Improve WSL Security with Read-Only Filesystem

Posted on Wed 04 October 2023 in linux

By default, WSL mounts every fixed Windows drive read-write (rw) under /mnt. That is convenient for beginners, but it means anything that runs inside the distro, including a compromised package or a malicious script, can read and modify files on the Windows host.

Instead, we can disable the automount feature in wsl.conf and selectively mount only the Windows folders we need, read-only, via /etc/fstab.

Overview

  1. Deactivate automount in /etc/wsl.conf
  2. Enable fstab processing with mountFsTab = true in wsl.conf (this is the default, but set it explicitly)
  3. Test that the config file parses and that the fstab mounts work
  4. Restart the WSL distro to complete the setup

Example wsl.conf

Place this at /etc/wsl.conf inside the WSL distro (editing it requires root). Note that disabling interop also stops Linux processes from launching Windows programs, so anything that relies on calling a Windows executable from the Linux side (for example opening a folder with explorer.exe) will stop working.

# [automount] controls how WSL mounts Windows drives when the distribution is launched
[automount]

# do not auto-mount fixed drives (C:, D:, ...) under /mnt
enabled = false

# still process /etc/fstab entries at launch (default is true; set it explicitly)
mountFsTab = true


# [interop] controls whether Linux processes can run Windows executables;
# disabling it closes a second path from the distro to the host
[interop]
enabled = false
# do not append the Windows PATH entries to the Linux PATH
appendWindowsPath = false

Example /etc/fstab

First, create the mount point. Directories under /mnt belong to root, so use sudo:

$ sudo mkdir -p /mnt/Users/USERNAME/Downloads

Then add the entry to /etc/fstab (replace USERNAME with your Windows user name). fstab fields are whitespace-separated, so a space inside a path must be written as the octal escape \040.

#file system                     dir                              type    options        dump  pass
# READ ONLY MOUNTS
c:\\Users\\USERNAME\\Downloads   /mnt/Users/USERNAME/Downloads    drvfs   defaults,ro    0     0

Testing /etc/fstab Before Relaunch

Test by mounting the fstab entries. If the target is already mounted from an earlier attempt, unmount it first; on a fresh setup the umount step will simply report that it is not mounted.

$ sudo umount /mnt/Users/USERNAME/Downloads
$ sudo mount -a  # mount all fstab entries
$ ls -l /mnt/Users/USERNAME/Downloads

This should produce no errors and list the expected files. A write attempt at the mount point, such as creating a file there, should fail with "Read-only file system"; if it succeeds, the ro option did not take effect.

Relaunch WSL to Complete the Test

OUTSIDE the distro, run wsl --terminate DISTRO from PowerShell or cmd (wsl --shutdown takes no distro argument; it stops every distro and the WSL VM). Then launch the distro again by opening a new WSL tab in Windows Terminal or via the Start menu, and confirm that /mnt/c is no longer mounted and that the read-only entry from /etc/fstab is.
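The checks from the steps above, collected into one script as an added example (not code from the original post): a helper that builds a read-only drvfs fstab line with fstab's \040 escaping for spaces, a check that a mount point really carries the ro option (read from /proc/mounts, or from a file you pass in), and a check that a wsl.conf contains the three hardening settings from this post. The function names, the "Jane Doe" path, and the sample wsl.conf and mounts files are constructed for illustration; the mounts snapshot is simplified and is not a real WSL /proc/mounts dump.

```shell
#!/bin/sh
# Added example (not from the original post): helper functions that
# build read-only drvfs fstab entries and verify the resulting setup.
# Paths, the sample wsl.conf and the sample mounts file below are all
# constructed for illustration.

# Build an /etc/fstab line for a read-only drvfs mount.
# fstab separates fields with whitespace, so any space inside a path
# must be written as the octal escape \040 (standard fstab escaping).
fstab_entry() {
  win_path=$(printf '%s' "$1" | sed 's/ /\\040/g')
  mount_point=$(printf '%s' "$2" | sed 's/ /\\040/g')
  printf '%s %s drvfs defaults,ro 0 0\n' "$win_path" "$mount_point"
}

# Return 0 if the given mount point is mounted with the "ro" option.
# Reads /proc/mounts by default; a different file can be passed for testing.
mount_is_ro() {
  awk -v mp="$1" '
    $2 == mp { n = split($4, opts, ","); for (i = 1; i <= n; i++) if (opts[i] == "ro") found = 1 }
    END { exit found ? 0 : 1 }
  ' "${2:-/proc/mounts}"
}

# Return 0 if a wsl.conf contains all three hardening settings used in
# this post: [automount] enabled=false, [automount] mountFsTab=true,
# [interop] enabled=false. Section and key matching is case-insensitive.
wsl_conf_check() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    /^[[:space:]]*\[/ {
      sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/].*$/, "", sec)
      sec = tolower(sec); next
    }
    {
      eq = index($0, "="); if (eq == 0) next
      key = tolower(substr($0, 1, eq - 1)); val = tolower(substr($0, eq + 1))
      gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val)
      if (sec == "automount" && key == "enabled"    && val == "false") no_automount = 1
      if (sec == "automount" && key == "mountfstab" && val == "true")  fstab_on = 1
      if (sec == "interop"   && key == "enabled"    && val == "false") no_interop = 1
    }
    END { exit (no_automount && fstab_on && no_interop) ? 0 : 1 }
  ' "$1"
}

# --- Demo on constructed input (no WSL needed) ---------------------------
SAMPLE_DIR=$(mktemp -d)

# Hardened wsl.conf, as recommended in the post.
cat > "$SAMPLE_DIR/wsl.conf" <<'EOF'
[automount]
enabled = false
mountFsTab = true

[interop]
enabled = false
appendWindowsPath = false
EOF

# Weak variant: the WSL default, every fixed drive mounted read-write.
cat > "$SAMPLE_DIR/wsl.conf.weak" <<'EOF'
[automount]
enabled = true
EOF

# Constructed, simplified /proc/mounts snapshot: C: mounted rw by automount,
# the Downloads folder mounted ro via fstab.
cat > "$SAMPLE_DIR/mounts" <<'EOF'
C:\ /mnt/c drvfs rw,relatime 0 0
C:\Users\USERNAME\Downloads /mnt/Users/USERNAME/Downloads drvfs ro,relatime 0 0
EOF

echo "fstab line for a path containing a space:"
fstab_entry 'C:\\Users\\Jane Doe\\Downloads' '/mnt/Users/Jane Doe/Downloads'

for f in wsl.conf wsl.conf.weak; do
  if wsl_conf_check "$SAMPLE_DIR/$f"; then echo "$f: hardened"; else echo "$f: NOT hardened"; fi
done

for mp in /mnt/c /mnt/Users/USERNAME/Downloads; do
  if mount_is_ro "$mp" "$SAMPLE_DIR/mounts"; then echo "$mp: read-only"; else echo "$mp: WRITABLE"; fi
done
```

On a real distro, run wsl_conf_check /etc/wsl.conf and mount_is_ro /mnt/Users/USERNAME/Downloads (with no second argument) after the relaunch; both should succeed, and mount_is_ro /mnt/c should fail because the drive is no longer mounted at all. Mount points that themselves contain spaces appear in /proc/mounts with \040 escapes, so pass them in that escaped form.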

More Information on wsl.conf

Full details on the wsl.conf file can be found in Microsoft's documentation for wsl.conf.