WSL 的文件权限File Permissions for WSL

本页详细说明了 Linux 文件权限在适用于 Linux 的 Windows 子系统上是如何解释的,尤其是在访问 NT 文件系统上 Windows 内部的资源时。This page details how Linux file permissions are interpreted across the Windows Subsystem for Linux, especially when accessing resources inside of Windows on the NT file system. 本文档假定读者基本了解 Linux 文件系统权限结构umask 命令This documentation assumes a basic understanding of the Linux file system permissions structure and the umask command.

从 WSL 访问 Windows 文件时,文件权限是根据 Windows 权限计算的,或者是从已由 WSL 添加到文件的元数据中读取的。When accessing Windows files from WSL the file permissions are either calculated from Windows permissions, or are read from metadata that has been added to the file by WSL. 默认情况下,此元数据处于未启用状态。This metadata is not enabled by default.

Windows 文件上的 WSL 元数据WSL metadata on Windows files

如果在 WSL 中以装载选项的形式启用了元数据,则可以在 Windows NT 文件上添加扩展属性并对其进行解释,从而提供 Linux 文件系统权限。When metadata is enabled as a mount option in WSL, extended attributes on Windows NT files can be added and interpreted to supply Linux file system permissions.

WSL 可以添加四个 NTFS 扩展属性:WSL can add four NTFS extended attributes:

属性名称Attribute Name 说明Description
$LXUID$LXUID 用户所有者 IDUser Owner ID
$LXGID$LXGID 组所有者 IDGroup Owner ID
$LXMOD$LXMOD 文件模式(文件系统权限八进制数字和类型,例如:0777)File mode (File systems permission octals and type, e.g: 0777)
$LXDEV$LXDEV 设备(如果它是设备文件)Device, if it is a device file

此外,任何并非常规文件或目录的文件(例如:符号链接、FIFO、块设备、unix 套接字和字符设备)也有 NTFS 重新分析点Additionally, any file that is not a regular file or directory (e.g: symlinks, FIFOs, block devices, unix sockets, and character devices) also have an NTFS reparse point. 这样一来,就能够以快得多的速度确定给定目录中的文件类型,而不必查询其扩展属性。This makes it much faster to determine the kind of file in a given directory without having to query its extended attributes.

文件访问方案File Access Scenarios

下面介绍了在使用适用于 Linux 的 Windows 子系统以不同的方式访问文件时,权限是如何确定的。Below is a description of how permissions are determined when accessing files in different ways using the Windows Subsystem for Linux.

从 Linux 访问 Windows 驱动器文件系统 (DrvFS) 中的文件Accessing Files in the Windows drive file system (DrvFS) from Linux

在从 WSL 访问 Windows 文件(最有可能是通过 /mnt/c)时,会出现这些情况。These scenarios occur when you are accessing your Windows files from WSL, most likely via /mnt/c.

从现有 Windows 文件读取文件权限Reading file permissions from an existing Windows file

结果取决于文件是否已具有现有元数据。The result depends on if the file already has existing metadata.

DrvFS 文件没有元数据(默认)DrvFS file does not have metadata (default)

如果文件没有关联的元数据,则我们会将 Windows 用户的有效权限转换为读取/写入/执行位,并将其设置为对用户、组和其他用户而言相同的值。If the file has no metadata associated with it then we translate the effective permissions of the Windows user to read/write/execute bits and set them to the this as the same value for user, group, and other. 例如,如果你的 Windows 用户帐户具有对该文件的读取和执行访问权限,但不具有对该文件的写入访问权限,则该帐户将对用户、组和其他对象显示为 r-xFor example, if your Windows user account has read and execute access but not write access to the file then this will be shown as r-x for user, group and other. 如果该文件在 Windows 中设有“只读”属性,则我们不会在 Linux 中授予写入权限。If the file has the 'Read Only' attribute set in Windows then we do not grant write access in Linux.

文件有元数据The file has metadata

如果文件的元数据存在,则只需使用这些元数据值,而不是转换 Windows 用户的有效权限。If the file has metadata present, we simply use those metadata values instead of translating effective permissions of the Windows user.

使用 chmod 更改现有 Windows 文件的文件权限Changing file permissions on an existing Windows file using chmod

结果取决于文件是否已具有现有元数据。The result depends on if the file already has existing metadata.

chmod 文件没有元数据(默认)chmod file does not have metadata (default)

Chmod 只有一种效果,如果删除文件的所有写入属性,则会设置 Windows 文件上的“只读”属性,因为这是与 CIFS(通用 Internet 文件系统)相同的行为。CIFS 是 Linux 中的 SMB(服务器消息块)客户端。Chmod will only have one effect, if you remove all the write attributes of a file then the 'read only' attribute on the Windows file will be set, since this is the same behaviour as CIFS (Common Internet File System) which is the SMB (Server Message Block) client in Linux.

chmod 文件有元数据chmod file has metadata

Chmod 将根据文件已有的现有元数据更改或添加元数据。Chmod will change or add metadata depending on the file's already existing metadata.

