Is it safe to leave Group - builtin_users Allow on private datasets that are not SMB shared but have nested datasets that are shared

[Nested Data]

I'm building a new pool and my dataset organization structure goes 3 levels deep with nested datasets. All bottom level datasets are private with ACL permissions setup so just users specific for those datasets can access them. Each bottom level dataset has its own SMB share setup. The upper level datasets are just for organization and are not shared.

When I created the upper level datasets I made them all SMB type just incase I ever needed to share them in the future. Those upper level dataset permissions by default include "Group - builtin_users Allow" which would grant all users access to that dataset if it was shared via SMB. I tried deleting "Group - builtin_users Allow" from the ACL but Truenas wont let me. Is this a security risk. The upperlevel dataset is not shared but nested dataset within it are. Could a user with access to a nested dataset somehow work their way up into the non shared upper level dataset and take advantage of these permissions?

 

[Tazlord]

It's strange that you can't delete the builtin_users ACL entry. I am able to delete them from my SMB datasets.

As far as it being a security risk, the builtin_users group does not have any members by default. I guess that makes it sorta less of a security risk. However, I have not been able to find a single straight forward answer as to why it even exists and why it's automatically added to SMB datasets. Like I mentioned, I just delete them on my datasets and set my ACL as I need and it all works fine.

Just out of curiosity, if I'm understanding your structure correctly, why don't you just create a "Home" dataset and enable the "Use as home dirs" advanced option in the SMB share properties? This will allow TrueNAS to automatically generate home dirs for any users you add to the system that have the "Home Directory" path and "Create Home DIrectory" option set in the user profile config. All permissions will be set automatically to not allow anyone except that user access to their home dir, if that's what you're trying to accomplish.