Can we disable o+w on the mount from wsl.conf?

[ssbarnea]

One major problem that we have with using WSL is that we have some software (Ansible at least) that refuses to load config files that are insecure (world-writable), that being a security measure and not a bug. I even recently added a fail-fast check on my test suite to prevent running if the filesystem has this problem as we wasted too much time trying to debug why some tests were failing.

If you do a ls -la /mnt/c your discover that it lists o+w on all files and running chmod o-w does not remove the dangerous flag.

Now, we are forced to basically we are forced to copy the source-code to a safe-drive and reset the file permissions, especially as the actions/checkout is not able to perform a checkout outside its hardcoded GITHUB_WORKSPACE.

I seen that you do write a wsl.conf file, and there is some documentation about file permissions on https://docs.microsoft.com/en-us/windows/wsl/file-permissions but I am still not sure which settings we need to drop into it to make it avoid exposing the "o+w".

Update

Based on https://github.com/MicrosoftDocs/WSL/blob/main/WSL/wsl-config.md i would believe that we need to add "options umask=007,metadata=enabled,case=force". I am going to test this manually on my machine to see which combination is the right one.

I will likely answer my own question soon but raised it here so others can find it.

[Vampire]

Maybe the requestor of the wsl.conf feature had similar requirements.
You can find his feature request at #7, maybe the settings he demonstrated are what you need?

[ssbarnea]

Already got it working. I am going to post the answer in few minutes, still waiting for the CI to finish.

[ssbarnea]

Sorted via:

# /etc/wsl.conf
[automount]
enabled = true
root = /
options = "metadata,umask=077"
[interop]
enabled = false
appendWindowsPath = false

Mode details at https://github.com/ansible/devtools/wiki/permissions