Here is the scenario: there is a directory for FTP that users can write to, and then a "mirrored" directory (using mount --bind) that web users can read. There is absolutely no reason that the web users would ever need to write to this directory, so for security reasons I would like to set it to read-only. Unfortunately it seems mounting the directory as read-only (ro) is ineffective when used in combination with --bind.

let me show you the 2 mounts I speak of:
See how it says ro,bind? the "ro" is useless, but I put it there anyway.

The only other idea I have is to use samba to create a share, and then use smbmount to mount it as read-only with smbfs, but how incredibly inefficient is that ?

I think that you are confused about what --bind does. When you do the second mount you still only have one copy of the data. You just have two different paths to access the single copy of the data. Your second mount is just creating a second path to the data. It is not replicating the data.

What you need is some way of creating a backup copy of the data in a location where the users cannot update the second copy.

-------------------
Steve Stites

oh i'm not confused, i know exactly what it does. i think you are confused about what i am asking

still waiting on some comments..

Interesting, didn't know that before.

Then maybe just bind mount rw, then use the traditional way of controlling write access and directory protection -- setup the upload directory write access only to ftp, all other users read only access, by setting up proper group and directory & file modes.

Timing is everything. 2.6.24 was released this week and in the changes, I noticed this feature was added. Can't figure out how to use it though. Not as easy as just mounting read-only, I guess. Maybe a kernel change. Anyone know?

Note that when you use with --bind, the filesystem mount options remain the same as those on the original mount point.

They cannot be changed by passing the -o option along with --bind.

That is why the ro is ignored.