BaseContentService.getEntityAuthzGroups(Reference,String) contains a block of code specifically to treat attachment resources in a special way. This block of code looks like:
    if ( m_siteAttachments && (parts.length >= 3) && (parts[1].equals("attachment")))
        String siteId = parts[2];
        if ( m_siteService.siteExists(siteId) )
This code was introduced by security issue SAK-10743, in revision 32520. This check is overly restrictive. It does not allow for a specific attachment to potentially have specific public permissions set for it. A simple change can be made to the above, to add not only the site, but to add back the attachment resource itself to the list of available authorizations. A patch is attached that implements this change.
This issue is related to SAK-15571, which cannot be completed until this change is made.
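The effect of the site-only check described above can be seen in a small stand-alone model. This is an added example, not Sakai code and not the attached patch; the class name, reference formats, `PUBLIC_READ` set, fallback branch and sample ids are all assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Simplified stand-alone model, not Sakai code. All data below is constructed.
public class AttachmentAuthzGroupsDemo {
    static final boolean SITE_ATTACHMENTS = true;       // stands in for m_siteAttachments
    static final Set<String> SITES = Set.of("site-a");  // stands in for siteExists()
    // Authz groups that grant read access to anonymous users in this model:
    // only the attachment itself has been made public, not its site.
    static final Set<String> PUBLIC_READ =
            Set.of("/content/attachment/site-a/Assignments/report.pdf");

    // Hypothetical reference formats, chosen for this illustration.
    static String siteReference(String siteId) { return "/site/" + siteId; }
    static String resourceReference(String id) { return "/content" + id; }

    static List<String> authzGroups(String id, boolean addResourceBack) {
        List<String> rv = new ArrayList<>();
        String[] parts = id.split("/");  // ["", "attachment", siteId, ...]
        if (SITE_ATTACHMENTS && parts.length >= 3 && parts[1].equals("attachment")) {
            String siteId = parts[2];
            if (SITES.contains(siteId)) {
                if (addResourceBack) {
                    rv.add(resourceReference(id)); // proposed: keep the attachment's own group
                }
                rv.add(siteReference(siteId));     // current: the site is the only group
                return rv;
            }
        }
        rv.add(resourceReference(id)); // model-only fallback for everything else
        return rv;
    }

    // Anonymous read is allowed if any consulted authz group grants it.
    static boolean anonymousCanRead(String id, boolean addResourceBack) {
        return authzGroups(id, addResourceBack).stream().anyMatch(PUBLIC_READ::contains);
    }

    public static void main(String[] args) {
        String id = "/attachment/site-a/Assignments/report.pdf";
        for (boolean addBack : new boolean[] {false, true}) {
            System.out.println("addResourceBack=" + addBack
                    + " groups=" + authzGroups(id, addBack)
                    + " anonymousCanRead=" + anonymousCanRead(id, addBack));
        }
    }
}
```

With the resource added back, any grant stored on an attachment's own authz group is honoured again, so existing attachment-level grants are worth reviewing before the change is deployed.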