@lirrensi
Last active March 23, 2026 19:55
Isolate WSL for on-demand folder mounting with ease.

WSL Dev Sandbox Setup

An isolated WSL session that mounts only your current Windows folder; nothing else on your disk is visible or accessible. Goal: prevent WSL from seeing your C:, D: and other drives.

Run --dangerously-skip-permissions with ease!

Threat model:

  • WSL's home folder is still open to anyone
  • Windows drives are NOT auto-mounted
  • Mounting a folder requires pwsh > cd into the desired path > wsl-dev or a similar command
  • A mount persists until WSL shuts down, either on its timeout or via wsl.exe --shutdown from the host. This means that if you open 3 folders and close one shell, they all stay mounted.
  • You can still do anything with sudo, so don't run your agents as root: they can mount the C: drive and wreak havoc. Prefer a full VM for that.

What you get

  • Windows drives completely invisible inside WSL
  • Only your current project folder mounted at /mnt/project/<foldername>
  • Multiple sessions work simultaneously — each gets its own mount point
  • Auto-unmounts cleanly on exit
  • No sudo password prompts

Step 1 — Disable system drives access (inside WSL)

sudo nano /etc/wsl.conf

Paste one of the following:

Option A — Maximum lockdown (no Explorer access)

Disables Explorer integration entirely: you will not be able to access the WSL drive from the host via \\wsl.localhost.

[automount]
enabled = false
mountFsTab = false

[interop]
enabled = false
appendWindowsPath = false

Option B — Explorer access + immediate unmount (recommended)

Keeps automount enabled but unmounts the drives immediately at boot. This effectively removes all auto-mounted drives while keeping just enough of the initial socket integration for Explorer to work.

[boot]
systemd=true
# runs as root at boot: lazily unmounts every auto-mounted drive letter
command = "for d in /mnt/[a-z]; do umount -l $d 2>/dev/null; done; true"

[automount]
enabled = true
mountFsTab = false

[interop]
enabled = false
appendWindowsPath = false

Save: Ctrl+O, Enter, Ctrl+X


Step 2 — Create the mount folder (inside WSL)

sudo mkdir -p /mnt/project
sudo chown user:user /mnt/project

Replace user with your actual WSL username.


Step 3 — Restart WSL (from PowerShell)

wsl --shutdown

Step 4 — Add function to PowerShell profile (on Windows)

Open your PowerShell profile:

notepad $PROFILE

Add this function:

function wsl-dev {
    $winPath = (Get-Location).Path
    $folderName = Split-Path $winPath -Leaf

    # root mounts the folder silently (paths are single-quoted for bash so a folder name with spaces stays one argument)
    wsl --distribution Ubuntu_dev --user root bash -c "mkdir -p '/mnt/project/$folderName' && mount -t drvfs '$winPath' '/mnt/project/$folderName'"

    # your user enters the session
    wsl --distribution Ubuntu_dev --user user bash -c "
        cd '/mnt/project/$folderName' &&
        trap 'wsl.exe --distribution Ubuntu_dev --user root bash -c ""umount /mnt/project/$folderName""' EXIT &&
        exec bash --login
    "
}

Replace Ubuntu_dev with your distro name and user with your WSL username.


Usage

cd C:\your\project\folder
wsl-dev

You land inside WSL at /mnt/project/<foldername>. Your home folder ~ is also available. Everything else on your Windows disk is invisible.


Notes

  • If WSL is force-killed (wsl --shutdown) the trap won't fire — but that's fine, shutdown wipes all mounts anyway
  • To see active mounts: ls /mnt/project
  • To check your distro name: wsl --list in PowerShell
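
To check the isolation from inside the distro, the following added example (not part of the original gist) reads a mount table in /proc/mounts format and separates project mounts from Windows mounts that exist outside /mnt/project. It assumes WSL1 reports Windows-backed mounts as fstype drvfs and WSL2 as 9p with aname=drvfs; the function names and the sample table are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a WSL mount table for Windows-backed mounts.
# Assumption: WSL1 lists them as fstype "drvfs"; WSL2 lists them as
# fstype "9p" with "aname=drvfs" in the mount options.

PROJECT_ROOT="/mnt/project/"   # mount root created in Step 2

# list_windows_mounts MODE   (mount table on stdin)
#   project -> mounts under PROJECT_ROOT (folders that are still attached)
#   leak    -> Windows mounts anywhere else, e.g. /mnt/c
# Mount points are printed as stored in the table (a space shows as \040).
list_windows_mounts() {
    awk -v mode="$1" -v root="$PROJECT_ROOT" '
        $3 == "drvfs" || ($3 == "9p" && $0 ~ /aname=drvfs/) {
            inside = (index($2, root) == 1)
            if ((mode == "project" && inside) || (mode == "leak" && !inside))
                print $2
        }'
}

# audit_mounts (mount table on stdin): print both lists, return 1 on a leak.
audit_mounts() {
    local table leaks
    table="$(cat)"
    echo "Project folders still mounted:"
    printf '%s\n' "$table" | list_windows_mounts project | sed 's/^/  /'
    leaks="$(printf '%s\n' "$table" | list_windows_mounts leak)"
    if [ -n "$leaks" ]; then
        echo "Windows mounts outside $PROJECT_ROOT:"
        printf '%s\n' "$leaks" | sed 's/^/  /'
        return 1
    fi
    echo "No Windows mounts outside $PROJECT_ROOT"
}

# Constructed sample table (hypothetical paths, not captured from a real system).
SAMPLE_MOUNTS='/dev/sdc / ext4 rw,relatime 0 0
none /usr/lib/wsl/drivers 9p ro,nosuid,aname=drivers;fmask=222,trans=virtio 0 0
C:\134 /mnt/c 9p rw,noatime,aname=drvfs;path=C:\;uid=1000,trans=virtio 0 0
C:\134src\134api /mnt/project/api 9p rw,noatime,aname=drvfs;path=C:\src\api 0 0
D:\134My\040Repo /mnt/project/My\040Repo drvfs rw,noatime 0 0'

# With a file argument (e.g. /proc/mounts) audit it; otherwise show the sample.
if [ $# -ge 1 ]; then
    audit_mounts < "$1"
else
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts || echo "(the sample includes /mnt/c on purpose)"
fi
```

Unlike ls /mnt/project, which also lists empty directories left behind by mkdir -p, the mount table shows only folders that are actually attached.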