Set read only linux

How to mount a hard disk as read-only from the terminal

You do not mount /dev/sda , that refers to the entire disk. You mount /dev/sda1 or whatever partition you want.

Make a mount point, call it anything you like.

sudo mount -o ro /dev/sda1 /media/2tb 

When your done, you should unmount the disk

When mounting the filesystem read-only, some trouble may happen. The system may try to write into the device anyway and fail.

For that reason the noload flag may be used, to notify to the system that the disk is blocked.

The best solution I found was:

sudo mount -o ro,noload /dev/sda1 /media/2tb 

The manual of mount(8) explains this options as follows:

-r , —read-only

Mount the filesystem read-only. A synonym is -o ro .

Note that, depending on the filesystem type, state and kernel behavior, the system may still write to the device. For example, Ext3 or ext4 will replay its journal if the filesystem is dirty. To prevent this kind of write access, you may want to mount ext3 or ext4 filesystem with ro,noload mount options or set the block device to read-only mode, see command blockdev(8) .

[…]

norecovery / noload

Don’t load the journal on mounting. Note that if the filesystem was not unmounted cleanly, skipping the journal replay will lead to the filesystem containing inconsistencies that can lead to any number of problems.

Yes, when I was trying to mount a single disk from an old RAID 1 array, I was able to mount it only with nolaod option — sudo mount -o ro,noload /dev/md0 /mnt/disk1 once I have rebuilt the array with sudo mdadm —assemble —readonly /dev/md0 /dev/sda

I am plugging a USB connected drive into Ubuntu 12.04 and the system is mounting it automatically. In Terminal, if I just say mount it shows me the current info. I want to remount it read-only.

Extrapolated from man mount(8) :

sudo mount -o remount,ro /dev/sdb4 /media/HP_TOOLS 

Seemed to work nicely. Had to do it for each automounted partition.

Step 1: After connecting the disk to the machine, give the command below to see what it shows the disk as.

It will show the disk as /dev/sda or /dev/sdb with a partion table.

Disk /dev/sdb: 7.5 GiB, 8053063680 bytes, 15728640 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: dos Disk identifier: 0x0e0e8e70 Device Boot Start End Sectors Size Id Type /dev/sdb1 * 0 2902111 2902112 1.4G 0 Empty /dev/sdb2 2888004 2892739 4736 2.3M ef EFI (FAT-12/16/32) 

Step 2: Execute the command below to see where it is mounted. For example,

$ sudo df -HT Filesystem Type Size Used Avail Use% Mounted on udev devtmpfs 4.2G 0 4.2G 0% /dev tmpfs tmpfs 829M 10M 819M 2% /run /dev/mapper/ubuntu--vg-root ext4 484G 149G 311G 33% / tmpfs tmpfs 4.2G 20M 4.2G 1% /dev/shm tmpfs tmpfs 5.3M 4.1k 5.3M 1% /run/lock tmpfs tmpfs 4.2G 0 4.2G 0% /sys/fs/cgroup /dev/sda1 ext2 495M 111M 359M 24% /boot /dev/sdb1 iso9660 1.5G 1.5G 0 100% /media/username/Ubuntu 

Step 3: Finally execute the command below to remount it as an ro only.

sudo mount -o remount,ro /dev/sdb1 /media/username/Ubuntu 

Источник

Make file read only on Linux even for root

I know about the chattr +i filename command which makes a file read only for all users. However, the problem is that I can revoke this by using chattr -i filename . Is there a way to make a file readable by everyone on the system, but not writable by anyone, even the root, and with no going back (No option to make it writable again)?

I don’t think there is a way to do that. You would always be able to «go back» if you are root. What is it you are trying to accomplish with this? Maybe we can come up with another solution. Does someone else have root access to your system but you don’t trust them?

Depending on what you’re trying to accomplish, you might want to digitally sign the file using public key encryption, so that although someone could modify it, other people would be able to detect that.

Honestly, it just doesn’t make sense to do this in practice. It’s a perfectly good question to ask out of curiosity, but if you actually have a situation where you want to prevent a person with root access from modifying a file, you have much bigger problems than can be solved with filesystem permissions.

5 Answers 5

Put it on a CD or a DVD. The once-writable kind, not the erasable ones. Or some other kind of a read-only device.

Ok, I suppose you want a software solution, so here are some ideas: You could possibly create an SELinux ruleset that disables the syscall (*) that chattr uses, even for root. Another possibility would be to use capabilities: setting +i requires the CAP_LINUX_IMMUTABLE capability, so if you can arrange the capability bounding set of all processes to not include that, then no-one can change those flags. But you’d need support from init to have that apply to all processes. Systemd can do that, but I think it would need to be done for each service separately.

