Index: hurd-0.6/trans/fakeroot.c
===================================================================
--- hurd-0.6.orig/trans/fakeroot.c
+++ hurd-0.6/trans/fakeroot.c
@@ -59,6 +59,8 @@ struct netnode
   unsigned int faked;
 };
 
+#define O_ALLOWED (O_READ | O_WRITE | O_EXEC)
+
 #define FAKE_UID	(1 << 0)
 #define FAKE_GID	(1 << 1)
 #define FAKE_AUTHOR	(1 << 2)
@@ -79,6 +81,11 @@ new_node (file_t file, mach_port_t idpor
 {
   error_t err;
   struct netnode *nn;
+
+  /* XXX: Limit openmodes */
+  if (openmodes > O_ALLOWED)
+    openmodes &= O_ALLOWED; /* works */
+
   *np = netfs_make_node_alloc (sizeof *nn);
   if (*np == 0)
     {
@@ -91,7 +98,12 @@ new_node (file_t file, mach_port_t idpor
     }
   nn = netfs_node_netnode (*np);
   nn->file = file;
-  nn->openmodes = openmodes;
+
+  /* FIXME: Forbid nn->openmodes == 0 and openmodes == 0? */
+  /* XXX: Change nn->openmodes selectively */
+  if (openmodes != nn->openmodes)  /* works */
+    nn->openmodes = openmodes;
+
   if (idport != MACH_PORT_NULL)
     nn->idport = idport;
   else
@@ -207,11 +219,14 @@ check_openmodes (struct netnode *nn, int
 {
   error_t err = 0;
 
-  if (newmodes &~ nn->openmodes)
+  /* XXX: Limit modes */
+  newmodes &= O_ALLOWED;
+  nn->openmodes &= O_ALLOWED;
+  if (~nn->openmodes & newmodes)
     {
       /* The user wants openmodes we haven't tried before.  */
 
-      if (file != MACH_PORT_NULL && (nn->openmodes & ~newmodes))
+      if (file != MACH_PORT_NULL && (nn->openmodes & newmodes )) /* works */
 	{
 	  /* Intersecting sets.
 	     We need yet another new peropen on this node.  */
@@ -237,7 +252,9 @@ check_openmodes (struct netnode *nn, int
 	     the old one.  We can just use it now.  */
 	  mach_port_deallocate (mach_task_self (), nn->file);
 	  nn->file = file;
-	  nn->openmodes = newmodes;
+	  /* XXX: Change nn->openmodes selectively */
+	  //if (newmodes > nn->openmodes)
+	    nn->openmodes = newmodes;
 	}
     }
   else if (file != MACH_PORT_NULL)
@@ -394,7 +411,8 @@ netfs_S_dir_lookup (struct protid *dirus
   else
     {
       pthread_spin_unlock (&netfs_node_refcnt_lock);
-      err = new_node (file, idport, 1, flags, &np);
+      /* XXX: Don't limit flags */
+      err = new_node (file, idport, 1, flags, &np); /* works with limit */
       pthread_mutex_unlock (&dnp->lock);
       if (!err)
 	{