wsldl-pg / CentWSL

[DISCONTINUED] CentOS based WSL distribution
MIT License

Is it possible to disable root user completely? #63

Open nycoe opened 3 years ago

nycoe commented 3 years ago

Hi,

Thank you for making CentOS available on WSL. It is working great and fits well in my environment. I'm running the latest version 7 converted to WSL2 in Windows 10.

I had one question that I've not been able to resolve. I need to set up WSL on behalf of various users, and it needs to be locked down such that a non-root user is all they're able to run under wsl.

I've created two users: admin and regular. I've given sudo access to the admin account. This is working fine. I've set the default user to "regular" in /etc/wsl.conf. When a Windows user runs wsl they now get "regular", which is a good start. But they can also run wsl.exe -u root, so to counter that, I've set /sbin/nologin as the root shell. This works to stop wsl.exe -u root, but it doesn't stop wsl.exe -u root -e bash.

So here's where I'm stuck. I can't find information on how wsl gets a shell. I see that when I'm in as root using wsl -u root -e bash that my process tree shows that init is the parent of bash, and I just get a standard pty/X as my TTY.

I tried to set up pam_securetty to prohibit access to root from anything but devices listed in an empty /etc/securetty, but this didn't work; I'm still able to get a shell. I also tried pam_listfile to deny based on a list of users in a file, but no luck with that either. I've tried both of the PAM modules in every single pam.d setup file, as using the standard login/password-auth/system-auth files did not do the trick, and I didn't know exactly which PAM config it would use. At this point, I think that whatever WSL is using to get a shell is not PAM aware at all. Does anyone know?

So the end result should be: the default user is 'regular' and that's what the user will run; this user has no password and is not a sudoer. The admin account is a sudoer and has a password that the Windows user will not know. Only certain admins will know the password. While the regular Windows user can also run wsl -u admin, they won't be able to sudo, as sudo will prompt them for the admin user's password. Nobody should be able to run wsl.exe -u root -e bash.

Thank you in advance

yuk7 commented 3 years ago

WSL instances are containers and cannot use PAM etc. You can replace, rename, and hide files in the shell, but you can't prevent the root itself from running.
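
An added example, not part of the thread or of the CentWSL project: a shell audit, meant to run inside the distro, that checks the two settings described in the question (the default user in /etc/wsl.conf and root's login shell) and records the limit the thread describes. The function names and the sample files are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. Function names and sample files are assumptions, not project code.

# Print the "default" value from the [user] section of a wsl.conf-style file.
wsl_default_user() {
  awk '{ line = $0; gsub(/[ \t\r]/, "", line) }
       line ~ /^\[/ { sect = tolower(line); next }
       sect == "[user]" && tolower(line) ~ /^default=/ {
         sub(/^[^=]*=/, "", line); print line; exit }' "$1"
}

# Print one field of the named account's entry in a passwd-style file.
passwd_field() { awk -F: -v u="$1" -v f="$2" '$1 == u { print $f; exit }' "$3"; }
uid_of()      { passwd_field "$1" 3 "$2"; }
login_shell() { passwd_field "$1" 7 "$2"; }

# Report findings for the setup in the issue; exit status = number of findings.
audit_wsl_lockdown() {  # usage: audit_wsl_lockdown WSL_CONF PASSWD
  findings=0
  user=$(wsl_default_user "$1")
  uid=$(uid_of "$user" "$2")
  if [ -z "$user" ]; then
    echo "FAIL: no default user in [user] section of $1"; findings=$((findings + 1))
  elif [ -z "$uid" ] || [ "$uid" -eq 0 ]; then
    echo "FAIL: default user '$user' is missing or has UID 0"; findings=$((findings + 1))
  else
    echo "OK: default user is '$user' (uid $uid)"
  fi
  shell=$(login_shell root "$2")
  case $shell in
    */nologin|*/false) echo "OK: root login shell is $shell" ;;
    *) echo "WARN: root login shell is '${shell}'"; findings=$((findings + 1)) ;;
  esac
  echo "NOTE: the issue reports 'wsl.exe -u root -e bash' still works with both set"
  return "$findings"
}

# Constructed sample files mirroring the setup described in the issue.
make_sample() {
  printf '[user]\ndefault=regular\n' > "$1/wsl.conf"
  printf '%s\n' 'root:x:0:0:root:/root:/sbin/nologin' \
    'admin:x:1000:1000::/home/admin:/bin/bash' \
    'regular:x:1001:1001::/home/regular:/bin/bash' > "$1/passwd"
}

sample_dir=$(mktemp -d)
make_sample "$sample_dir"
audit_wsl_lockdown "$sample_dir/wsl.conf" "$sample_dir/passwd"
rm -rf "$sample_dir"
```

On a real instance, call `audit_wsl_lockdown /etc/wsl.conf /etc/passwd`; a clean result only confirms the default-session settings, not that root is unreachable.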