By default make files and folders you have no rights to see hidden over SMB

Problem/Justification
It seems like in the transition from CORE to SCALE a significant difference in how hidden files and folders act over SMB has appeared. In SCALE, by default, files and folders you have no rights to see appear (albeit you can’t actually access them, just read the file/folder names). In CORE this was not the case and something I had personally (and all my users) assumed was normal behaviour. As I raise in the thread “Difference in SMB Share Behaviour Between CORE and SCALE”, this is not only a regression from CORE but also, IMO, introduces significant risks and confusion for users. Files and their attributes (including their names) may contain sensitive information, both concerning the file itself and also on the existence and intention of those who are allowed to access them. You are able to solve this issue by adding the line hide unreadable = yes to SMB global. Some concerns were raised around the potential performance impact of doing this due to the differences in the kernels, but as you will see in the above thread, my testing suggests not. In fact, it accidentally highlights the huge performance benefits SCALE brings for directory listing over CORE.

Impact
By addressing this issue not only will CORE users have a smoother transition to SCALE as functionality will stay the same but it will also keep potentially sensitive information secure and limited to only those that have access.

User Story
My ideal would be that this would become default behaviour, as it seems most people would assume this. However, at the very least, could we introduce an easy switch that would allow users to activate it if needed? TrueNAS has clearly had a keen focus on security over the last couple of years in particular, which is great; therefore I believe if you didn’t apply this ‘feature’ it would be a step backwards in that regard.

5 Likes

Does anyone know what a Windows Server does for this issue? In general, that probably defines industry-standard behaviour.

Current workaround is:

If your CORE deployment assumes this behavior, please upvote.

3 Likes

On a Windows server sharing over SMB if you do not have at least Read permissions on a file or folder you will not see it in the directory listing. This is because Windows will hide files and folders you don’t have access to by default.

1 Like

Out of interest did this get addressed or is there a plan to address it or will it remain a SCALE/COMMUNITY ‘Feature’?

I previously used SMB with a QNAP NAS, so not Windows Server, unfortunately. However, I can confirm that users, on connecting to a QNAP NAS’ SMB service from a remote Mac machine, only saw the shares they had access to.

Presently, in TrueNAS, a connecting user sees every share, even the ones they cannot access.

I’ve got Access-Based Share Enumeration enabled, but it doesn’t seem to actually hide anything.

To fix this:

Awesome! Thanks for making sure I saw this.

You’d think I would have noticed it up-thread, but it’s been that kind of week, I guess.

Are there any issues with using the CLI for this? It looks like the standard service command. Doesn’t that bypass the middleware?

No. The cli command interacts with the middleware. I’m not sure why this option (apparently) isn’t exposed through the GUI, but this method should still be safe.

1 Like

Awesome. I’ll try this today.

Though, now I’m curious what the difference is between this, and Access Based Share Enumeration, which is in the GUI.

Access Based Share Enumeration controls whether a user can see the advertised share based on if they have access or not.

The issue above is around users having access to the share but not necessarily the entire contents.

2 Likes
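The two settings distinguished above can be checked per share in Samba-style configuration text. The following is an added example, not part of the original thread and not TrueNAS code; the sample configuration, the share name Public and the paths are constructed for illustration, and it assumes Samba's rule that a share-level option set in [global] is the default for every share.

```python
import re

BOOL = {"yes": True, "true": True, "1": True, "no": False, "false": False, "0": False}
# Samba ignores case and spaces in parameter names; both options default to "no".
WATCHED = {"hideunreadable": "hide unreadable",
           "accessbasedshareenum": "access based share enum"}

def parse_smb_conf(text):
    """Return {section: {normalized_param: raw_value}} for smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def effective_hiding(text):
    """Per share: effective value of each watched option (share > [global] > default no)."""
    sections = parse_smb_conf(text)
    glob = sections.get("global", {})
    report = {}
    for name, params in sections.items():
        if name == "global":
            continue
        report[name] = {
            label: BOOL.get(params.get(key, glob.get(key, "no")).lower(), False)
            for key, label in WATCHED.items()
        }
    return report

# Constructed sample, not taken from any real system.
SAMPLE = """
[global]
    hide unreadable = Yes
[Shared123]
    path = /mnt/tank/shared123
    access based share enum = yes
[Public]
    path = /mnt/tank/public
    Hide Unreadable = no
"""

if __name__ == "__main__":
    for share, opts in effective_hiding(SAMPLE).items():
        print(share, opts)
```

The smb4.conf excerpt later in this thread uses include = registry, so share sections held in the registry do not appear in that file; the sample supplies them inline.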

Oh!

My apologies. I’ve been having issues with ABSE not working to hide the shares. I need to do some experimentation once I’ve updated to 25.04 to see if that’s still a problem.

Sorry for derailing the FR a bit. But, thanks for sharing the command for enabling hiding individual files. Glad to have learned about that and how the service command works with the middleware. 🙂

1 Like

Hello, I have the same problem. Do you have any updates on solving it?
I tried midclt call smb.update '{"smb_options": "hide unreadable = Yes"}', and the option is appended in smb4.conf, but it still doesn't work.

Try this instead.

  1. From the shell run cli
  2. service smb update smb_options="hide unreadable = yes"

Can’t recall if the service needs restarting or not so give that a try also.

1 Like

Are you sure there isn’t a missing underscore in there? Maybe hide_unreadable = yes ?

No underscore needed from what I can recall. Just tried it again on a test system and working fine however I’m still running EE.

You could try midclt call smb.update '{"smb_options": {"hide unreadable": "Yes"}}'
I'm sure the service needs a restart after also.

Don’t forget to vote above if you think this should be standard behaviour in TN or at the very least have a UI switch to enable.

I have this string in my smb4.conf, but the user can still see non-accessible shares.

Here is part of my smb4.conf:

root@truenas[/var/empty]# cat /etc/smb4.conf

SMB.CONF(5) The configuration file for the Samba suite

[global]
------------omited------------
hide unreadable = Yes
registry shares = True
include = registry
root@truenas[/var/empty]#

Have you applied any other aux parameters?

Have you restarted the service?

Has your client machine re-connected?

Hang on. This feature request is about not being able to see directories within a share that you don’t have access to. Are we talking about the same thing?

Let me explain a little better. Bob has access to Shared123 but does not have access to a directory in Shared123 called ‘Secret’ however he can still see it. Is this your issue?