- File Permissions for WSL
- WSL metadata on Windows files
- File Access Scenarios
- Accessing Files in the Windows drive file system (DrvFS) from Linux
- Reading file permissions from an existing Windows file
- Changing file permissions on an existing Windows file using chmod
- Creating a file in DrvFS
- Which Linux user and Linux group owns the file?
- Accessing Linux files from Windows using \\wsl$
- Creating a new file
- Accessing files in the Linux root file system from Linux
- Configuring file permissions
- Change Windows 7 file permissions from command prompt
- Give permissions to files and folders in Windows 10
- Change access permissions in command prompt
- How to grant permission to users for a directory using command line in Windows?
File Permissions for WSL
This page details how Linux file permissions are interpreted across the Windows Subsystem for Linux, especially when accessing resources inside of Windows on the NT file system. This documentation assumes a basic understanding of the Linux file system permissions structure and the umask command.
When accessing Windows files from WSL the file permissions are either calculated from Windows permissions, or are read from metadata that has been added to the file by WSL. This metadata is not enabled by default.
WSL metadata on Windows files
When metadata is enabled as a mount option in WSL, extended attributes on Windows NT files can be added and interpreted to supply Linux file system permissions.
WSL can add four NTFS extended attributes:
Attribute Name | Description |
---|---|
$LXUID | User Owner ID |
$LXGID | Group Owner ID |
$LXMOD | File mode (File systems permission octals and type, e.g: 0777) |
$LXDEV | Device, if it is a device file |
Additionally, any file that is not a regular file or directory (e.g. symlinks, FIFOs, block devices, Unix sockets, and character devices) also has an NTFS reparse point. This makes it much faster to determine the kind of file in a given directory without having to query its extended attributes.
File Access Scenarios
Below is a description of how permissions are determined when accessing files in different ways using the Windows Subsystem for Linux.
Accessing Files in the Windows drive file system (DrvFS) from Linux
These scenarios occur when you are accessing your Windows files from WSL, most likely via /mnt/c .
Reading file permissions from an existing Windows file
The result depends on whether the file already has existing metadata.
DrvFS file does not have metadata (default)
If the file has no metadata associated with it, we translate the effective permissions of the Windows user to read/write/execute bits and set the same value for user, group, and other. For example, if your Windows user account has read and execute access but not write access to the file, this will be shown as r-x for user, group and other. If the file has the ‘Read Only’ attribute set in Windows, we do not grant write access in Linux.
The file has metadata
If the file has metadata present, we simply use those metadata values instead of translating effective permissions of the Windows user.
Changing file permissions on an existing Windows file using chmod
The result depends on whether the file already has existing metadata.
chmod file does not have metadata (default)
chmod has only one effect: if you remove all the write attributes of a file, the ‘read only’ attribute on the Windows file will be set. This is the same behaviour as CIFS (Common Internet File System), which is the SMB (Server Message Block) client in Linux.
chmod file has metadata
Chmod will change or add metadata depending on the file’s already existing metadata.
Please keep in mind that you cannot give yourself more access than what you have on Windows, even if the metadata says that is the case. For example, you could set the metadata to display that you have write permissions to a file using chmod 777 , but if you tried to access that file you would still not be able to write to it. This is a consequence of interoperability: any read or write commands to Windows files are routed through your Windows user permissions.
Creating a file in DrvFS
The result depends on whether metadata is enabled.
Metadata is not enabled (default)
The Windows permissions of the newly created file will be the same as if you created the file in Windows without a specific security descriptor: it will inherit the parent’s permissions.
Metadata is enabled
The file’s permission bits are set to follow the Linux umask, and the file will be saved with metadata.
Which Linux user and Linux group owns the file?
The result depends on whether the file already has existing metadata.
User file does not have metadata (default)
In the default scenario, when automounting Windows drives, we specify that the user ID (UID) for any file is set to the user ID of your WSL user and the group ID (GID) is set to the principal group ID of your WSL user.
User file has metadata
The UID and GID specified in the metadata are applied as the user owner and group owner of the file.
Accessing Linux files from Windows using \\wsl$
Accessing Linux files via \\wsl$ will use the default user of your WSL distribution. Therefore any Windows app accessing Linux files will have the same permissions as the default user.
Creating a new file
The default umask is applied when creating a new file inside of a WSL distribution from Windows. The default umask is 022 , or in other words it allows all permissions except write permissions to groups and others.
Accessing files in the Linux root file system from Linux
Any files created, modified, or accessed in the Linux root file system follow standard Linux conventions, such as applying the umask to a newly created file.
Configuring file permissions
You can configure your file permissions inside of your Windows drives using the mount options in wsl.conf. The mount options allow you to set umask , dmask and fmask permissions masks. The umask is applied to all files, the dmask is applied just to directories and the fmask is applied just to files. These permission masks are then put through a logical OR operation when being applied to files, e.g: If you have a umask value of 023 and an fmask value of 022 then the resulting permissions mask for files will be 023 .
Please see the Configure per distro launch settings with wslconf article for instructions on how to do this.
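The mask combination described above, as an added example that is not part of the Microsoft documentation or of WSL itself: it parses a DrvFS options string of the kind set under [automount] in wsl.conf and computes the combined mask and the resulting mode for files and directories. It assumes a base mode of 0777 (the Windows user has full access to the item); the function names are illustrative.

```shell
#!/bin/sh
# Added example: a model of how DrvFS mask options combine. Not WSL code.
# Assumption: base mode is 0777 (the Windows user has full access to the item).

# get_mask OPTIONS NAME: print the octal value given as NAME=... in a
# comma-separated mount option string; print 0 when the option is absent.
get_mask() {
    value=0
    old_ifs=$IFS; IFS=,
    for opt in $1; do
        case $opt in "$2"=*) value=${opt#*=} ;; esac
    done
    IFS=$old_ifs
    # Reject empty or non-octal values instead of computing a wrong mask.
    case $value in
        ''|*[!0-7]*) echo "bad $2 value: $value" >&2; return 1 ;;
    esac
    printf '%s\n' "$value"
}

# effective_mask OPTIONS KIND: print umask OR'ed with fmask (KIND=file)
# or with dmask (KIND=dir), as three octal digits.
effective_mask() {
    case $2 in
        file) extra_name=fmask ;;
        dir)  extra_name=dmask ;;
        *)    echo "KIND must be file or dir" >&2; return 2 ;;
    esac
    u=$(get_mask "$1" umask) || return 1
    x=$(get_mask "$1" "$extra_name") || return 1
    # The leading 0 makes shell arithmetic read the digits as octal.
    printf '%03o\n' $(( 0$u | 0$x ))
}

# effective_mode OPTIONS KIND: print the mode left after the mask is applied.
effective_mode() {
    m=$(effective_mask "$1" "$2") || return $?
    printf '%03o\n' $(( 0777 & ~0$m ))
}

# Constructed sample: the page's umask 023 / fmask 022 case as an options string.
opts='metadata,umask=023,fmask=022'
echo "file mask: $(effective_mask "$opts" file)"
echo "file mode: $(effective_mode "$opts" file)"
echo "dir mode:  $(effective_mode "$opts" dir)"
```
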
Change Windows 7 file permissions from command prompt
How can I change Windows 7 file permissions using the command prompt?
I want to change permissions in program files, but cacls is not working for me.
6 Answers
cacls is deprecated in Windows 7. You need to use ICACLS instead of cacls .
This command is granting the privileges.
To change permissions, use an administrator account on that machine to run CACLS . If you have UAC enabled, you may have to elevate the command prompt first by right-clicking on it and choosing «Run as Administrator».
You can use cacls as follows:
For example, to grant your user account full (F) control to files , you would use the following command (typed in an elevated Windows command prompt):
Read complete help by typing following command:
If, for any reason, files have become disassociated with the administrator account in Windows 7, using ICACLS will NOT restore them.
You are forced to manually click EACH file, one at a time, and select Properties > Security tab > Advanced button > Permissions tab > Continue button.
If enabled, approve UAC prompt for Permissions Editor for Files and Folders and Uncheck Include inheritable permissions from this object’s parent. Click the Remove button when prompted, then re-enable Include inheritable permissions, click OK.
This will restore your access to the file.
How can this be accomplished against an entire folder or set of files? Using ICACLS *.* /RESET does not work; it ends in error «Access is denied» for the files in question.
Give permissions to files and folders in Windows 10
Original title: REad only
Windows 10 has set all my files and folders to read only. I am not able to turn this off. Is there a trick to this as right clicking and unchecking read only I get you need admin rights message and it doesn’t work. This is causing some games and programs I have to not work correctly.
Replies (24)
Thank you for posting in Microsoft Community. I understand your concern and I’ll be glad to assist you.
Please follow through.
- In Windows Explorer, right-click the file or folder you want to work with.
- From the pop-up menu, select Properties, and then in the Properties dialog box click the Security tab.
- In the Name list box, select the user, contact, computer, or group whose permissions you want to view. If the permissions are dimmed, it means the permissions are inherited from a parent object.
1) Turn off UAC (User Account Control)
Before you can do anything, you must turn off the UAC, or you will be locked out of the following steps.
1) Start -> Settings -> Control Panel -> User Accounts
2) Click «Change User Account Control Settings»
3) Move slider all the way down to «Never Notify»
4) Reboot
2) Take Ownership
Yes take ownership. Even though you are logged on as an Administrator, you can’t change files that don’t belong to you. The Program Files folder is set to the Trusted Installer group and the Administrator doesn’t have the rights to change anything. So now we have to claim all the files and folders.
1) Open Windows Explorer
2) R-Click on Program Files -> Properties -> Security Tab
3) Click Advanced -> Owner
4) Click Edit
5) Select Administrators -> Put a checkmark in Replace owner on subcontainers & objects -> Apply
6) Wait a while.
7) When it finishes, Click OK on all boxes to close everything
3) Fix Permissions
Now that you own the files, you have to give yourself permission to modify them
1) R-Click on Program Files -> Properties -> Security Tab
2) Click Advanced -> Change Permission
3) Select Administrators (any entry) -> Edit
4) Change the Apply To drop down box to This Folder, Subfolder & Files
5) Put check in Full Control under Allow column -> OK -> Apply
6) Wait some more.
7) When it finishes, the dialog boxes may hide behind the Explorer window. Minimize it and click OK on all the dialog boxes
Hope this post helps. Get back to us for further queries. We are happy to help.
Change access permissions in command prompt
Q. I’m logged in as a non-privileged user and would like to change file permissions. How do I do that without logging out?
A. 1. First you have to open the command prompt as a privileged user. That can be found under Start -> «All Programs» -> Accessories. Right-click on the «Command prompt» icon and select «Run-As».
2. Once prompted, enter username and password.
3. On the command line, you can use a command called CACLS. Here’s the full list of things that it can do:
Displays or modifies access control lists (ACLs) of files

CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
               [/P user:perm [...]] [/D user [...]]
   filename      Displays ACLs.
   /T            Changes ACLs of specified files in
                 the current directory and all subdirectories.
   /E            Edit ACL instead of replacing it.
   /C            Continue on access denied errors.
   /G user:perm  Grant specified user access rights.
                 Perm can be: R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /R user       Revoke specified user’s access rights (only valid with /E).
   /P user:perm  Replace specified user’s access rights.
                 Perm can be: N  None
                              R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /D user       Deny specified user access.
Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.

Abbreviations:
   CI - Container Inherit.
        The ACE will be inherited by directories.
   OI - Object Inherit.
        The ACE will be inherited by files.
   IO - Inherit Only.
        The ACE does not apply to the current file/directory.
So if you want to add permissions to a folder called «Shared», located on C: drive for Everyone, do the following:
C:\> cacls c:\Shared /e /p Everyone:f
Where /e is to preserve old permissions;
/p is to add new permissions;
Everyone is the user
f stands for Full Control (R Read, W Write, C Change (write), F Full control)
If you don’t include /e, the permissions assigned will be the only permissions on the file/directory.
How to grant permission to users for a directory using command line in Windows?
How can I grant permissions to a user on a directory (Read, Write, Modify) using the Windows command line?
17 Answers
As of Vista, cacls is deprecated. Here’s the first couple of help lines:
You should use icacls instead. This is how you grant John full control over D:\test folder and all its subfolders:
According to MS documentation:
- F = Full Control
- CI = Container Inherit — This flag indicates that subordinate containers will inherit this ACE.
- OI = Object Inherit — This flag indicates that subordinate files will inherit the ACE.
- /T = Apply recursively to existing files and sub-folders. ( OI and CI only apply to new files and sub-folders). Credit: comment by @AlexSpence.
For complete documentation, you may run «icacls» with no arguments or see the Microsoft documentation here and here
You can also use ICACLS.
To grant the Users group Full Control to a folder:
To grant Modify permission to IIS users for C:\MyFolder (if you need your IIS has ability to R/W files into specific folder):
If you do ICACLS /? you will be able to see all available options.
Open a Command Prompt, then execute this command:
icacls "c:\somelocation\of\path" /q /c /t /grant Users:F
F gives Full Access.
/q /c /t applies the permissions to subfolders.
Note: Sometimes «Run as Administrator» will help.
Use cacls command. See information here.
/p : Set new permission
/e : Edit permission and kept old permission as it is i.e. edit ACL instead of replacing it.
C — Change (write)
F — Full control
For example grant Rocky Full (F) control with following command (type at Windows command prompt):
C:\> CACLS files /e /p rocky:f
Read complete help by typing following command:
I tried the way below and it worked for me:
1. open cmd.exe
2. takeown /R /F *.*
3. icacls * /T /grant [username]:(D)
4. del *.* /S /Q
That way the files come under my own access and are assigned «Delete», and then I can delete the files and folders.
Corrupt Permissions: Regaining access to a folder and its sub-objects
Although most of the answers posted in reply to the question have some merit, IMHO none of them give a complete solution. The following (might be) a perfect solution for Windows 7 if you are locked-out of a folder by corrupted permission settings:
For Windows 10 the user/SID must be specified after the /remove:d option:
The command is applied to the specified directory.
Specifying the user «Everyone» sets the widest possible permission, as it includes every possible user.
The option «/remove:d» deletes any explicit DENY settings that may exist, as those override explicit ALLOW settings: a necessary preliminary to creating a new ALLOW setting. This is only a precaution, as there is often no DENY setting present, but better safe than sorry.
The option «/grant» creates a new ALLOW setting, an explicit permission that replaces («:r») any and all explicit ALLOW settings that may exist.
The «F» parameter (i.e. the permission created) makes this a grant of FULL control.
The «/T» parameter adds recursion, applying these changes to all current sub-objects in the specified directory (i.e. files and subfolders), as well as the folder itself.
The «(OI)» and «(CI)» parameters also add recursion, applying these changes to sub-objects created subsequently.
ADDENDUM (2019/02/10) —
The Windows 10 command line above was kindly suggested to me today, so here it is. I haven’t got Windows 10 to test it, but please try it out if you have (and then will you please post a comment below).
The change only concerns removing the DENY setting as a first step. There might well not be any DENY setting present, so that option might make no difference. My understanding is, on Windows 7, that you don’t need to specify a user after /remove:d but I might be wrong about that!
ADDENDUM (2019/11/21) —
User astark recommends replacing Everyone with the term *S-1-1-0 in order for the command to be language independent. I only have an English install of Windows, so I can’t test this proposal, but it seems reasonable.