(* maybe it was an ioctl instead.)

However, if you do that, remember that a usual root can modify the filesystem from the raw device (that’s what debugfs is for), so you’d need to prevent that, too, as well as prevent modifying the kernel (loading modules). Loading modules can be prevented with the kernel.modules_disabled sysctl, but I’m not sure about preventing access to raw devices. And make all the relevant configuration files also immutable.

Anyway, after that, you’d also need to prevent changing the way the system boots, otherwise someone could reboot the system with a kernel that allows overriding the above restrictions.

And don’t forget about mount —bind modified-file original-file , which often achieves the same result as modifying the file without actually doing so

chatter +i is advisory as well. /dev/sd?? are writable as root and I can think of a host of other ways. SELinux kind of works.

Yeah, that’s pretty much the point, you’d need to first prevent modifying the file, and then prevent making changes to the restrictions.

What you want is Mandatory Access Control. It allows you to specify a set of permissions which the kernel will not allow to be overridden, even by root. SELinux is one well-known such system, Smack is another example, and AppArmor is a third such system. In Linux, they are implemented as Linux Security Modules, a general-purpose facility for controlling access outside the traditional UNIX-like security model. In addition to the existing general-purpose systems, you could of course create your own for a special purpose.

Of course, root has the ability to turn the entire facility on or off or change the MAC permissions of files, and some of these systems even allow those capabilities to be granted to non-root users. However, it’s also possible, depending on the system, to disable this ability. I know SELinux and Smack make this possible; I doubt all LSMs do. Once disabled, the only way to regain the ability is to reboot the kernel. You will then want your boot process to disable the capability before user access is enabled. If your kernel and boot process are secure, such a configuration could (at least in theory) be changed only by physically removing the storage media to change it.

As an example, if you were using SMACK, you could do:

This would set the file to have the special label «_» which allows only read or execute access, but never write. Now even root cannot write this file (once SMACK has been activated and the security override capability has been disabled, as mentioned above).

However, you must also ensure that your kernel is secure. By default, it is easy for root to subvert the kernel, because the kernel trusts the root user. If root can just remove the security module, it doesn’t help very much. A list of such methods is here, but note that no such list can ever truly be complete for all circumstances.

Finally, depending on your circumstances, you may need to secure your boot process. For a machine where you have sole physical access, this might not be needed, but for maximum security you really want encrypted filesystems and a secure way of booting the kernel, such as UEFI Secure Boot.

Источник

How to Open a File in Read-Only Mode on Linux

In Linux, opening a file in read-only mode can be useful to prevent accidental modifications to the file contents. Read-only mode allows you to view the contents of the file, but you cannot make any changes to it. In this guide, we will show you how to open a file in read-only mode using various Linux commands.

Option 1: Using the less command

The less command is a powerful utility for viewing file contents on Linux. To open a file in read-only mode using less, simply use the “-R” option:

This will open the file in read-only mode, and you can view the contents of the file without the ability to modify it. To exit the less command, press the “q” key.

Option 2: Using the cat command

The cat command is another popular command for viewing file contents on Linux. To open a file in read-only mode using cat, simply use the “-v” and “-E” options:

This will display the contents of the file in read-only mode. The “-v” option will display non-printable characters, and the “-E” option will display a “$” character at the end of each line.

Option 3: Using the view command

The view command is a read-only version of the vi editor. To open a file in read-only mode using view, simply use the “-R” option:

This will open the file in read-only mode, and you can view the contents of the file without the ability to modify it. To exit the view command, press the “q” key.

Option 4: Using the chmod command

You can also use the chmod command to set the file permissions to read-only mode. To set the file permissions to read-only, use the following command:

This will set the file permissions to read-only mode, and you will not be able to modify the contents of the file. To revert the file permissions back to their original state, use the following command:

Commands Mentioned:

• less – displays file contents in a paginated manner
• cat – displays file contents
• view – opens a file in read-only mode using the vi editor
• chmod – changes file permissions

Conclusion:

In this guide, we have shown you how to open a file in read-only mode using various Linux commands. Opening a file in read-only mode can be useful to prevent accidental modifications to the file contents. The less, cat, and view commands allow you to view the contents of a file in read-only mode, while the chmod command allows you to set the file permissions to read-only mode.

Dimitri Nek

Dimitri is a Linux-wielding geek from Newport Beach and a server optimization guru with over 20 years of experience taming web hosting beasts. Equipped with an arsenal of programming languages and an insatiable thirst for knowledge, Dimitri conquers website challenges and scales hosting mountains with unmatched expertise. His vast knowledge of industry-leading hosting providers allows him to make well-informed recommendations tailored to each client’s unique needs.

Источник