diff --git a/winsup/cygwin/sec_acl.cc b/winsup/cygwin/sec_acl.cc
index 64d183c48..4a47d22b1 100644
--- a/winsup/cygwin/sec_acl.cc
+++ b/winsup/cygwin/sec_acl.cc
@@ -809,7 +809,6 @@ get_posix_access (PSECURITY_DESCRIPTOR psd,
 			  aclsid[pos] = well_known_null_sid;
 			}
 		      has_class_perm = true;
-		      standard_ACEs_only = false;
 		      class_perm = lacl[pos].a_perm;
 		    }
 		  if (ace->Header.AceFlags & SUB_CONTAINERS_AND_OBJECTS_INHERIT)
@@ -1013,6 +1012,21 @@ get_posix_access (PSECURITY_DESCRIPTOR psd,
 	    }
 	}
     }
+  /* If this is a just created file, and this is an ACL with only standard
+     entries, or if standard POSIX permissions are missing (probably no
+     inherited ACEs so created from a default DACL), assign the permissions
+     specified by the file creation mask.  The values get masked by the
+     actually requested permissions by the caller per POSIX 1003.1e draft 17. */
+  if (just_created)
+    {
+      mode_t perms = (S_IRWXU | S_IRWXG | S_IRWXO) & ~cygheap->umask;
+      if (standard_ACEs_only || !saw_user_obj)
+	lacl[0].a_perm = (perms >> 6) & S_IRWXO;
+      if (standard_ACEs_only || !saw_group_obj)
+	lacl[1].a_perm = (perms >> 3) & S_IRWXO;
+      if (standard_ACEs_only || !saw_other_obj)
+	lacl[2].a_perm = perms & S_IRWXO;
+    }
   /* If this is an old-style or non-Cygwin ACL, and secondary user and group
      entries exist in the ACL, fake a matching CLASS_OBJ entry. The CLASS_OBJ
      permissions are the or'ed permissions of the primary group permissions
@@ -1041,21 +1055,6 @@ get_posix_access (PSECURITY_DESCRIPTOR psd,
       lacl[pos].a_perm = lacl[1].a_perm; /* == group perms */
       aclsid[pos] = well_known_null_sid;
     }
-  /* If this is a just created file, and this is an ACL with only standard
-     entries, or if standard POSIX permissions are missing (probably no
-     inherited ACEs so created from a default DACL), assign the permissions
-     specified by the file creation mask.  The values get masked by the
-     actually requested permissions by the caller per POSIX 1003.1e draft 17. */
-  if (just_created)
-    {
-      mode_t perms = (S_IRWXU | S_IRWXG | S_IRWXO) & ~cygheap->umask;
-      if (standard_ACEs_only || !saw_user_obj)
-	lacl[0].a_perm = (perms >> 6) & S_IRWXO;
-      if (standard_ACEs_only || !saw_group_obj)
-	lacl[1].a_perm = (perms >> 3) & S_IRWXO;
-      if (standard_ACEs_only || !saw_other_obj)
-	lacl[2].a_perm = perms & S_IRWXO;
-    }
   /* Ensure that the default acl contains at least
      DEF_(USER|GROUP|OTHER)_OBJ entries.  */
   if (types_def && (pos = searchace (lacl, MAX_ACL_ENTRIES, 0)) >= 0)
diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc
index 7894a6038..819e43d86 100644
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@@ -449,6 +449,7 @@ set_created_file_access (HANDLE handle, path_conv &pc, mode_t attr)
   tmp_pathbuf tp;
   aclent_t *aclp;
   int nentries, idx;
+  bool std_acl;
 
   if (!get_file_sd (handle, pc, sd, true))
     {
@@ -457,8 +458,8 @@ set_created_file_access (HANDLE handle, path_conv &pc, mode_t attr)
 	attr |= S_IFDIR;
       attr_rd = attr;
       aclp = (aclent_t *) tp.c_get ();
-      if ((nentries = get_posix_access (sd, &attr_rd, &uid, &gid,
-					aclp, MAX_ACL_ENTRIES)) >= 0)
+      if ((nentries = get_posix_access (sd, &attr_rd, &uid, &gid, aclp,
+					MAX_ACL_ENTRIES, &std_acl)) >= 0)
 	{
 	  if (S_ISLNK (attr))
 	    {
@@ -466,8 +467,7 @@ set_created_file_access (HANDLE handle, path_conv &pc, mode_t attr)
 	      aclp[0].a_perm = (attr >> 6) & S_IRWXO;
 	      if ((idx = searchace (aclp, nentries, GROUP_OBJ)) >= 0)
 		aclp[idx].a_perm = (attr >> 3) & S_IRWXO;
-	      if (nentries > MIN_ACL_ENTRIES
-		  && (idx = searchace (aclp, nentries, CLASS_OBJ)) >= 0)
+	      if ((idx = searchace (aclp, nentries, CLASS_OBJ)) >= 0)
 		aclp[idx].a_perm = (attr >> 3) & S_IRWXO;
 	      if ((idx = searchace (aclp, nentries, OTHER_OBJ)) >= 0)
 		aclp[idx].a_perm = attr & S_IRWXO;
@@ -477,10 +477,10 @@ set_created_file_access (HANDLE handle, path_conv &pc, mode_t attr)
 	      /* Overwrite ACL permissions as required by POSIX 1003.1e
 		 draft 17. */
 	      aclp[0].a_perm &= (attr >> 6) & S_IRWXO;
-	      if (nentries > MIN_ACL_ENTRIES
-		  && (idx = searchace (aclp, nentries, CLASS_OBJ)) >= 0)
+	      if ((idx = searchace (aclp, nentries, CLASS_OBJ)) >= 0)
 		aclp[idx].a_perm &= (attr >> 3) & S_IRWXO;
-	      else if ((idx = searchace (aclp, nentries, GROUP_OBJ)) >= 0)
+	      if (std_acl
+		  && (idx = searchace (aclp, nentries, GROUP_OBJ)) >= 0)
 		aclp[idx].a_perm &= (attr >> 3) & S_IRWXO;
 	      if ((idx = searchace (aclp, nentries, OTHER_OBJ)) >= 0)
 		aclp[idx].a_perm &= attr & S_IRWXO;