readonlyuser

A user read-only access account.

Note: As the filesystem is read only, some commands won't work, such as vi that requires write access into /var/tmp to create a temporary file.

To setup read-only access a "new root" directory such are "/var/read-only" is created,.Under this directory "/" is mounted as read-only.

Here is a diagram of the directory structure.

/
| | | |
var usr adm <etc>
|
read-only
|
/ (Note: this link is a read-only mount of /)
| | | |
var usr adm <etc> (Note: these directories are picked up even if they are separate mounted filesystems.)
|
read-only
(Note: no it doesn't get cyclic at this point)

When a user logs in, instead of running a shell such as /sbin/sh in the password file, readonlyshell which has suid privileges runs. It changes the root directory for the user to "/var/read-only", sets a couple of shell variables and changes directory to the "/" directory, now "/var/read-only". Lastly it runs a bash shell.