x"yes"; then
+			    { echo "$as_me:$LINENO: result: Using posix ACLs" >&5
+echo "${ECHO_T}Using posix ACLs" >&6; }
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_POSIX_ACLS 1
+_ACEOF
+
+			    { echo "$as_me:$LINENO: checking for acl_get_perm_np" >&5
+echo $ECHO_N "checking for acl_get_perm_np... $ECHO_C" >&6; }
+if test "${samba_cv_HAVE_ACL_GET_PERM_NP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+				cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <sys/types.h>
+#include <sys/acl.h>
+int
+main ()
+{
+ acl_permset_t permset_d; acl_perm_t perm; return acl_get_perm_np( permset_d, perm);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  samba_cv_HAVE_ACL_GET_PERM_NP=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	samba_cv_HAVE_ACL_GET_PERM_NP=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $samba_cv_HAVE_ACL_GET_PERM_NP" >&5
+echo "${ECHO_T}$samba_cv_HAVE_ACL_GET_PERM_NP" >&6; }
+			    if test x"$samba_cv_HAVE_ACL_GET_PERM_NP" = x"yes"; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_ACL_GET_PERM_NP 1
+_ACEOF
+
+			    fi
+			else
+			    { { echo "$as_me:$LINENO: error: Failed to find ACL support" >&5
+echo "$as_me: error: Failed to find ACL support" >&2;}
+   { (exit 1); exit 1; }; }
+			fi
+			;;
+		esac
+		;;
+  *)
+    { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_NO_ACLS 1
+_ACEOF
+
+    ;;
+  esac
+else
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_NO_ACLS 1
+_ACEOF
+
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+
+fi
+
+
 ac_config_files="$ac_config_files Makefile lib/dummy zlib/dummy popt/dummy shconfig"
 
 cat >confcache <<\_ACEOF
--- old/config.h.in
+++ new/config.h.in
@@ -27,6 +27,18 @@
 /* Define to 1 if the `getpgrp' function requires zero arguments. */
 #undef GETPGRP_VOID
 
+/* Define to 1 if you have the `aclsort' function. */
+#undef HAVE_ACLSORT
+
+/* true if you have acl_get_perm_np */
+#undef HAVE_ACL_GET_PERM_NP
+
+/* Define to 1 if you have the <acl/libacl.h> header file. */
+#undef HAVE_ACL_LIBACL_H
+
+/* true if you have AIX ACLs */
+#undef HAVE_AIX_ACLS
+
 /* Define to 1 if you have `alloca', as a function or macro. */
 #undef HAVE_ALLOCA
 
@@ -119,6 +131,9 @@
 /* Define to 1 if you have the <grp.h> header file. */
 #undef HAVE_GRP_H
 
+/* true if you have HPUX ACLs */
+#undef HAVE_HPUX_ACLS
+
 /* Define to 1 if you have the <iconv.h> header file. */
 #undef HAVE_ICONV_H
 
@@ -134,6 +149,9 @@
 /* Define to 1 if you have the <inttypes.h> header file. */
 #undef HAVE_INTTYPES_H
 
+/* true if you have IRIX ACLs */
+#undef HAVE_IRIX_ACLS
+
 /* Define to 1 if you have the <langinfo.h> header file. */
 #undef HAVE_LANGINFO_H
 
@@ -143,6 +161,9 @@
 /* Define to 1 if you have the `lchown' function. */
 #undef HAVE_LCHOWN
 
+/* Define to 1 if you have the `acl' library (-lacl). */
+#undef HAVE_LIBACL
+
 /* Define to 1 if you have the <libcharset.h> header file. */
 #undef HAVE_LIBCHARSET_H
 
@@ -161,6 +182,9 @@
 /* Define to 1 if you have the `resolv' library (-lresolv). */
 #undef HAVE_LIBRESOLV
 
+/* Define to 1 if you have the `sec' library (-lsec). */
+#undef HAVE_LIBSEC
+
 /* Define to 1 if you have the `socket' library (-lsocket). */
 #undef HAVE_LIBSOCKET
 
@@ -226,9 +250,15 @@
 /* Define to 1 if you have the `nl_langinfo' function. */
 #undef HAVE_NL_LANGINFO
 
+/* true if you don't have ACLs */
+#undef HAVE_NO_ACLS
+
 /* Define to 1 if you have the `open64' function. */
 #undef HAVE_OPEN64
 
+/* true if you have posix ACLs */
+#undef HAVE_POSIX_ACLS
+
 /* Define to 1 if you have the `putenv' function. */
 #undef HAVE_PUTENV
 
@@ -280,6 +310,9 @@
 /* Define to 1 if you have the "socketpair" function */
 #undef HAVE_SOCKETPAIR
 
+/* true if you have solaris ACLs */
+#undef HAVE_SOLARIS_ACLS
+
 /* Define to 1 if you have the <stdint.h> header file. */
 #undef HAVE_STDINT_H
 
@@ -325,6 +358,9 @@
 /* Define to 1 if `st_rdev' is member of `struct stat'. */
 #undef HAVE_STRUCT_STAT_ST_RDEV
 
+/* Define to 1 if you have the <sys/acl.h> header file. */
+#undef HAVE_SYS_ACL_H
+
 /* Define to 1 if you have the <sys/dir.h> header file, and it defines `DIR'.
    */
 #undef HAVE_SYS_DIR_H
@@ -375,9 +411,15 @@
 /* Define to 1 if you have the `tcgetpgrp' function. */
 #undef HAVE_TCGETPGRP
 
+/* true if you have Tru64 ACLs */
+#undef HAVE_TRU64_ACLS
+
 /* Define to 1 if you have the <unistd.h> header file. */
 #undef HAVE_UNISTD_H
 
