File Permissions for WSL

This page details how Linux file permissions are interpreted across the Windows Subsystem for Linux, especially when accessing resources inside of Windows on the NT file system. This documentation assumes a basic understanding of the Linux file system permissions structure and the umask command.

When accessing Windows files from WSL, the file permissions are either calculated from Windows permissions or read from metadata that has been added to the file by WSL. This metadata is not enabled by default.

WSL metadata on Windows files

When metadata is enabled as a mount option in WSL, extended attributes on Windows NT files can be added and interpreted to supply Linux file system permissions.

WSL can add four NTFS extended attributes:

Attribute Name   Description
$LXUID           User Owner ID
$LXGID           Group Owner ID
$LXMOD           File mode (file system permission octals and type, e.g. 0777)
$LXDEV           Device, if it is a device file

Additionally, any file that is not a regular file or directory (e.g. symlinks, FIFOs, block devices, unix sockets, and character devices) also has an NTFS reparse point. This makes it much faster to determine the kind of file in a given directory without having to query its extended attributes.

File Access Scenarios

Below is a description of how permissions are determined when accessing files in different ways using the Windows Subsystem for Linux.

Accessing files in the Windows drive file system (DrvFS) from Linux

These scenarios occur when you are accessing your Windows files from WSL, most likely via /mnt/c.

Reading file permissions from an existing Windows file

The result depends on whether the file already has existing metadata.

DrvFS file does not have metadata (default)

If the file has no metadata associated with it, then we translate the effective permissions of the Windows user to read/write/execute bits and set the same value for user, group, and other. For example, if your Windows user account has read and execute access but not write access to the file, then this will be shown as r-x for user, group and other. If the file has the 'Read Only' attribute set in Windows, then we do not grant write access in Linux.

The file has metadata

If the file has metadata present, we simply use those metadata values instead of translating the effective permissions of the Windows user.

Changing file permissions on an existing Windows file using chmod

The result depends on whether the file already has existing metadata.

chmod file does not have metadata (default)

chmod will only have one effect: if you remove all the write bits of a file, then the 'Read Only' attribute on the Windows file will be set, since this is the same behaviour as CIFS (Common Internet File System), which is the SMB (Server Message Block) client in Linux.

chmod file has metadata

chmod will change or add metadata depending on the file's already existing metadata.

Please keep in mind that you cannot give yourself more access than what you have on Windows, even if the metadata says that is the case. For example, you could set the metadata to display that you have write permissions to a file using chmod 777, but if you tried to access that file you would still not be able to write to it. This is thanks to interoperability, as any read or write commands to Windows files are routed through your Windows user permissions.

Creating a file in DrvFS

The result depends on whether metadata is enabled.

Metadata is not enabled (default)

The Windows permissions of the newly created file will be the same as if you created the file in Windows without a specific security descriptor: it will inherit the parent's permissions.

Metadata is enabled

The file's permission bits are set to follow the Linux umask, and the file will be saved with metadata.

Which Linux user and Linux group owns the file?

The result depends on whether the file already has existing metadata.

User file does not have metadata (default)

In the default scenario, when automounting Windows drives, we specify that the user ID (UID) for any file is set to the user ID of your WSL user and the group ID (GID) is set to the principal group ID of your WSL user.

User file has metadata

The UID and GID specified in the metadata are applied as the user owner and group owner of the file.

Accessing Linux files from Windows using \\wsl$

Accessing Linux files via \\wsl$ will use the default user of your WSL distribution. Therefore any Windows app accessing Linux files will have the same permissions as the default user.

Creating a new file

The default umask is applied when creating a new file inside of a WSL distribution from Windows. The default umask is 022; in other words, it allows all permissions except write permissions for group and others.

Accessing files in the Linux root file system from Linux

Any files created, modified, or accessed in the Linux root file system follow standard Linux conventions, such as applying the umask to a newly created file.

Configuring file permissions

You can configure your file permissions inside of your Windows drives using the mount options in wsl.conf. The mount options allow you to set umask, dmask and fmask permission masks. The umask is applied to all files, the dmask is applied just to directories and the fmask is applied just to files. These permission masks are then put through a logical OR operation when being applied to files, e.g. if you have a umask value of 023 and an fmask value of 022, then the resulting permissions mask for files will be 023.

Please see the Configure per distro launch settings with wsl.conf article for instructions on how to do this.
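The mask arithmetic above, worked through as an added example (not code from this page or from WSL itself): a POSIX shell script that ORs the umask with fmask or dmask the way the text describes and shows the mode a new file or directory ends up with. The helper names are my own, and the 0666/0777 creation bases are the usual Linux creation modes the umask is applied to.

```shell
#!/bin/sh
# Added example (not from the WSL docs): how the DrvFS mount masks combine
# and what mode a newly created file or directory ends up with.
# Helper names (oct2dec, effective_mask, new_mode, mode_str) are my own.
#
# The masks are set in /etc/wsl.conf, e.g. (values are octal, no leading 0):
#   [automount]
#   options = "metadata,umask=22,fmask=11"

# Convert an octal string such as "023" to a decimal integer.
oct2dec() { printf '%d' "0$1"; }

# DrvFS ORs the umask with the type-specific mask: fmask for files,
# dmask for directories. Prints the combined mask as three octal digits.
effective_mask() { # $1 = umask, $2 = fmask or dmask
    printf '%03o' "$(( $(oct2dec "$1") | $(oct2dec "$2") ))"
}

# Mode of a new object: the usual creation base (0666 for files, 0777 for
# directories) with every bit of the effective mask cleared.
new_mode() { # $1 = "file" or "dir", $2 = umask, $3 = fmask or dmask
    if [ "$1" = "dir" ]; then base=511; else base=438; fi   # 0777 / 0666
    printf '%03o' "$(( base & ~$(oct2dec "$(effective_mask "$2" "$3")") ))"
}

# Render a three-digit octal mode the way ls shows it, e.g. 754 -> rwxr-xr--.
mode_str() {
    m=$(oct2dec "$1"); s=''
    for pos in 6 3 0; do
        d=$(( (m >> pos) & 7 ))
        if [ $(( d & 4 )) -ne 0 ]; then s="${s}r"; else s="${s}-"; fi
        if [ $(( d & 2 )) -ne 0 ]; then s="${s}w"; else s="${s}-"; fi
        if [ $(( d & 1 )) -ne 0 ]; then s="${s}x"; else s="${s}-"; fi
    done
    printf '%s' "$s"
}

# The page's example: umask 023 with fmask 022 gives 023 for files, so a new
# file is 0644 (rw-r--r--); with no dmask a new directory is 0754 (rwxr-xr--).
printf 'file mask: %s\n' "$(effective_mask 023 022)"
printf 'new file : %s (%s)\n' "$(new_mode file 023 022)" "$(mode_str "$(new_mode file 023 022)")"
printf 'new dir  : %s (%s)\n' "$(new_mode dir 023 000)" "$(mode_str "$(new_mode dir 023 000)")"
```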