It's a good question -- Regardless of how new or experienced you are, assessing the security of your system is a valuable exercise, IMHO.
I've personally thought many times about this (and slightly different forms of this) particular question myself, but I haven't yet found a clear attack vector for which this capability could be exploited.
There are several things to keep in mind here:
Your WSL instance runs with your Windows user's permissions.
Even when you are running as `root` inside Ubuntu, you cannot make changes to any file in Windows that your normal Windows user wouldn't be able to. For instance:
- You can delete or modify files in `/mnt/c/<your_Windows_user>/Documents` through WSL (as either `root` or your normal user)
- You cannot modify system files or executables like `/mnt/c/Windows/gdi32.dll`, since you wouldn't be able to do that even through File Explorer unless you ran in an Administrative session (don't do that!).
Again, this is no different than what your normal Windows user can (and can't) do already.
Your Windows user has complete control over Ubuntu in WSL (and any other distribution).
This is similar to how things would work with a VM or any container technology. Since you are the Windows user who is running WSL, you already have the ability to:
- Install a new Ubuntu instance in WSL, set a username, etc.
- Delete the Ubuntu instance via the `wsl --unregister` command (don't do this!)
- Have complete access to the virtual drive (`.vhdx`), could copy it to another machine, examine it, modify it, etc.
- And, as you've discovered, change the password for a user by running as `root` (with no password needed).
Because you are the Windows user who is running WSL, you already can do anything you want with it. There's simply no reason for WSL to require you to "log in" with a password to Ubuntu.
There are other similar scenarios that exist even within "pure Ubuntu" -- Running a Docker or Podman (or other) container gives you complete control over that container. You can create users inside that container, create or delete files, etc. You don't need a password when you start an Ubuntu Docker container as `root` inside Docker (et al.); just like you don't need a password when you start Ubuntu as `root` on WSL.
The reality is that, if an attacker gains enough access to your system to run arbitrary code as your Windows user, they've already "won", regardless of whether or not they get access to Ubuntu running inside it. Forcing you to use a password to "login" to Ubuntu in WSL (whether as `root` or another user) wouldn't add any additional defenses in this scenario.
`wsl.exe -u root` from within WSL. – pabouk - Ukraine stay strong Dec 07 '22 at 08:41

`wsl.exe -u root` from inside WSL to elevate privileges, but how does that change the attack vector? If the attacker has access to the Host, they have access to the Client, but not necessarily vice-versa. Running as `root` in WSL still does not elevate Windows privileges. – NotTheDr01ds Dec 11 '22 at 00:49
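
One way to check the permission boundary described in the answer from inside WSL, as an added example that is not part of the original answer or its comments. It probes write access by actually opening the path rather than reading mode bits, and flags the case where a system file is writable, which points to WSL having been started from an elevated Windows session. The function names `probe_write` and `audit_protected` are hypothetical, and the example assumes the Windows drive is mounted under `/mnt/c`.

```shell
#!/usr/bin/env bash
# Added example: non-destructive probe of what the current WSL user
# (root included) can really write under the Windows mounts.

# probe_write PATH -> prints one of: writable | denied | missing
probe_write() {
    local path=$1 tmp
    if [ ! -e "$path" ]; then
        echo missing
    elif [ -d "$path" ]; then
        # Directory: create, then remove, a uniquely named temp file.
        if tmp=$(mktemp "$path/.wsl-probe.XXXXXX" 2>/dev/null); then
            rm -f -- "$tmp"
            echo writable
        else
            echo denied
        fi
    elif ( : >>"$path" ) 2>/dev/null; then
        # File: opened for append, zero bytes written, content unchanged.
        echo writable
    else
        echo denied
    fi
}

# audit_protected PATH... -> one "result path" line per argument.
# Returns 1 if any path that should be protected turns out to be writable.
audit_protected() {
    local path result rc=0
    for path in "$@"; do
        result=$(probe_write "$path")
        printf '%-9s %s\n' "$result" "$path"
        if [ "$result" = writable ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Usage inside WSL (path taken from the answer above):
#   audit_protected /mnt/c/Windows/gdi32.dll
```

Running it once as your normal user and once as `root` should give the same result for the Windows paths, which is the point the answer makes.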