+/* true if you have UnixWare ACLs */
+#undef HAVE_UNIXWARE_ACLS
+
 /* Define to 1 if you have the "struct utimbuf" type */
 #undef HAVE_UTIMBUF
 
@@ -408,6 +450,18 @@
 /* Define to 1 if you have the `waitpid' function. */
 #undef HAVE_WAITPID
 
+/* Define to 1 if you have the `_acl' function. */
+#undef HAVE__ACL
+
+/* Define to 1 if you have the `_facl' function. */
+#undef HAVE__FACL
+
+/* Define to 1 if you have the `__acl' function. */
+#undef HAVE___ACL
+
+/* Define to 1 if you have the `__facl' function. */
+#undef HAVE___FACL
+
 /* Define to 1 if you have the `__va_copy' function. */
 #undef HAVE___VA_COPY
 
--- old/rsync.1
+++ new/rsync.1
@@ -367,7 +367,7 @@ to the detailed description below for a 
  \-q, \-\-quiet                 suppress non-error messages
      \-\-no\-motd               suppress daemon-mode MOTD (see caveat)
  \-c, \-\-checksum              skip based on checksum, not mod-time & size
- \-a, \-\-archive               archive mode; same as \-rlptgoD (no \-H)
+ \-a, \-\-archive               archive mode; same as \-rlptgoD (no \-H, \-A)
      \-\-no\-OPTION             turn off an implied OPTION (e\&.g\&. \-\-no\-D)
  \-r, \-\-recursive             recurse into directories
  \-R, \-\-relative              use relative path names
@@ -389,6 +389,7 @@ to the detailed description below for a 
  \-p, \-\-perms                 preserve permissions
  \-E, \-\-executability         preserve executability
      \-\-chmod=CHMOD           affect file and/or directory permissions
+ \-A, \-\-acls                  preserve ACLs (implies \-p) [non-standard]
  \-o, \-\-owner                 preserve owner (super-user only)
  \-g, \-\-group                 preserve group
      \-\-devices               preserve device files (super-user only)
@@ -870,7 +871,9 @@ permissions, though the \fB\-\-executabi
 the execute permission for the file\&.
 .IP o 
 New files get their "normal" permission bits set to the source
-file\&'s permissions masked with the receiving end\&'s umask setting, and
+file\&'s permissions masked with the receiving directory\&'s default
+permissions (either the receiving process\&'s umask, or the permissions
+specified via the destination directory\&'s default ACL), and
 their special permission bits disabled except in the case where a new
 directory inherits a setgid bit from its parent directory\&.
 .RE
@@ -908,9 +911,11 @@ The preservation of the destination\&'s 
 directories when \fB\-\-perms\fP is off was added in rsync 2\&.6\&.7\&.  Older rsync
 versions erroneously preserved the three special permission bits for
 newly-created files when \fB\-\-perms\fP was off, while overriding the
-destination\&'s setgid bit setting on a newly-created directory\&.  (Keep in
-mind that it is the version of the receiving rsync that affects this
-behavior\&.)
+destination\&'s setgid bit setting on a newly-created directory\&.  Default ACL
+observance was added to the ACL patch for rsync 2\&.6\&.7, so older (or
+non-ACL-enabled) rsyncs use the umask even if default ACLs are present\&.
+(Keep in mind that it is the version of the receiving rsync that affects
+these behaviors\&.)
 .IP 
 .IP "\fB\-E, \-\-executability\fP"
 This option causes rsync to preserve the
@@ -932,6 +937,16 @@ has a corresponding \&'r\&' permission e
 .IP 
 If \fB\-\-perms\fP is enabled, this option is ignored\&.
 .IP 
+.IP "\fB\-A, \-\-acls\fP"
+This option causes rsync to update the destination
+ACLs to be the same as the source ACLs\&.  This nonstandard option only
+works if the remote rsync also supports it\&.  \fB\-\-acls\fP implies \fB\-\-perms\fP\&.
+.IP 
+Note also that an optimization of the ACL-sending protocol used by this
+version makes it incompatible with sending files to an older ACL-enabled
+rsync unless you double the \fB\-\-acls\fP option (e\&.g\&. \fB\-AA\fP)\&.  This
+doubling is not needed when pulling files from an older rsync\&.
+.IP 
 .IP "\fB\-\-chmod\fP"
 This option tells rsync to apply one or more
 comma-separated "chmod" strings to the permission of the files in the
@@ -1605,8 +1620,8 @@ if the receiving rsync is at least versi
 with older versions of rsync, but that also turns on the output of other
 verbose messages)\&.
 .IP 
-The "%i" escape has a cryptic output that is 9 letters long\&.  The general
-format is like the string \fBYXcstpogz\fP, where \fBY\fP is replaced by the
+The "%i" escape has a cryptic output that is 11 letters long\&.  The general
+format is like the string \fBYXcstpoguax\fP, where \fBY\fP is replaced by the
 type of update being done, \fBX\fP is replaced by the file-type, and the
 other letters represent attributes that may be output if they are being
 modified\&.
@@ -1668,7 +1683,13 @@ sender\&'s value (requires \fB\-\-owner\
 A \fBg\fP means the group is different and is being updated to the
 sender\&'s value (requires \fB\-\-group\fP and the authority to set the group)\&.
 .IP o 
-The \fBz\fP slot is reserved for future use\&.
+The \fBu\fP slot is reserved for reporting update (access) time changes
+(a feature that is not yet released)\&.
+.IP o 
+The \fBa\fP means that the ACL information changed\&.
+.IP o 
+The \fBx\fP slot is reserved for reporting extended attribute changes
+(a feature that is not yet released)\&.
 .RE
 
 .IP