Why default WSL2 installation ignoring Linux permissions in filesystem?

[marcinpraczko]

This is really frustrated that default configuration in WSL ignoring linux permissions and everything become -rwxrwxrwx. Which connecting with docker build make all files with wrong permissions inside docker (huge risk from security point of view).
It took me a lot of time to understand that /etc/wsl.conf needs be modified with metadata to allow have proper linux permissions. Why this is not default? Goal of WSL is running Linux subsystem and file permissions are one the most important configuration when working with linux?

Any plans to make this enabled by default?

[junaiddeveloper786]

@marcinpraczko

💡 Why WSL2 Ignores Linux Permissions by Default (and What to Do About It)

You’re absolutely right — file permissions are a core part of Linux, and when working with Docker or development workflows, having everything default to -rwxrwxrwx is both insecure and frustrating.

⚙️ Why This Happens by Default

By default, WSL mounts the Windows filesystem (NTFS) under /mnt/c, /mnt/d, etc.

NTFS doesn’t store traditional Linux permissions (UID, GID, chmod bits). To avoid breaking compatibility, WSL just exposes files as full-access (777) so both Windows and Linux tools can use them.

The assumption was: most WSL users interact with their Windows files, not pure Linux development, so Microsoft chose usability over strict POSIX correctness.

🛠️ How to Enable Real Permissions

As you discovered, you can enable metadata support by configuring /etc/wsl.conf:
[automount]
options = "metadata"

Then restart WSL with:
wsl --shutdown
wsl

Now, Linux-style permissions (chmod, chown, etc.) will persist on NTFS-mounted files.

🔒 Why It’s Not Default (Yet)

Compatibility & Stability: Many Windows apps break if strict permissions are applied (e.g., editors not able to write files).

Performance: Metadata emulation introduces overhead compared to the simple “everything is writable” mode.

User Base: A large portion of WSL users are beginners who might find strict permissions confusing.

📌 Current Status & Future Plans

There’s no official confirmation from Microsoft about making metadata the default.

However, advanced users are encouraged to enable it manually via wsl.conf.

For projects requiring strict permissions (like Docker builds), it’s considered a best practice to enable metadata from the start.

✅ In short:
WSL defaults to ignoring Linux permissions for compatibility and ease of use on Windows filesystems. If you need real Linux-like behavior, enable metadata in /etc/wsl.conf. While it’s unlikely to become the default soon (to avoid breaking users’ setups), it’s the recommended way for developers concerned with security and Docker workflows.

[marcinpraczko]

Thank you for this reply. I do understand that Microsoft is having its own goals and policies. However removing files permissions by default I am finding not right at all. Probably I do not have full picture how people are working and many of them are just running commands, however from my point of view this leads to very bad practice for all files created within WSL (tar, tar.gz, docker, podman, rsync over SSH). All of this by default increases risk related with wrong permissions.

Not sure how - however I think is more to add some welcome message for distros (/etc/issue) - or alternative which will display the most important links during starting WSL instance.

For example when one starts day and run (Ubuntu 24.04 in WSL) - one should see some major details and links to documentation how to make this work as expected.
Just suggestion.

One more time - thank you fro reply.