Access-based enumeration not respected by Opus 10

Hello,

I am having a problem with Directory Opus 10.5 not respecting 'access based enumeration' on my network shares. I am including a couple of screen captures that show a user seeing folders that access based enumeration should be hiding from them (Windows Explorer does hide them all the time) as well as what the user sees AFTER refreshing the file list window. You can see that a few of the folders disappear from the list after the list is refreshed.

My guess is that I think the "extra" folders appear when someone else who does have access to those folders puts some content in them. Opus seems to be detecting that content update and then lists them even though the access-based enumeration feature is turned on for the network share.

I look forward to your reply.

Jason




This feature appears to be implemented at the SMB level and is not supported by the higher-level functions that Opus uses (i.e. FindFirstFile, etc).

Thanks for the quick reply. Are you saying I shouldn't expect Opus to respect access based enumeration?

Jason

Not currently, no.

ok, that's sort of obvious, I guess. Really what I'm getting at is that I -do- expect Directory Opus to respect access based enumeration. More accurately, I -need- it to do so.

Since it doesn't do so currently, I'm making a request that this be added to a future release as soon as possible. I hope it's something that's not too hard to include. It's been a feature of Windows Server since Win2k3 Service Pack 1.

I realize that this feature is probably of very little consequence to a home user. Maybe that's why it doesn't currently support it. However, I think Opus is such an awesome file manager that everyone should use it, especially in a corporate environment. Obviously, in a corporate environment it is not desirable for the file manager to override (even briefly) decisions made by network administrators.

In the long run my corporate usage of Directory Opus could end if it doesn't respect access based enumeration. That would be a very difficult adjustment for me and my corporate users to make. The entire company has used it for many years and we all love it.

We use access based enumeration to prevent users from being able to see folders that they have no access to and shouldn't even know exist. In some situations, even seeing that a folder exists can be a confidentiality breach (unless your folder names are complete nonsense but who could live like that?).

Thanks for your help with this.

Opus is awesome and GP Software has my eternal gratitude for creating it!

Jason

Just out of interest, why does it matter if they do actually have no access to the folders?

Sorry, I didn't see your question until now. It matters because seeing the name of the folder even if they don't have access to it can itself be a confidentiality breach. Imagine a user from client A logs on and instead of only seeing the 'Client A' folder they sometimes also see a 'Client B' folder. Client A then knows that you work with client B. That sort of information is often times something that Client B doesn't want you to expose and sometimes contractually binds you to a statement that you won't expose it. Like I said in an earlier post you can get around it by using folder names that are essentially meaningless but who could operate that way?

It wouldn't surprise me to learn that the question of whether DO supported Access Based Enumeration or not was never fully considered given that I think its primary market has always been consumers not enterprise customers. It's my opinion that EVERYONE including, and perhaps especially, enterprise customers should be using DO. If you're not targeting corporate customers, you're missing a market that I think would really like the product.

In any case...

I think it's reasonable to expect that Directory Opus wouldn't undermine Windows File Sharing features. As such, I'm requesting that a future version of Directory Opus support/respect (however you want to view it) Access Based Enumeration, as soon as possible.

I've said on here many times and to anyone who ever asks me what file manager is it that I'm using that DO is AWESOME! I still think that but this is a very important issue for current and future corporate customers, in my opinion. Without this I'm not sure I can continue to use it in the long run and that's a very difficult thing to contemplate. Because it's so awesome, I've made it a very central part of how our entire company operates since we started using it probably close to a decade ago.

Thanks!

Jason

If there's a confidentiality issue that legally requires people not to know of folder names they don't have access to, this Windows feature can't do the job properly, since the legally sensitive information is leaking out of it. If Opus is showing it, other tools could as well. It looks like a bug in Windows since the folder names are being filtered out of what some APIs report but not others.

For what it's worth, turning off Preferences / File Operations / Options / Detect external file changes on network drives may stop the folders showing up, but will of course also disable automatic updates on network drives entirely, so people would need to push F5 to see changes. (And they'd be able to turn the option back on to start seeing the folders again.)

I follow this thread with interest. I never heard of ABE before, it sounds like a feature every admin should enable. I deal with shares and hundreds of subfolders I have no access to at work at least, so just for convenience this seems to be a good thing.

But if you read some articles about ABE on the net, you quickly get to know its limits. The biggest seems to be that ABE does not apply for administrative accounts, and it does not apply if you log on to a machine and its filesystem and also not for an actual share you have no access to etc. etc. So obviously, this is not meant to really protect users from seeing folders they don't have access to. It is what it is, a convenience thing for users and admins, which possibly get fewer requests to enable access on certain folders, because users' interest will not be triggered for things they cannot see. o)

This is quite nicely written: sreerajnair.com/2010/08/08/hidin ... ation-abe/

I'm curious if folders are hidden if you open a DOS prompt and dir them, or open firefox/opera/chrome and visit file:/// etc.

[quote="leo"]If there's a confidentiality issue that legally requires people not to know of folder names they don't have access to, this Windows feature can't do the job properly, since the legally sensitive information is leaking out of it. If Opus is showing it, other tools could as well. It looks like a bug in Windows since the folder names are being filtered out of what some APIs report but not others.

For what it's worth, turning off Preferences / File Operations / Options / Detect external file changes on network drives may stop the folders showing up, but will of course also disable automatic updates on network drives entirely, so people would need to push F5 to see changes. (And they'd be able to turn the option back on to start seeing the folders again.)[/quote]

Leo,

Thanks for the reply. As tbone points out, it's not a foolproof feature, and I didn't mean to imply that I expected it to be foolproof. I was just trying to illuminate why it matters that the file manager not show them the folders they don't have access to. I inadvertently introduced complications to this discussion which need not be part of the discussion. Please disregard any 'legal' aspects of the issue.

What I'm looking for is for the file manager not to show them the folders they don't have access to when access based enumeration is enabled on the network share. As tbone mentions, convenience for the user is another benefit of access based enumeration. I agree that's a useful benefit for sure. I've always believed that the main one was to prevent users from easily knowing about the existence of folders that they don't have access to but I guess I could have that backwards. In any case, preventing their easy knowledge of the existence of the folder is as far as I need to take it. I'm not trying to deal with a determined and knowledgeable user intent on circumventing the feature. If I have such a user, I have bigger problems.

I'm definitely not suggesting that Opus stop using the advanced functions that aren't aware of access based enumeration. I'm no Windows programmer by any means but I do program in other environments and I have tried to think about the 'cost' of what I'm asking, as much as I can imagine it, versus the benefit. I think of it as a filter (I don't mean a filter in the way of a file filter in the Opus GUI) which would be applied by Opus to any function call that returns folders (and their contents, when applicable) to the user. If the folder isn't returned by a call that respects access based enumeration then it's filtered out of the results before they're returned to the user.

I think it's reasonable to expect that Opus respect the presence of access based enumeration on a network share. Respectfully, I don't really see the argument against it. If I'm missing something and you have an argument for not respecting access based enumeration, please fill me in. I'm open to the idea that I'm missing something but I do need to know what it is. I'm really trying to make what I think is a reasonable request reasonably. If it's not coming across that way, please forgive my inability to get that across.

As you point out, I think that disabling Preferences / File Operations / Options / Detect external file changes on network drives would probably have an effect but the consequences of turning that feature off are not very desirable and the user could easily turn it back on unless I could somehow lock down their Opus configuration without creating other problems.

As ever, Opus is awesome and I'm in your debt for your work on this fabulous program. :thumbsup:

If you would like, I could arrange to call you to discuss this, if you think it would be helpful.

Thanks,

Jason

I meant to point out that Windows Explorer never shows the folders that users don't have access to when access based enumeration is enabled. That's the reason I was surprised to find that Opus was showing them sometimes. It never occurred to me that it would do that until I saw it happening.

Unrelated point: it would be great if posts could be edited by the poster. I don't see any way to edit a post once it's made.

Jason

Further clarification: I only expect Opus to respect access based enumeration as much as Windows Explorer respects it.

Jason

In the next update we'll fix this problem (that is, file change notification causing folders that should be hidden to appear in the file lists). Note that Opus 10 is no longer being updated so this fix will only be in Opus 11.
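The filter proposed earlier in the thread, and the notification-driven leak described in the post above, modelled as an added example (not Opus code and not part of any post): a file list that re-checks each change notification against the server-filtered listing before showing the folder. The share layout, user names, `enumerate_share`, `FileList` and `replay` are constructed for illustration, and the model assumes change notifications are not filtered by ABE, as the thread describes.

```python
from dataclasses import dataclass, field

# Constructed share layout: top-level folder -> users allowed to read it.
SHARE_ACL = {
    "Client A": {"alice"},
    "Client B": {"bob"},
    "Public": {"alice", "bob"},
}

def enumerate_share(user):
    """Stand-in for listing an ABE-enabled share: the server omits
    folders the user cannot read (assumed model, not a Windows API)."""
    return {name for name, readers in SHARE_ACL.items() if user in readers}

@dataclass
class FileList:
    user: str
    reconcile: bool              # True = apply the filter from the thread
    visible: set = field(default_factory=set)

    def refresh(self):
        # A full refresh (F5) always reflects the filtered listing.
        self.visible = enumerate_share(self.user)

    def on_change(self, folder):
        # Change notifications name the folder regardless of ABE (assumption).
        if self.reconcile and folder not in enumerate_share(self.user):
            self.visible.discard(folder)   # never display what a listing hides
            return
        self.visible.add(folder)

def replay(user, events, reconcile):
    """Refresh once, feed the notifications, return what the user sees."""
    file_list = FileList(user, reconcile)
    file_list.refresh()
    for folder in events:
        file_list.on_change(folder)
    return sorted(file_list.visible)

# Constructed notifications: bob saves a file in "Client B", then "Public".
EVENTS = ["Client B", "Public"]

if __name__ == "__main__":
    print("unfiltered:", replay("alice", EVENTS, reconcile=False))
    print("reconciled:", replay("alice", EVENTS, reconcile=True))
```

The reconciling list costs one extra listing per notification in this model; a real client would batch or cache that check.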

Awesome! So you're thinking it should be addressed in Opus 11.8?

Thanks.

Jason

Yes most likely, however there'll be a beta released before then if you want to try it earlier.

The new beta (11.7.2) with this fix in it is now available, if you'd like to try it.

Thanks!!!...I just noticed that today when I got an alert about 11.7.3.

Installing the latest release on my own PC now to check it out. Thanks for the quick handling of this. I'll let you know if I find any apparent problems.

Jason

Sorry, I have been meaning to update this topic for quite a while now.

Is it expected that ABE is functional in Directory Opus 11.10 (that's the version I'm currently on)? I'm still seeing that when the contents of folders that people don't have access to are changed those folders are listed in the File List window until that window is refreshed. This seems to be exactly what was happening before ABE was added to Directory Opus in an earlier Directory Opus 11 update.

I look forward to your reply,

Thanks,

Jason

Out of curiosity, does your network use Distributed File System namespaces? If so, ABE isn't enabled by default on DFS namespaces. msdn.microsoft.com/en-us/librar ... px#BKMK_UI

I don't use DFS. ABE is enabled on the shares. The problem I'm still having is described in the earlier posts.