Improve WSL Security with Read-Only Filesystem
By default, WSL mounts every Windows drive with read and write access (rw). Though this is convenient for beginners, it means a compromised shell inside the WSL VM can modify files on your Windows host.
Instead, we can disable the auto mount feature using wsl.conf and selectively add read-only drives inside the WSL VM using /etc/fstab.
Overview
- Deactivate “auto mount” in /etc/wsl.conf
- Enable fstab using mountFsTab = true in wsl.conf
- Test that the config files and mounting work well
- Reboot the WSL VM to complete the setup
Example WSL Config wsl.conf
Place this at /etc/wsl.conf on the WSL VM
# Automatically mount Windows drive when the distribution is launched
[automount]
# disable auto-mounting of c:
enabled = false
# process fstab entries
mountFsTab = true
# disable launching windows exe files
[interop]
enabled = false
appendWindowsPath = false
Example /etc/fstab
First, make the target directory
$ mkdir -p /mnt/Users/USERNAME/Downloads
Add the entry to /etc/fstab
# <file system> <dir> <type> <options> <dump> <pass>
# READ ONLY MOUNTS
c:\\Users\\USERNAME\\Downloads /mnt/Users/USERNAME/Downloads drvfs defaults,ro 0 0
Testing FSTAB Before Launch
Test by un-mounting and re-mounting via fstab
$ umount /mnt/Users/USERNAME/Downloads
$ mount -a # mount fstab entries
$ ls -l /mnt/Users/USERNAME/Downloads
This should produce no errors and show the expected files in the target directory (umount and mount need root privileges). Because the drive is mounted with ro, an attempt to create or modify a file there should now fail with a "Read-only file system" error.
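As an added check that is not part of the original post, the following script audits the mount table for any Windows drive (drvfs) still mounted read-write; the mount-table lines are constructed samples in /proc/mounts format, and on a live WSL instance you would feed it /proc/mounts instead.

```shell
#!/bin/sh
# Audit drvfs mounts: report any Windows drive mounted read-write inside WSL.
# Reads mount-table lines in /proc/mounts format:
#   <source> <target> <fstype> <options> <dump> <pass>
# Returns 0 when every drvfs mount carries the "ro" option, 1 otherwise.
audit_drvfs_mounts() {
    bad=0
    while read -r src target fstype opts _dump _pass; do
        [ "$fstype" = "drvfs" ] || continue
        case ",$opts," in
            *,ro,*) printf 'OK   read-only : %s -> %s\n' "$src" "$target" ;;
            *)      printf 'WARN read-write: %s -> %s (%s)\n' "$src" "$target" "$opts"
                    bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample: default WSL automount, C: is read-write (hypothetical, not captured).
SAMPLE_DEFAULT='rootfs / lxfs rw,noatime 0 0
C:\ /mnt/c drvfs rw,noatime,uid=1000,gid=1000,case=off 0 0'

# Constructed sample: automount disabled, only the fstab entry from this post is mounted ro.
SAMPLE_HARDENED='rootfs / lxfs rw,noatime 0 0
C:\Users\USERNAME\Downloads /mnt/Users/USERNAME/Downloads drvfs ro,noatime,case=off 0 0'

# Run the audit over both samples; on a real system: audit_drvfs_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_DEFAULT"  | audit_drvfs_mounts || echo "default layout: FAIL"
printf '%s\n' "$SAMPLE_HARDENED" | audit_drvfs_mounts && echo "hardened layout: PASS"
```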
Re-launch WSL to Complete Test
OUTSIDE the VM, run wsl --shutdown DISTRO (note that wsl --shutdown stops every running distribution; wsl --terminate DISTRO stops a single one). You can launch the VM again by opening a new WSL tab in Windows Terminal or via the Start menu.
More Information on WSL-Conf
Full details on the wsl config file can be found in Microsoft’s documentation for wsl.conf.