
Tony Metzidis

Originally published at tonym.us

Improve WSL Security with Read-Only Filesystem


By default, all Windows drives are mounted with read and write access (rw) within WSL. Though this is convenient for beginners, it exposes your Windows host files to attacks launched from a shell inside the VM.

Instead, we can disable the auto-mount feature using wsl.conf and selectively add read-only drives inside the WSL VM using /etc/fstab.

Overview

  1. Deactivate "auto mount" in /etc/wsl.conf
  2. Enable fstab using mountFsTab = true in wsl.conf
  3. Test that the config files and mounting work well
  4. Reboot the WSL VM to complete the setup

Example WSL Config wsl.conf

Place this inside the /etc/ directory on the WSL VM

# Automatically mount Windows drive when the distribution is launched
[automount]

# disable auto-mounting of c:
enabled = false

# process fstab entries
mountFsTab = true

# disable launching windows exe files
[interop]
enabled = false
appendWindowsPath = false


Example /etc/fstab

First, make the target directory

$ mkdir -p /mnt/Users/USERNAME/Downloads


Add the entry to /etc/fstab

#file system dir type options dump pass
# READ ONLY MOUNTS
c:\\Users\\USERNAME\\Downloads /mnt/Users/USERNAME/Downloads drvfs defaults,ro 0 0


Testing FSTAB Before Launch

Test by un-mounting and re-mounting via fstab

$ umount /mnt/Users/USERNAME/Downloads
$ mount -a # mount fstab entries
$ ls -l /mnt/Users/USERNAME/Downloads


This should produce no errors and show the expected files at the target directory.
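A static check of both files before relaunching, as an added example that is not part of the original post. The function names audit_wsl_conf and audit_fstab and the sample entries (including the d: line) are constructed for illustration, and wsl.conf keys are compared exactly as the post spells them.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit the two files the post edits.

# Print each hardening setting from the post that FILE lacks; exit status 1 if any.
# Keys are compared exactly as the post spells them (an assumption of this example).
audit_wsl_conf() {
  awk -F'=' '
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    /^[ \t]*#/ || /^[ \t\r]*$/ { next }          # comments and blank lines
    /^[ \t]*\[/ { sec = trim($0); next }         # section header, e.g. [automount]
    NF >= 2 { seen[sec "." trim($1)] = trim($2) }
    END {
      want["[automount].enabled"] = "false"
      want["[automount].mountFsTab"] = "true"
      want["[interop].enabled"] = "false"
      want["[interop].appendWindowsPath"] = "false"
      for (k in want) if (seen[k] != want[k]) {
        print "wsl.conf: " k " should be " want[k]; bad = 1
      }
      exit bad + 0
    }' "$1"
}

# Print every drvfs entry in FILE that is not strictly read-only; exit status 1 if any.
# An entry passes only if its options contain "ro" and do not contain "rw".
audit_fstab() {
  awk '
    /^[ \t]*#/ || NF < 4 { next }
    $3 == "drvfs" {
      n = split($4, opt, ","); ro = 0; rw = 0
      for (i = 1; i <= n; i++) { if (opt[i] == "ro") ro = 1; if (opt[i] == "rw") rw = 1 }
      if (!ro || rw) { print "fstab: " $2 " is mounted writable (" $4 ")"; bad = 1 }
    }
    END { exit bad + 0 }' "$1"
}

# Constructed sample files: the settings from the post, plus a writable d: entry
# that is not in the post and is there only to show a finding.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '[automount]' 'enabled = false' 'mountFsTab = true' \
  '[interop]' 'enabled = false' 'appendWindowsPath = false' > "$demo/wsl.conf"
printf '%s\n' '# READ ONLY MOUNTS' \
  'c:\\Users\\USERNAME\\Downloads /mnt/Users/USERNAME/Downloads drvfs defaults,ro 0 0' \
  'd: /mnt/d drvfs defaults 0 0' > "$demo/fstab"
audit_wsl_conf "$demo/wsl.conf" && echo "wsl.conf: ok"
audit_fstab "$demo/fstab" || echo "fstab: fix the entries listed above"
```

Inside the VM, point the two functions at /etc/wsl.conf and /etc/fstab instead of the sample files.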

Re-launch WSL to Complete Test

OUTSIDE the VM, run wsl --shutdown DISTRO. You can then launch the VM by opening a new WSL tab in Windows Terminal or via the Start menu.

More Information on WSL-Conf

Full details on the WSL config file can be found in Microsoft's documentation for wsl.config.