permcheck: fix nil entries

internal/permcheck/security_windows.go

@@ -72,16 +72,23 @@ func rangeACEs(dacl *windows.ACL, f aceFunc) (err error) {
 }
 
 // setSecurityInfo sets the security information on the specified file, using
-// ents to create a discretionary access control list.  Both owner and ents can
-// be nil, in which case the corresponding information is not set.
+// ents to create a discretionary access control list.  Either owner or ents can
+// be nil, in which case the corresponding information is not set, but at least
+// one of them should be specified.
 func setSecurityInfo(fname string, owner *windows.SID, ents []windows.EXPLICIT_ACCESS) (err error) {
 	var secInfo windows.SECURITY_INFORMATION
 
+	var acl *windows.ACL
 	if len(ents) > 0 {
 		// TODO(e.burkov):  Investigate if this whole set is necessary.
 		secInfo |= windows.DACL_SECURITY_INFORMATION |
 			windows.PROTECTED_DACL_SECURITY_INFORMATION |
 			windows.UNPROTECTED_DACL_SECURITY_INFORMATION
+
+		acl, err = windows.ACLFromEntries(ents, nil)
+		if err != nil {
+			return fmt.Errorf("creating access control list: %w", err)
+		}
 	}
 
 	if owner != nil {
@@ -92,11 +99,6 @@ func setSecurityInfo(fname string, owner *windows.SID, ents []windows.EXPLICIT_A
 		return errors.Error("no security information to set")
 	}
 
-	acl, err := windows.ACLFromEntries(ents, nil)
-	if err != nil {
-		return fmt.Errorf("creating access control list: %w", err)
-	}
-
 	err = windows.SetNamedSecurityInfo(fname, objectType, secInfo, owner, nil, acl, nil)
 	if err != nil {
 		return fmt.Errorf("setting security info: %w", err)