请记住,你为自己授予的访问权限不能多于你在 Windows 上具有的访问权限,即使元数据显示的情况与此相反,也是如此。Please keep in mind that you cannot give yourself more access than what you have on Windows, even if the metadata says that is the case. 例如,你可以使用 chmod 777 将元数据设置为显示你对文件具有写入权限,但如果你尝试访问该文件,则你仍无法写入到该文件。For example, you could set the metadata to display that you have write permissions to a file using chmod 777, but if you tried to access that file you would still not be able to write to it. 这是由于互操作性而导致的,因为对 Windows 文件的任何读取或写入命令均通过 Windows 用户权限进行路由。This is thanks to interopability, as any read or write commands to Windows files are routed through your Windows user permissions.

在 DriveFS 中创建文件Creating a file in DriveFS

结果取决于是否启用了元数据。The result depends on if metadata is enabled.

元数据未启用(默认)Metadata is not enabled (default)

新创建的文件的 Windows 权限将与你在未使用特定安全描述符的情况下在 Windows 中创建的文件相同,它将继承父级的权限。The Windows permissions of the newly created file will be the same as if you created the file in Windows without a specific security descriptor, it will inherit the parent's permissions.

元数据已启用Metadata is enabled

文件的权限位设置为遵循 Linux umask,文件将随元数据一起保存。The file's permission bits are set to follow the Linux umask, and the file will be saved with metadata.

哪个 Linux 用户和 Linux 组拥有该文件?Which Linux user and Linux group owns the file?

结果取决于文件是否已具有现有元数据。The result depends on if the file already has existing metadata.

用户文件没有元数据(默认)User file does not have metadata (default)

在默认情况下,当自动装载 Windows 驱动器时,我们指定任何文件的用户 ID (UID) 将设置为 WSL 用户的用户 ID,并且组 ID (GID) 将设置为 WSL 用户的主体组 ID。In the default scenario, when automounting Windows drives, we specify that the user ID (UID) for any file is set to the user ID of your WSL user and the group ID (GID) is set to the principal group ID of your WSL user.

用户文件有元数据User file has metadata

在元数据中指定的 UID 和 GID 将应用为该文件的用户所有者和组所有者。The UID and GID specified in the metadata is applied as the user owner and group owner of the file.

使用 \\wsl$ 从 Windows 访问 Linux 文件Accessing Linux files from Windows using \\wsl$

通过 \\wsl$ 访问 Linux 文件时将使用 WSL 分发版的默认用户。Accessing Linux files via \\wsl$ will use the default user of your WSL distribution. 因此,任何访问 Linux 文件的 Windows 应用都具有与默认用户相同的权限。Therefore any Windows app accessing Linux files will have the same permissions as the default user.

创建新文件Creating a new file

从 Windows 向 WSL 分发版内部创建新文件时,将应用默认 umask。The default umask is applied when creating a new file inside of a WSL distribution from Windows. 默认的 umask 是 022,也就是说,它允许除了组和其他用户的写入权限以外的所有权限。The default umask is 022, or in other words it allows all permissions except write permissions to groups and others.

从 Linux 访问 Linux 根文件系统中的文件Accessing files in the Linux root file system from Linux

在 Linux 根文件系统中创建、修改或访问的任何文件都遵循标准 Linux 约定,例如将 umask 应用到新创建的文件。Any files created, modified, or accessed in the Linux root file system follow standard Linux conventions, such as applying the umask to a newly created file.

配置文件权限Configuring file permissions

可以使用 wsl.conf 中的装载选项在 Windows 驱动器内配置文件权限。You can configure your file permissions inside of your Windows drives using the mount options in wsl.conf. 装载选项允许你设置 umaskdmaskfmask 权限掩码。The mount options allow you to set umask, dmask and fmask permissions masks. umask 应用于所有文件,dmask 只应用于目录,而 fmask 只应用于文件。The umask is applied to all files, the dmask is applied just to directories and the fmask is applied just to files. 这些权限掩码在应用到文件时会通过一个“逻辑或”操作进行计算,例如:如果 umask 值为 023 并且 fmask 值为 022,则为文件生成的权限掩码将为 023These permission masks are then put through a logical OR operation when being applied to files, e.g: If you have a umask value of 023 and an fmask value of 022 then the resulting permissions mask for files will be 023.

有关如何执行此操作的说明,请参阅使用 wslconf 配置按分发版启动设置一文。Please see the Configure per distro launch settings with wslconf article for instructions on how to do this.