Make file read only on Linux even for root

Put it on a CD or a DVD. The once-writable kind, not the erasable ones. Or some other kind of a read-only device.

Ok, I suppose you want a software solution, so here are some ideas: You could possibly create an SELinux ruleset that disables the syscall (*) that chattr uses, even for root. Another possibility would be to use capabilities: setting +i requires the CAP_LINUX_IMMUTABLE capability, so if you can arrange the capability bounding set of all processes to not include that, then no-one can change those flags. But you'd need support from init to have that apply to all processes. Systemd can do that, but I think it would need to be done for each service separately.

(* maybe it was an ioctl instead.)

However, if you do that, remember that a usual root can modify the filesystem from the raw device (that's what debugfs is for), so you'd need to prevent that, too, as well as prevent modifying the kernel (loading modules). Loading modules can be prevented with the kernel.modules_disabled sysctl, but I'm not sure about preventing access to raw devices. And make all the relevant configuration files also immutable.

Anyway, after that, you'd also need to prevent changing the way the system boots, otherwise someone could reboot the system with a kernel that allows overriding the above restrictions.
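As an added illustration of the capability-based approach described in this answer (this is example code, not something from the answer or from any project), the script below decodes the CapBnd line that the kernel exposes in /proc/PID/status and reports whether CAP_LINUX_IMMUTABLE (capability number 9 in linux/capability.h) is still in a process's bounding set, and also reads the kernel.modules_disabled sysctl mentioned above. The function and variable names are hypothetical; the two mask values in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original answer.
# CAP_LINUX_IMMUTABLE is capability number 9 (linux/capability.h); it is what
# chattr +i / -i needs. The CapBnd field in /proc/PID/status is a hex bitmask
# of the process's capability bounding set.

CAP_LINUX_IMMUTABLE=9

# has_cap MASK CAPNUM -> prints 1 if bit CAPNUM is set in the hex MASK, else 0.
# Constructed samples: 000001ffffffffff has the bit set, 000001fffffffdff does not.
has_cap() {
    mask=$1
    capnum=$2
    echo $(( (0x$mask >> capnum) & 1 ))
}

# capbnd_of_pid PID -> prints the raw CapBnd mask of that process (Linux only).
capbnd_of_pid() {
    awk '/^CapBnd:/ { print $2 }' "/proc/$1/status"
}

# immutable_flag_changeable PID -> prints "yes" if the process could still
# change +i/-i flags (bounding set contains CAP_LINUX_IMMUTABLE), else "no".
immutable_flag_changeable() {
    mask=$(capbnd_of_pid "$1")
    if [ "$(has_cap "$mask" "$CAP_LINUX_IMMUTABLE")" = 1 ]; then
        echo yes
    else
        echo no
    fi
}

# modules_disabled_state -> prints the value of kernel.modules_disabled
# (1 means module loading is off until the next reboot), or "unknown".
modules_disabled_state() {
    if [ -r /proc/sys/kernel/modules_disabled ]; then
        cat /proc/sys/kernel/modules_disabled
    else
        echo unknown
    fi
}

# Report on the current shell when run directly on a Linux host.
if [ "${1:-}" = "--report" ]; then
    echo "CapBnd of this shell: $(capbnd_of_pid $$)"
    echo "can change +i/-i:     $(immutable_flag_changeable $$)"
    echo "modules_disabled:     $(modules_disabled_state)"
fi
```

Run it with `--report` on a Linux machine to see the bounding set of the calling shell; to apply the restriction to a service, the systemd directive `CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE` in the unit file removes that capability from the service and everything it spawns, which is the per-service configuration the answer refers to. Note that kernel.modules_disabled is one-way: once set to 1 it cannot be set back to 0 without rebooting.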


There is no way to do this. SOMEONE will always be able to revert the file to a writable status, unless it's on read-only media like a CD-ROM. You can effectively prevent root from doing so using SELinux permissions (I don't know how to do so, or I would provide an example), but then the user that does have permissions would still be able to undo things.


What you want is Mandatory Access Control. It allows you to specify a set of permissions which the kernel will not allow to be overridden, even by root. SELinux is one well-known such system, Smack is another example, and AppArmor is a third such system. In Linux, they are implemented as Linux Security Modules, a general-purpose facility for controlling access outside the traditional UNIX-like security model. In addition to the existing general-purpose systems, you could of course create your own for a special purpose.

Of course, root has the ability to turn the entire facility on or off or change the MAC permissions of files, and some of these systems even allow those capabilities to be granted to non-root users. However, it's also possible, depending on the system, to disable this ability. I know SELinux and Smack make this possible; I doubt all LSMs do. Once disabled, the only way to regain the ability is to reboot the kernel. You will then want your boot process to disable the capability before user access is enabled. If your kernel and boot process are secure, such a configuration could (at least in theory) be changed only by physically removing the storage media to change it.

As an example, if you were using SMACK, you could do:

chsmack -a _ <file>

This would set the file to have the special label "_" which allows only read or execute access, but never write. Now even root cannot write this file (once SMACK has been activated and the security override capability has been disabled, as mentioned above).

However, you must also ensure that your kernel is secure. By default, it is easy for root to subvert the kernel, because the kernel trusts the root user. If root can just remove the security module, it doesn't help very much. A list of such methods is here, but note that no such list can ever truly be complete for all circumstances.

Finally, depending on your circumstances, you may need to secure your boot process. For a machine where you have sole physical access, this might not be needed, but for maximum security you really want encrypted filesystems and a secure way of booting the kernel, such as UEFI Secure Boot.