[CentOS] read only root file system

Mon May 26 22:15:16 UTC 2008
Filipe Brandenburger <filbranden at gmail.com>

On Sun, May 25, 2008 at 7:47 PM, Karanbir Singh <mail-lists at karan.org> wrote:
> Linux wrote:
>> A cd-rom can provide security as a readonly mount, but readonly
>> mounted ordinary filesystem/disk means almost nothing. Don't you read
>> comments like "administrator remounts read-write"? Why?
>
> If your blockdev is exposed to the OS as 'ro', your administrator can go
> jump off a cliff if he wants, he's not getting +w on there.

Hmmm... interesting.

Is there a way to force the OS to see a SCSI disk or partition as a
"ro" blockdev like this? Nobody who doesn't have physical access
can write to the root filesystem. And yet you might be able to
reboot the machine (in "rw" mode, maybe another entry in grub menu?),
do your updates, and reboot the machine again turning it read-only. It
would be very useful indeed from the security point of view.

Thanks,
Filipe
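
Added example, not part of the original message: a Python check that separates the two cases argued over in the quoted text, a filesystem that is only mounted "ro" versus one whose block device the kernel itself reports as read-only. The sample mount table and device flags are constructed and the function names are hypothetical; on a live Linux system the flag is read from /sys/class/block/<name>/ro.

```python
import os
import re

# Constructed sample in /proc/mounts format (not taken from the thread).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 ro,noatime 0 0
/dev/sdb1 /srv/static ext3 ro 0 0
/dev/sda2 /var ext3 rw 0 0
/dev/sdc1 /mnt/my\\040data ext3 ro 0 0
proc /proc proc rw 0 0
"""
# Constructed stand-in for the kernel's per-device read-only flag.
SAMPLE_DEV_RO = {"/dev/sda1": False, "/dev/sdb1": True,
                 "/dev/sda2": False, "/dev/sdc1": True}

def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    """Yield (device, mountpoint, options) for mounts backed by /dev nodes."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].startswith("/dev/"):
            yield _unescape(parts[0]), _unescape(parts[1]), set(parts[3].split(","))

def sysfs_dev_ro(device):
    """Read the kernel's read-only flag for a block device; None if unknown."""
    name = os.path.basename(os.path.realpath(device))
    try:
        with open("/sys/class/block/%s/ro" % name) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None

def classify(mounts_text, dev_ro=sysfs_dev_ro):
    """Map mountpoint -> 'rw', 'ro-mount-only', 'ro-device' or 'ro-unknown'."""
    result = {}
    for device, mountpoint, opts in parse_mounts(mounts_text):
        if "ro" not in opts:
            result[mountpoint] = "rw"
            continue
        states = {True: "ro-device", False: "ro-mount-only"}
        result[mountpoint] = states.get(dev_ro(device), "ro-unknown")
    return result

if __name__ == "__main__":
    for mp, state in classify(SAMPLE_MOUNTS, SAMPLE_DEV_RO.get).items():
        print("%-16s %s" % (mp, state))
```

A mount reported as "ro-mount-only" is the case the quoted text warns about, since only the mount option stands between root and a writable filesystem. The sysfs flag shows what the kernel currently believes about the device, not whether the restriction is enforced below the OS.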