I just noticed that setting a very restrictive ACL on a directory/file since 4.19.3 does not prevent the dir/file from being shown in directory listings anymore. This used to work up to 4.19.2. This could be an information leak.

I.e., I have a share containing 3 directories where "notshown" has a very restrictive ACL that prevents metadata information about the directory from being read:

root@filur00:/export/test # ls -l
total 2
drwx------+ 2 root wheel 2 Feb 22 11:40 notshown
drwx------+ 2 peter86 employee-liu.se 2 Feb 15 09:02 peter86
drwxr-x--- 2 root wheel 2 Feb 22 11:49 unreadable

root@filur00:/export/test # lac peter86
# file: peter86
# owner: peter86
# group: employee-liu.se
owner@:rwxpDdaARWcCos:fd-----:allow
everyone@:------a-R-c--s:fd-----:allow

root@filur00:/export/test # lac unreadable
# file: unreadable
# owner: root
# group: wheel
owner@:rwxp--aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow

root@filur00:/export/test # lac notshown
# file: notshown
# owner: root
# group: wheel
owner@:rwxpDdaARWcCos:fd-----:allow
everyone@:--------------:fd-----:allow

At Samba <= 4.19.2 it works as intended:

smb: \> dir
  . D 0 Thu Feb 22 11:49:36 2024
  .. D 0 Thu Feb 22 11:49:36 2024
  peter86 D 0 Thu Feb 15 09:02:48 2024
  unreadable D 0 Thu Feb 22 11:49:36 2024

  18472019379 blocks of size 1024. 18472019216 blocks available

At Samba >= 4.19.3 it displays the directory:

smb: \> dir
  . D 0 Thu Feb 22 11:49:36 2024
  .. D 0 Thu Feb 22 11:49:36 2024
  peter86 D 0 Thu Feb 15 09:02:48 2024
  unreadable D 0 Thu Feb 22 11:49:36 2024
  notshown D 0 Thu Feb 22 11:40:27 2024

  18472019489 blocks of size 1024. 18472019326 blocks available

I've tried the setting "hide unreadable = yes" but that hides all unreadable dirs/files (i.e. also the "unreadable" directory), which we don't want - only the ones with an ACL explicitly forbidding the reading of dir/file metadata should be hidden.
https://bugzilla.samba.org/show_bug.cgi?id=15093

Note to self: Always read *all* the release notes. Always.

Ok, so this is an intentional change. Drat.

Ok, then I'll have to figure out some other way to hide directories...
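Added example, not part of the original posts: a small audit helper that parses ACL listings in the text form shown above and reports which entries deny metadata reads to everyone@, i.e. the ones that relied on the pre-4.19.3 listing behaviour and are now visible. It assumes the `lac` output uses the FreeBSD compact NFSv4 notation in which lowercase `a` means read_attributes, and it only evaluates everyone@ entries (a user who is neither the owner nor in the owning group); the function names are hypothetical.

```python
# Constructed sample: the three ACL listings from the report, in `lac` text form.
SAMPLE = """\
# file: peter86
# owner: peter86
# group: employee-liu.se
owner@:rwxpDdaARWcCos:fd-----:allow
everyone@:------a-R-c--s:fd-----:allow
# file: unreadable
# owner: root
# group: wheel
owner@:rwxp--aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
# file: notshown
# owner: root
# group: wheel
owner@:rwxpDdaARWcCos:fd-----:allow
everyone@:--------------:fd-----:allow
"""

def parse(text):
    """Return {path: [(who, perms, type), ...]} from lac-style text."""
    acls, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# file:"):
            current = line.split(":", 1)[1].strip()
            acls[current] = []
        elif line and not line.startswith("#") and current is not None:
            # rsplit keeps principals such as "user:name" intact
            who, perms, _flags, kind = line.rsplit(":", 3)
            acls[current].append((who, perms, kind))
    return acls

def everyone_can_read_attributes(aces):
    """First everyone@ ACE that mentions 'a' decides; no match means no access."""
    for who, perms, kind in aces:
        if who == "everyone@" and "a" in perms:  # lowercase a only, not A
            return kind == "allow"
    return False

def relies_on_acl_hiding(text):
    """Paths whose ACL withholds read_attributes from everyone@."""
    return sorted(path for path, aces in parse(text).items()
                  if not everyone_can_read_attributes(aces))

if __name__ == "__main__":
    print(relies_on_acl_hiding(SAMPLE))
```

Entries reported here are the ones to protect by other means after upgrading, since the listing no longer hides them.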