POSIX ACLs require the 3 standard ACEs: USER_OBJ, GROUP_OBJ, and OTHER. But if you clear all the ALLOW and DENY bits in the Security tab for a file, Windows doesn't send them at all. Currently, the ensure_canon_entry_valid routine in posix_acls.c makes sure all 3 are valid. If they don't exist, it reads the existing ACE and uses it. That makes it impossible to, for example, clear all the bits for "Everyone" (aka, OTHER). If you clear them all, Windows doesn't send any OTHER ACE and ensure_canon_entry_valid replaces it with whatever was there before; hence it's not changed. There could be a number of ways to resolve this, but the way it is now doesn't seem right.
Duplicate of #106 (Enter key bounced -- sorry.)
*** This bug has been marked as a duplicate of 106 ***
originally reported against 3.0aph24. Bugzilla spring cleaning. Removing old alpha versions.