[!GOOS:windows] stop
[!exec:icacls] skip
[!exec:powershell] skip

# Create $WORK\guest and give the Guests group full access.
# Files created within that directory will have different security attributes by default.
mkdir $WORK\guest
exec icacls $WORK\guest /grant '*S-1-5-32-546:(oi)(ci)f'

env TMP=$WORK\guest
env TEMP=$WORK\guest

# Build a binary using the guest directory as an intermediate
cd TestACL
go build -o main.exe main.go
# Build the same binary, but write it to the guest directory.
go build -o $TMP\main.exe main.go

# Read ACLs for the files.
exec powershell -Command 'Get-Acl main.exe | Select -expand AccessToString'
cp stdout $WORK\exe-acl.txt
exec powershell -Command 'Get-Acl main.go | Select -expand AccessToString'
cp stdout $WORK\src-acl.txt
cd $TMP
exec powershell -Command 'Get-Acl main.exe | Select -expand AccessToString'
cp stdout $WORK\guest-acl.txt

cd $WORK

# The executable written to the source directory should have the same ACL as the source file.
cmp $WORK\exe-acl.txt $WORK\src-acl.txt

# The file written to the guest-allowed directory should give Guests control.
grep 'BUILTIN\\Guests\s+Allow' $WORK\guest-acl.txt

# The file written to the ordinary directory should not.
! grep 'BUILTIN\\Guests\s+Allow' $WORK\exe-acl.txt


-- TestACL/go.mod --
module TestACL
-- TestACL/main.go --
package main
func main() {}