Why are you concerned about /root
That's just the home directory of the user
named "root." Having root access
gives your customer complete control of the (virtual?) system, so they can remount anything you've mounted as ro
if that's at all possible. (I presume that you're thinking of physically disabling write access to the "ro" DASD?)
If you're not concerned about security, what's the point in this exercise?
By the way, one of the design goals of the Multics
system (from which UNIX
are direct dependents) is that any user may substitute their own executable image for any default executable. The kernel will always use the first executable it finds in $PATH
to satisfy a command execution request. So "protecting" the root file system (which is /
, not /root
if you've followed the standard naming conventions) will not protect your users from messing up their own system.
As I suggested in my last post, implementing the file attribute controls of selinux
might be a better, and easier, way to achieve your goals, if I have understood what you're trying to accomplish.