
I have CentOS 6.8 installed on a flash drive and, due to its limited life-cycle (100,000 writes per sector, the mean time before failure), I want to mount it as read-only.

The kernel is supposedly launching as ro. At least, the result of cat /proc/cmdline starts with "ro ...".

I have set up /etc/fstab to mount read-only:

UUID=4addd4a7-97f6-4399-89e4-6d3728bd2979 /     ext4    defaults,noatime,ro        1 1
UUID=21a81149-6534-4313-8696-e203896d5881 /boot ext4    defaults,noatime,ro        1 2
UUID=D64B-DD9C          /boot/efi               vfat    noatime,ro,umask=0077,shortname=winnt 0 0
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
tmpfs                   /var/log                tmpfs   defaults        0 0

When I run mount, I see that the specifications in /etc/fstab were followed. In spite of this, I can still modify files and write new files. Further evidence of the mount being writable comes from running lsof (according to this post). The results show a few files open for writing, mostly on /home. (In order to arrive at this, I had to mount /var/log as tmpfs.)

Is this a bug in CentOS 6.8? Is there a workaround?

MrMas

1 Answer

I remember reading somewhere, probably in the man pages, that there is a kind of bug which means that to make a device read-only you also have to remount the device.

mount -o remount,ro ...

Try adding a remount after the other entries in fstab. PS: mount can be provided with the filesystem "none" in fstab.

UPDATE:

I found the relevant man entry:

   mount(8) since v2.27 allows to change the mount options by passing the relevant options along with --bind.  For example:

          mount --bind,ro foo foo

   This feature is not supported by the Linux kernel; it is implemented in userspace by an additional mount(2) remounting syscall.  This solution is not atomic.

   The alternative (classic) way to create a read-only bind mount is to use the remount operation, for example:

          mount --bind olddir newdir
          mount -o remount,ro,bind olddir newdir

   Note that a read-only bind will create a read-only mountpoint (VFS entry), but the original filesystem superblock will still be writable, meaning that the olddir will be writable, but the newdir will be read-only.

   It's impossible to change mount options recursively (for example with -o rbind,ro).

Based on this you can try using the fstab options:

defaults,rbind,ro

Failing that, add an entry to re-mount.

UPDATE 2 (man 8 mount / man 8 blockdev):

   -r, --read-only
          Mount the filesystem read-only.  A synonym is -o ro.

          Note that, depending on the filesystem type, state and kernel behavior, the system may still write to the device. For example, ext3 and ext4 will replay the journal if the filesystem is dirty. To prevent this kind of write access, you may want to mount an ext3 or ext4 filesystem with the ro,noload mount options or set the block device itself to read-only mode, see the blockdev(8) command.

That means you have the option of:

ro,noload

or to use:

blockdev --setro /dev/...

mikejonesey
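An added check script, not part of the question or the answer above: it compares which fstab entries request `ro` against what the kernel actually reports in /proc/self/mounts, matching options as whole comma-separated tokens so that `errors=remount-ro` is not mistaken for `ro`. The fstab and mount lines below are constructed sample data (the root line is deliberately reported `rw` to show a mismatch); on a real system feed it `/etc/fstab` and `/proc/self/mounts` instead.

```shell
#!/bin/sh
# Constructed sample /etc/fstab content (same layout as the question's fstab).
SAMPLE_FSTAB='UUID=4addd4a7-97f6-4399-89e4-6d3728bd2979 / ext4 defaults,noatime,ro 1 1
UUID=21a81149-6534-4313-8696-e203896d5881 /boot ext4 defaults,noatime,ro 1 2
tmpfs /var/log tmpfs defaults 0 0'

# Constructed /proc/self/mounts-style lines: what the kernel says is mounted.
# "/" carries errors=remount-ro, which contains "ro" as a substring but is
# still a read-write mount; "/boot" really is ro.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,noatime,errors=remount-ro 0 0
/dev/sda1 /boot ext4 ro,noatime 0 0
tmpfs /var/log tmpfs rw 0 0'

# has_opt OPTS NAME: true only if NAME is a whole token in the comma list.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# mount_opts MOUNTS MOUNTPOINT: print the option field (4th) for a mountpoint.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# ro_mismatches FSTAB MOUNTS: print, one per line, every mountpoint that
# fstab asks to be ro but the kernel reports without the ro option.
ro_mismatches() {
    printf '%s\n' "$1" | while read -r dev mp _type opts _rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        has_opt "$opts" ro || continue              # only ro entries matter
        actual=$(mount_opts "$2" "$mp")
        has_opt "$actual" ro || printf '%s\n' "$mp"
    done
}

# Stand-alone run on the constructed data: prints "/" only.
ro_mismatches "$SAMPLE_FSTAB" "$SAMPLE_MOUNTS"
```

This only checks the VFS-level mount flag; as the quoted man page notes, a read-only mount does not stop journal replay or writes to the block device, so `blockdev --getro /dev/...` (and `--setro`) is the complementary device-level check.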