Problem/Justification
It seems that in the transition from CORE to SCALE a significant difference in how hidden files and folders act over SMB has appeared. In SCALE, by default, files and folders you have no rights to see appear (albeit you can’t actually access them, just read the file/folder names). In CORE this was not the case, and it was something I had personally (and all my users) assumed was normal behaviour. As I raise in the thread "Difference in SMB Share Behaviour Between CORE and SCALE", this is not only a regression from CORE but also, IMO, introduces significant risks and confusion for users. Files and their attributes (including their names) may contain sensitive information, both concerning the file itself and also on the existence and intention of those who are allowed to access them. You are able to solve this issue by adding the line hide unreadable = yes to SMB global. Some concerns were raised around the potential performance impact of doing this due to the differences in the kernels, but as you will see in the above thread, my testing suggests not. In fact, it accidentally highlights the huge performance benefits SCALE brings for directory listing over CORE.
Impact
By addressing this issue, not only will CORE users have a smoother transition to SCALE, as functionality will stay the same, but it will also keep potentially sensitive information secure and limited to only those that have access.
User Story
My ideal would be that this would become default behaviour, as it seems most people would assume this; however, at the very least, could we introduce an easy switch that would allow users to activate it if needed? TrueNAS has clearly had a keen focus on security over the last couple of years in particular, which is great; therefore I believe if you didn’t apply this ‘feature’ it would be a step backwards in that regard.
On a Windows server sharing over SMB if you do not have at least Read permissions on a file or folder you will not see it in the directory listing. This is because Windows will hide files and folders you don’t have access to by default.
I previously used SMB with a QNAP NAS, so not Windows Server, unfortunately. However, I can confirm that users, on connecting to a QNAP NAS’ SMB service from a remote Mac machine, only saw the shares they had access to.
Presently, in TrueNAS, a connecting user sees every share, even the ones they cannot access.
I’ve got Access-Based Share Enumeration enabled, but it doesn’t seem to actually hide anything.
No. The cli command interacts with the middleware. I’m not sure why this option (apparently) isn’t exposed through the GUI, but this method should still be safe.
My apologies. I’ve been having issues with ABSE not working to hide the shares. I need to do some experimentation once I’ve updated to 25.04 to see if that’s still a problem.
Sorry for derailing the FR a bit. But, thanks for sharing the command for enabling hiding individual files. Glad to have learned about that and how the service command works with the middleware.
Hello, I met the same problem. Do you have any updates on solving it?
I tried midclt call smb.update '{"smb_options": "hide unreadable = Yes"}', and the option is appended in smb4.conf, but it still doesn't work.
Hang on. This feature request is about not being able to see directories within a share that you don’t have access to. Are we talking about the same thing?
Let me explain a little better. Bob has access to Shared123 but does not have access to a directory in Shared123 called ‘Secret’; however, he can still see it. Is this your issue?
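The situation discussed in this thread (a user who can list a share but cannot read some of the entries in it), as an added example that is not part of any post and is not TrueNAS or Samba code: a small audit that reports which names such a user would still see in a listing. It assumes plain POSIX mode bits only (NFSv4/POSIX ACLs, which TrueNAS shares commonly use, are ignored), and the sample tree, file names and the "Bob" uid/gid are constructed.

```python
import os
import stat
import tempfile

def perms_for(st, uid, gids):
    """rwx bits (0-7) that plain POSIX mode rules give uid/gids (no ACLs, no root override)."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def exposed_names(share_root, uid, gids):
    """Paths (relative to share_root) that uid can see in a listing but cannot read."""
    exposed = []
    for dirpath, dirnames, filenames in os.walk(share_root):
        # Listing a directory needs r, entering it needs x.
        if (perms_for(os.stat(dirpath), uid, gids) & 5) != 5:
            dirnames[:] = []
            continue
        readable_dirs = []
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not (perms_for(st, uid, gids) & 4):
                exposed.append(os.path.relpath(path, share_root))
            elif stat.S_ISDIR(st.st_mode):
                readable_dirs.append(name)
        dirnames[:] = readable_dirs  # never descend into what the user cannot read
    return sorted(exposed)

def build_sample_share():
    """Constructed sample tree: Shared123 containing a private 'Secret' directory."""
    root = os.path.join(tempfile.mkdtemp(), "Shared123")
    os.makedirs(os.path.join(root, "Secret"))
    for rel, mode in (("public.txt", 0o644), ("payroll.xlsx", 0o600),
                      ("Secret/plans.txt", 0o644)):
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "Secret"), 0o700)
    os.chmod(root, 0o755)
    return root

if __name__ == "__main__":
    root = build_sample_share()
    owner = os.stat(root)  # hypothetical "Bob": not the owner, not in the owning group
    print(exposed_names(root, owner.st_uid + 1, {owner.st_gid + 1}))
```

The names it reports are the ones a directory listing discloses to that user unless unreadable entries are hidden; on a share governed by ACLs, the result is only a first approximation.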