WSL mounted file permissions
In my testing of WSL as a possible replacement for the git-for-windows bash and quasi-unix work environment, I have set up a symlink within WSL for my /home/me/.ssh/
directory to the corresponding /mnt/c/users/me/.ssh/
direcory. Not too surprisingly (since ssh
is strict on dir/file permissions), this does not work:
me@d2book:~$ ssh myth
Bad owner or permissions on /home/me/.ssh/config
me@d2book:~$ ll -d .ssh .ssh/config
lrwxrwxrwx 1 me me 20 Oct 16 13:12 .ssh -> /mnt/c/Users/me/.ssh/
-rwxrwxrwx 1 root root 6335 Dec 5 07:47 .ssh/config*
I might create the files in linux and then find a way to link from windows into the linux filesystem (%localappdata%/lxss/...
), but they recommend strongly against using windows tools to edit linux files (ref: https://blogs.msdn.microsoft.com/commandline/2016/11/17/do-not-change-linux-files-using-windows-apps-and-tools/), so whenever I need to tweak something, I must jump into WSL. (If nothing else, this might be the preferred compromise, but ...)
I can always maintain two distinct directories (each local to own system), but I'd prefer to share them. Bigger picture, though, is how to modify the windows security permissions in order to mimic enough linux filesystem properties such that WSL sees our end-desired permissions.
The current permissions on the WIN/.../.ssh/config
files are: SYSTEM, me, and Administrators all have full-control. When I want to change SYSTEM, it warns me about inheriting permissions and such. I know that windows dir/file permissions are different in many ways, but ultimate ...
Q: is there an easy security posture for windows files/dirs such that WSL sees them as user-only (owner) access? (analogous to a umask of 0077
). More generically, is there a a recipe for mapping at least some similarity between the ugo
unix-y assignments and Windows file security?
Solution 1:
This part of WSL is much better in the latest insider builds (i.e., the next Windows 10 release). Since build 17063 WSL stores the Linux metadata, so chmod etc. on shared files "just works" without changing the ACLs on the Windows side. I'm now mounting my home directory from my user profile just as you suggest you'd like to, and SSH works fine.
Here's my setup:
$ cat /etc/wsl.conf
[automount]
enabled=true
options=metadata,uid=1000,gid=1000,umask=022
$ mount | grep /mnt
C: on /mnt/c type drvfs (rw,noatime,uid=1000,gid=1000,umask=22,metadata)
$ echo $HOME
/mnt/c/Users/me
$ ls -ld /home
lrwxrwxrwx 1 root root 11 Jan 11 16:15 /home -> mnt/c/Users
$ ls -ld ~/.ssh
drwxr-xr-x 1 me me 4096 Feb 27 11:44 /mnt/c/Users/me/.ssh
$ ls -ld ~/.ssh/authorized_keys
-rw-r--r-- 1 me me 745 Feb 27 11:44 /mnt/c/Users/me/.ssh/authorized_keys
$ ls -ld ~/.ssh/config
lrwxrwxrwx 1 me me 29 Oct 6 14:14 /mnt/c/Users/me/.ssh/config -> ../share/dotfiles/.ssh/config
$ ls -l ~/share/dotfiles/.ssh/config
-rwxr-xr-x 1 me me 741 Feb 26 21:23 /mnt/c/Users/me/share/dotfiles/.ssh/config