Huge Security Problem

Hello Will,

Reporting here a huge security risk and issue.
Just reported and opened a ticket with Synology about it.

Do you have any info from your side about this one?
Topic just here:

My case:

I’m on the last 7.2 DSM version.

  1. With an ADMIN account.

Go to:
Control Panel > Shared Folder > Edit “homes”

“Enable Recycle Bin”
“Restrict access to administrators only”

  1. With an USER account.

Go to:


One can delete “#recycle” folder and/or any files within this folder, even when “Restrict access to administrators only” is checked.

Moreover, the ADMIN account can see this delete action in the logs, but the ADMIN can’t recover the deleted “#recycle” folder in “homes/#recycle” nor any files inside of it.

By the way, all these “#recycle” folders inside each “homes” have “Everyone” permissions with full rights! Huge security issue.



@Will sorry to ping you here, but it looks like it’s a bug. I’ve asked several people if they can try it, they’re concerned too. Could you give it a quick try when you have the time?

To make it short: individual users shouldn’t access the #recycle in their “home” and delete anything from once “Enable Recycle Bin” and “Restrict access to administrators only” is ticked for “homes”.

Thanks for your time! :heart:

If you can reliably reproduce this, submit your finding to Synology.

Yes I can. Yes it was submitted but I wanted to know if there’re other people having this issue.

That is really interesting!

For me I very rarely ever use the home folder.

What I would do for now to mitigate this would be to enable snapshots on the homes folder. This way you can still undo whatever.

I would also submit a bug report to Synology! seems like an edge case they never really built out

Thanks Will.

I would love to completely drop the “home” folder as it’s looking somehow not finished. Unfortunately, we have to use it with Drive & Photos if I’m not mistaken.

Yep the snapshots trick will be the next step (thanks to your fantastic video about it).

The issue got escalated to the developers by a Synology Technician, I’ll let you know here as soon as I get any news.

Hey guys,

A quick update here as I’ve got a reply from the developers.

They say that if Restrict access to administrator only is ticked, it will be applied to /homes/#recycle only.

Meaning that this is the expected behavior.
Things make sense: user’s home folders are their own. If they decide to empty their Bins, it’s up to them. To keep the feature to restore files > Replication.

Anyway, that would be nice to add a warning there as it may be somehow confusing.