WSL mounted file permissions

8

1

In my testing of WSL as a possible replacement for the git-for-windows bash and quasi-unix work environment, I have set up a symlink within WSL for my /home/me/.ssh/ directory to the corresponding /mnt/c/users/me/.ssh/ directory. Not too surprisingly (since ssh is strict on dir/file permissions), this does not work:

me@d2book:~$ ssh myth
Bad owner or permissions on /home/me/.ssh/config

me@d2book:~$ ll -d .ssh .ssh/config
lrwxrwxrwx 1 me   me     20 Oct 16 13:12 .ssh -> /mnt/c/Users/me/.ssh/
-rwxrwxrwx 1 root root 6335 Dec  5 07:47 .ssh/config*

I might create the files in linux and then find a way to link from windows into the linux filesystem (%localappdata%/lxss/...), but they recommend strongly against using windows tools to edit linux files (ref: https://blogs.msdn.microsoft.com/commandline/2016/11/17/do-not-change-linux-files-using-windows-apps-and-tools/), so whenever I need to tweak something, I must jump into WSL. (If nothing else, this might be the preferred compromise, but ...)

I can always maintain two distinct directories (each local to own system), but I'd prefer to share them. Bigger picture, though, is how to modify the windows security permissions in order to mimic enough linux filesystem properties such that WSL sees our end-desired permissions.

The current permissions on the WIN/.../.ssh/config files are: SYSTEM, me, and Administrators all have full-control. When I want to change SYSTEM, it warns me about inheriting permissions and such. I know that windows dir/file permissions are different in many ways, but ultimate ...

Q: is there an easy security posture for windows files/dirs such that WSL sees them as user-only (owner) access? (analogous to a umask of 0077). More generically, is there a recipe for mapping at least some similarity between the ugo unix-y assignments and Windows file security?

r2evans

Posted 2017-12-10T21:22:41.100

Reputation: 324

chmod in bash and attrib in command prompt. – Biswapriyo – 2017-12-11T07:57:17.910

chmod -x somefile within WSL on a windows-drive file does not work, and even complains. Are you able to get different results on your computer, @Biswa? There is no combination of the eight attributes within attrib that produce something other than rwxrwxrwx or r-xr-xr-x on a WSL file, or modify unix-like perms on files on the win-drive. – r2evans – 2018-01-03T00:19:35.033

Answers

9

This part of WSL is much better in the latest insider builds (i.e., the next Windows 10 release). Since build 17063 WSL stores the Linux metadata, so chmod etc. on shared files "just works" without changing the ACLs on the Windows side. I'm now mounting my home directory from my user profile just as you suggest you'd like to, and SSH works fine.

Here's my setup:

$ cat /etc/wsl.conf
[automount]
enabled=true
options=metadata,uid=1000,gid=1000,umask=022
$ mount | grep /mnt
C: on /mnt/c type drvfs (rw,noatime,uid=1000,gid=1000,umask=22,metadata)
$ echo $HOME
/mnt/c/Users/me
$ ls -ld /home
lrwxrwxrwx 1 root root 11 Jan 11 16:15 /home -> mnt/c/Users
$ ls -ld ~/.ssh
drwxr-xr-x 1 me me 4096 Feb 27 11:44 /mnt/c/Users/me/.ssh
$ ls -ld ~/.ssh/authorized_keys
-rw-r--r-- 1 me me 745 Feb 27 11:44 /mnt/c/Users/me/.ssh/authorized_keys
$ ls -ld ~/.ssh/config
lrwxrwxrwx 1 me me 29 Oct  6 14:14 /mnt/c/Users/me/.ssh/config -> ../share/dotfiles/.ssh/config
$ ls -l ~/share/dotfiles/.ssh/config
-rwxr-xr-x 1 me me 741 Feb 26 21:23 /mnt/c/Users/me/share/dotfiles/.ssh/config

ab.

Posted 2017-12-10T21:22:41.100

Reputation: 456

That's somewhat reassuring, even if I don't have that build yet (insider?). Something to look forward to. Thanks! (I'll hold off on accepting this until I play with it in person (in March, I think).) – r2evans – 2018-02-16T04:42:15.533

Yes, you can get it in a current insider build, or wait for the next release. – ab. – 2018-02-16T17:43:20.870

Hey @ab., can you clarify exactly what you did? I'm on Insiders but I just can't get SSH permissions to work. I'm only trying to symlink the files though, not mounting the whole home directory. Still, can you give instructions on what you did? – rfgamaral – 2018-03-10T20:27:43.017

@RicardoAmaral I think the key points are make sure you have the "metadata" option enabled on the drvfs mountpoint (/etc/wsl.conf can help with that), either symlink /home or change passwd so ~ is on /mnt/c, and then symlinks and permissions stick as you'd expect. – ab. – 2018-03-12T03:27:28.107

Can't find /etc/wsl.conf on my WSL. – Basil A – 2018-05-19T10:17:25.640

See https://docs.microsoft.com/en-us/windows/wsl/wsl-config#set-wsl-launch-settings -- you'll just need to create it. – ab. – 2018-05-23T23:20:43.700

Win10 1803 supports this, thanks for the pointer. Now if I can just get KeeAgent to work with WSL ssh (without a helper program like socat or msysgit2unix-socket.py). – r2evans – 2018-06-04T05:55:10.167
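
The shell functions below are an added example, not code from the question or the answer: they check a `mount` line for the drvfs `metadata` option and apply permission tests modelled on OpenSSH's (owner is the caller or root; no bits from mask 022 on `config`, none from 077 on private keys). The function names and the `id_*` key naming are assumptions, and GNU `stat` is assumed, as in WSL distributions.

```shell
#!/bin/sh
# Added example: audit an ~/.ssh directory that lives on a WSL drvfs mount.
# Assumes GNU stat (as in WSL distributions); function names are illustrative.

# drvfs_has_metadata LINE: succeed if a `mount` output line such as
# "C: on /mnt/c type drvfs (rw,noatime,...,metadata)" lists "metadata".
drvfs_has_metadata() {
    opts=${1##*\(}        # text after the last "("
    opts=${opts%%\)*}     # text before the closing ")"
    case ",$opts," in
        *,metadata,*) return 0 ;;
        *)            return 1 ;;
    esac
}

# perm_ok PATH MASK: modelled on OpenSSH's checks. The owner must be the
# caller or root, and no permission bit in the octal MASK may be set.
# Returns 0 = acceptable, 1 = would be rejected, 2 = cannot stat.
perm_ok() {
    info=$(stat -L -c '%a %u' "$1") || return 2   # -L: follow symlinks
    mode=${info% *}
    owner=${info#* }
    [ "$owner" -eq 0 ] || [ "$owner" -eq "$(id -u)" ] || return 1
    [ $(( 0$mode & 0$2 )) -eq 0 ]
}

# audit_ssh_dir DIR: print every file that fails; return 1 if any did.
# Mask 022 for config (no group/other write), 077 for private keys
# (owner-only). Keys are assumed to be named id_* (assumption).
audit_ssh_dir() {
    rc=0
    for f in "$1"/config "$1"/id_*; do
        [ -f "$f" ] || continue
        case $f in
            *.pub)    continue ;;
            */config) mask=022 ;;
            *)        mask=077 ;;
        esac
        perm_ok "$f" "$mask" || { echo "FAIL mask=$mask $f"; rc=1; }
    done
    return "$rc"
}
```

Inside WSL, source the file, pass the `/mnt/c` line from `mount` to `drvfs_has_metadata`, then run `audit_ssh_dir ~/.ssh`. A `-rwxrwxrwx` config like the one in the question fails the 022 test even though root ownership alone would be accepted.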