Join Log in
Score:3
Ommm avatar Ubuntu

Is it too easy to access root in Ubuntu on WSL?

de flag
Ommm

I forgot my Ubuntu user's password in WSL, but I was able to reset it by:

  • Opening a CMD shell
  • wsl -u root, then (inside Ubuntu), passwd my_username

I was able to change my password without providing my old password. It worked, but isn't this a vulnerability in terms of security? I am actually new in Linux/Unix, so this question came to mind ...

4593
1 + 0
Score:6
NotTheDr01ds avatar Ubuntu
vn flag
NotTheDr01ds

It's a good question -- Regardless of how new or experienced you are, assessing the security of your system is a valuable exercise, IMHO.

I've personally thought many times about this (and slightly different forms of this) particular question myself, but I haven't yet found a clear attack vector for which this capability could be exploited.

There are several things to keep in mind here:

  • Your WSL instance runs with your Windows user's permissions.

    Even when you are running as root inside Ubuntu, you cannot make changes to any file in Windows that your normal Windows user wouldn't be able to. For instance:

    • You can delete or modify files in /mnt/c/<your_Windows_user>/Documents through WSL (as either root or your normal user)
    • You cannot modify system files or executables like /mnt/c/Windows/gdi32.dll, since you wouldn't be able to do that even through File Explorer unless you ran in an Administrative session (don't do that!).

    Again, this is no different than what your normal Windows user can (and can't) do already.

  • Your Windows user has complete control over Ubuntu in WSL (and any other distribution).

    This is similar to how things would work with a VM or any container technology. Since you are the Windows user who is running WSL, you already have the ability to:

    • Install a new Ubuntu instance in WSL, set a username, etc.
    • Delete the Ubuntu instance via the wsl --unregister command (don't do this!)
    • Have complete access to the virtual drive (.vhdx), could copy it to another machine, examine it, modify it, etc.
    • And, as you've discovered, change the password for a user by running as root (with no password needed).

    Because you are the Windows user who is running WSL, you already can do anything you want with it. There's simply no reason for WSL to require you to "log in" with a password to Ubuntu.

    There are other similar scenarios that exist even within "pure Ubuntu" -- Running a Docker or Podman (or other) container gives you complete control over that container. You can create users inside that container, create or delete files, etc. You don't need a password when you start an Ubuntu Docker container as root inside Docker (et. al.); just like you don't need a password when you start Ubuntu as root on WSL.

The reality is that, if an attacker gains enough access to your system to run arbitrary code as your Windows user, they've already "won", regardless of whether or not they get access to Ubuntu running inside it. Forcing you to use a password to "login" to Ubuntu in WSL (whether as root or another user) wouldn't add any additional defenses in this scenario.

+ 4
user535733 avatar
cn flag
user535733
+1 An excellent answer.
0
Reply
Cagri avatar
cn flag
Cagri
also, you can use disk encryption, if you're worried about this happening. don't think it would work with WSL, but same "attack" can be used on windows too, if you have access to the disk, your password can be reset and all files can be read. unless, there's disk **encryption**. then you must have the password
0
Reply
me flag
pabouk
There is another problem: WSL is vulnerable to code running inside WSL! By default you can run `wsl.exe -u root` from within WSL.
0
Reply
NotTheDr01ds avatar
vn flag
NotTheDr01ds
@pabouk-Ukrainestaystrong Right - When I say that I've thought about *"slightly different forms of this particular question"*, that's one of the scenarios to which I'm referring. Yes, you can run `wsl.exe -u root` from inside WSL to elevate privileges, but how does that change the attack vector? If the attacker has access to the Host, they have access to the Client, but not necessarily vice-versa. Running as `root` in WSL still does not elevate *Windows* privileges.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.