By default make files and folders you have no rights to see hidden over SMB

Problem/Justification
It seems that in the transition from CORE to SCALE, a significant difference in how hidden files and folders behave over SMB has appeared. In SCALE, by default, files and folders you have no rights to see still appear (albeit you can’t actually access them, just read the file/folder names). In CORE this was not the case, and it was something I personally (and all my users) had assumed was normal behaviour. As I raise in this thread, "Difference in SMB Share Behaviour Between CORE and SCALE", this is not only a regression from CORE but also, IMO, introduces significant risks and confusion for users. Files and their attributes (including their names) may contain sensitive information, both concerning the file itself and also on the existence and intention of those who are allowed to access them.

You are able to solve this issue by adding the line hide unreadable = yes to SMB global. Some concerns were raised around the potential performance impact of doing this due to the differences in the kernels, but as you will see in the above thread, my testing suggests not. In fact, it accidentally highlights the huge performance benefits SCALE brings for directory listing over CORE.

Impact
By addressing this issue, not only will CORE users have a smoother transition to SCALE, as functionality will stay the same, but it will also keep potentially sensitive information secure and limited to only those that have access.

User Story
My ideal would be that this would become default behaviour, as it seems most people would assume this; however, at the very least, could we introduce an easy switch that would allow users to activate it if needed? TrueNAS has clearly had a keen focus on security over the last couple of years in particular, which is great; therefore I believe if you didn’t apply this ‘feature’ it would be a step backwards in that regard.

3 Likes
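An added example, not part of the original post or of TrueNAS: a small audit that reports which shares still list unreadable entries, given smb.conf-format text (for instance the output of `testparm -s`). The sample configuration and the function name are constructed for illustration; it assumes Samba's default of `hide unreadable = no`, does not follow `include` directives, and treats special sections such as `[homes]` like any other share.

```python
import configparser

# Constructed sample (not from the thread): one share inherits the global
# default, one share overrides it back to "no".
SAMPLE_CONF = """
[global]
workgroup = EXAMPLE
Hide Unreadable = yes

[projects]
path = /mnt/tank/projects

[public]
path = /mnt/tank/public
hide unreadable = no
"""

SAMBA_TRUE = {"yes", "true", "on", "1"}   # boolean spellings Samba accepts
KEY = "hideunreadable"                    # normalized parameter name


def shares_listing_unreadable(conf_text):
    """Return share names where 'hide unreadable' is effectively off."""
    cp = configparser.ConfigParser(
        interpolation=None,   # smb.conf uses %U, %S etc.; do not expand them
        strict=False,
        delimiters=("=",),
    )
    # Samba ignores case and whitespace in parameter names.
    cp.optionxform = lambda k: k.replace(" ", "").lower()
    cp.read_string(conf_text)

    def is_on(value):
        return value.strip().lower() in SAMBA_TRUE

    # A value in [global] acts as the default for every share.
    global_on = False
    for name in cp.sections():
        if name.lower() == "global":
            global_on = is_on(cp[name].get(KEY, "no"))

    exposed = []
    for name in cp.sections():
        if name.lower() == "global":
            continue
        value = cp[name].get(KEY)
        effective = global_on if value is None else is_on(value)
        if not effective:
            exposed.append(name)
    return exposed
```

On the constructed sample this flags only `public`, because a per-share `hide unreadable = no` overrides the global setting.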

Does anyone know what a Windows Server does for this issue? In general, that probably defines industry-standard behaviour.

Current workaround is:

If your CORE deployment assumes this behavior, please upvote.

2 Likes

On a Windows server sharing over SMB, if you do not have at least Read permissions on a file or folder, you will not see it in the directory listing. This is because Windows will hide files and folders you don’t have access to by default.

1 Like