>
>> this way there is no place to install a setuid program/backdoor
>> and most of the system binaries are on a readonly partition.
>
>That is a good point. The only problem with making /usr/local readonly
>is that one must bring the system down to single user to install or
>update anything, so there would be a tradeoff. Still, being aware of
>that option, one can make an informed decision whether making local
>ro is desired. Your partition arrangement above is EXACTLY like mine
>other than the ro and nosuid options, and order of mounting:
>/, /usr, /tmp, /usr/local, /var, home.
>

You can use the command mount -oremount,rw /usr to make /usr
read/writeable, but you will have to reboot to reset the readonly feature.
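
An added example, not part of the original messages: a shell check that reads /proc/mounts-format text and reports partitions missing the ro or nosuid options discussed in this thread, such as /usr left read/write after a remount. The policy list and the sample mount table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check that mounts carry the options a hardening policy expects.
# POLICY is an assumption for illustration ("mountpoint:required-option" pairs);
# the thread does not say which partitions get ro and which get nosuid.
POLICY='/usr:ro /usr/local:ro /tmp:nosuid /var:nosuid /home:nosuid'

# Constructed sample in /proc/mounts format:
#   device mountpoint fstype options dump pass
# Here /usr has been remounted rw and /tmp is missing nosuid.
SAMPLE='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 rw,relatime 0 0
/dev/sda3 /tmp ext4 rw,nodev,relatime 0 0
/dev/sda5 /usr/local ext4 ro,relatime 0 0
/dev/sda6 /var ext4 rw,nosuid,relatime 0 0
/dev/sda7 /home ext4 rw,nosuid,nodev 0 0'

# audit_mounts: reads mounts-format text on stdin, prints one line per policy
# violation, and returns non-zero if any were found.
audit_mounts() {
    awk -v policy="$POLICY" '
    { opts[$2] = $4 }            # a later entry for the same mountpoint wins
    END {
        bad = 0
        n = split(policy, rule, " ")
        for (i = 1; i <= n; i++) {
            split(rule[i], f, ":")
            mp = f[1]; need = f[2]
            if (!(mp in opts)) {
                print "MISSING " mp ": not a separate mount"; bad = 1
            } else if (index("," opts[mp] ",", "," need ",") == 0) {
                # comma-wrapped match so "ro" never matches inside another option
                print "VIOLATION " mp ": lacks " need " (" opts[mp] ")"; bad = 1
            }
        }
        exit bad
    }'
}

# Demonstration on the constructed sample; on a live Linux host use:
#   audit_mounts < /proc/mounts
printf '%s\n' "$SAMPLE" | audit_mounts || true
```

Run from cron or a monitoring agent, a non-zero exit flags a partition that was remounted read/write for an update and never returned to its hardened state.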