mount immutable, unchangeable except by reboot?
I would like to mount some filesystems or directories "immutable",
so that their files can't be altered or added to,
except by rebooting.
I currently use
chattr +i filenames
to make individual files immutable.
Then I alter the kernel with
lcap CAP_LINUX_IMMUTABLE
so this immutability can't be changed without a reboot.
As a result, those files cannot be altered without reboot,
which is awkward for upgrades, but acceptably awkward to
greatly limit attacks.
Unfortunately, the use of "chattr" requires me to change
tens of thousands of files, which takes time.
It also alters the files' atime, so an "aide"
check for file changes doesn't straightforwardly work
(although I could remount with "-o noatime").
A better approach would make all of a directory's or mount's files read-only
unless the computer is rebooted.
Unfortunately, "mount -o ro" can be changed with "mount -o rw" without
reboot.
A few hard drives are manufactured that can be physically changed to read-only,
but this becomes awkward, especially for later file changes,
and it is also difficult even to purchase such a drive.
Another possible approach, "chattr +i some-directory",
prevents removing files from or adding files to that directory,
but does not prevent changing the files in that directory!
And I know of no trick like "chmod +t some-directory"
to prevent all users (including root) from changing that file
except by reboot.
Does anyone know how I might mount a filesystem or directory "immutably",
except by reboot?
--
Jameson C. Burt, NJ9L Fairfax, Virginia, USA
jameson@coost.com http://www.coost.com
(202) 690-0380 (work)
LTSP.org: magic "mysterious and awe-inspiring even though
we know they are real and not supernatural"
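As an added example (not the poster's own script): a shell script that applies the chattr +i step to a whole tree, verifies it with lsattr, and then checks whether CAP_LINUX_IMMUTABLE is still in the process's capability bounding set, which on current kernels is per-process rather than the kernel-wide set that lcap altered. The path /srv/frozen, the function names and the sample lsattr lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: freeze a directory tree with
# chattr +i, verify every file carries the flag, and check whether
# CAP_LINUX_IMMUTABLE is still in this process's capability bounding set.
# The path /srv/frozen is a hypothetical placeholder.
set -eu

# CAP_LINUX_IMMUTABLE is capability number 9 (include/uapi/linux/capability.h).
CAP_LINUX_IMMUTABLE=9

# Succeed if a CapBnd hex mask (the format in /proc/<pid>/status) still
# contains CAP_LINUX_IMMUTABLE; fail if the bit has been dropped.
capbnd_has_immutable() {
    mask="$1"
    [ $(( (0x$mask >> CAP_LINUX_IMMUTABLE) & 1 )) -eq 1 ]
}

# Bounding set of the current process; on kernels newer than the poster's
# lcap-era ones the set is per-process, so this is where to look.
current_capbnd() {
    awk '/^CapBnd:/ { print $2 }' /proc/self/status
}

# Read lsattr output on stdin and print the paths whose flag field lacks 'i'.
files_not_immutable() {
    awk '{ flags = $1; $1 = ""; sub(/^ /, ""); if (flags !~ /i/) print }'
}

# Set +i on every regular file under the tree, then verify with lsattr.
freeze_tree() {
    tree="$1"
    find "$tree" -type f -exec chattr +i {} +
    missing=$(find "$tree" -type f -exec lsattr {} + | files_not_immutable | wc -l)
    [ "$missing" -eq 0 ]
}

main() {
    tree="${1:-/srv/frozen}"
    freeze_tree "$tree"
    if capbnd_has_immutable "$(current_capbnd)"; then
        echo "warning: CAP_LINUX_IMMUTABLE still held; root can undo +i" >&2
        exit 2
    fi
    echo "$tree frozen; CAP_LINUX_IMMUTABLE is not in the bounding set"
}

# Run only when a tree is given on the command line (needs root).
if [ $# -gt 0 ]; then main "$1"; fi
```

Run as root with the tree path as the only argument; lines fed to files_not_immutable look like lsattr's own output, e.g. "----i---------e------- /srv/frozen/a".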