6

I would like to set up WSL (Ubuntu) in such a way that the root user in WSL doesn't have access to all the drives in Windows. Ideally they're able to do everything within the Linux world, but aren't able to mount the c: or any other drives. They should, of course, have access to the Linux root folder and everything else therein (wherever that is mounted in Windows).

WSL by default mounts all drives on /mnt/c etc. at startup. I can of course create a task to unmount these. But I don't think that's enough since root can mount them again of course. So it seems this would have to be some sort of Windows solution. I can create a restricted account in Ubuntu or put the user in a chroot jail, but that's not what I am looking for.

ste_kwr
  • 161

1 Answer

5

Completely turning off the ability for root to get access to the Windows drives might be a bit tough. WSL really is designed for Windows/Linux interop.

The mechanism for disabling automounting and interop is through the /etc/wsl.conf file, but, of course, someone with root access to the WSL instance can still edit that and undo your changes. That said, I'd definitely start with a /etc/wsl.conf that includes:

[automount]
enabled=false

[interop]
enabled=false
appendWindowsPath=false

Disabling interop will be important for preventing a root user from calling the wsl.exe command from inside WSL. That at least prevents the root user from being able to "restart" the WSL instance.

However, even with automounting turned off, if I recall correctly, the Windows drives can still be manually mounted since that functionality is provided by the WSL /init.

Ultimately I do believe you'll have to create a chroot jail. However, you can launch WSL directly into this jail with something like:

wsl -u root -e sh -c "cd /newroot; exec /usr/sbin/chroot /newroot/ su - username"

... and the user shouldn't be able to escape it. It's been a while since I tried it out, but I had it working for this answer for a different purpose. Note that that particular answer also has the chroot setup instructions.

NotTheDr01ds
  • 28,025
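As an added example (not part of the answer above, and not code from the WSL project), the following POSIX-sh script parses a wsl.conf-style file and audits it for the three settings the answer recommends. It assumes the WSL defaults apply when a key is absent (automount and interop enabled, Windows PATH appended), so a missing key is reported as a failure. Both sample configs are constructed here; `wslconf_get`, `wslconf_audit` and the `write_*_conf` helpers are names chosen for this example. Like the answer says, this only reports the state of the file; a root user inside the instance can still edit it.

```shell
#!/bin/sh
# Added example: audit a wsl.conf file for the hardening the answer suggests.
# wslconf_get FILE SECTION KEY -> prints the value, or nothing if unset.
# Understands [section] headers, "key = value" with spaces, and '#'/';' comments.
wslconf_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        # drop trailing comments, then trim surrounding whitespace
        { sub(/[#;].*$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); next }
        $0 == "" { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (sec == want_sec && key == want_key) { print val; exit }
        }' "$1"
}

# wslconf_audit FILE -> prints PASS/FAIL per check; returns 0 only if all pass.
# Assumption: WSL treats an absent key as the permissive default (true).
wslconf_audit() {
    f="$1"; rc=0
    for spec in "automount enabled false" \
                "interop enabled false" \
                "interop appendWindowsPath false"; do
        set -- $spec                      # $1=section $2=key $3=wanted value
        val=$(wslconf_get "$f" "$1" "$2")
        [ -z "$val" ] && val="<default:true>"
        if [ "$val" = "$3" ]; then
            printf 'PASS %s.%s=%s\n' "$1" "$2" "$val"
        else
            printf 'FAIL %s.%s=%s (want %s)\n' "$1" "$2" "$val" "$3"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: a typical permissive wsl.conf (automount on, interop on,
# appendWindowsPath not set so the default applies).
write_default_conf() {
    cat >"$1" <<'EOF'
# constructed example, not a real machine's config
[automount]
enabled = true   ; drives appear under /mnt
root = /mnt/

[interop]
enabled=true
EOF
}

# Constructed sample: the hardened wsl.conf from the answer.
write_hardened_conf() {
    cat >"$1" <<'EOF'
[automount]
enabled=false

[interop]
enabled=false
appendWindowsPath=false
EOF
}

tmp=$(mktemp -d)
write_default_conf "$tmp/default.conf"
write_hardened_conf "$tmp/hardened.conf"
echo "== constructed permissive wsl.conf =="
wslconf_audit "$tmp/default.conf" || echo "(not hardened)"
echo "== hardened wsl.conf from the answer =="
wslconf_audit "$tmp/hardened.conf" && echo "(all checks passed)"
rm -rf "$tmp"
```

Run it with `sh audit-wslconf.sh`; to check a live instance, call `wslconf_audit /etc/wsl.conf` from inside WSL instead of the constructed files. The awk parser is deliberately strict about the "section + key" pair, so an `enabled=false` line under the wrong header is not mistaken for the automount setting.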