How to make secondary boot partitions read-only in OS X

Do you dual-boot your Mac with at least one other installation of OS X? If so, then you might benefit from setting up each installation so the other boot partition that mounts is read-only.

When you install OS X, the drive it resides on will be formatted to Mac OS Extended, a format that is fully writable by any current version of OS X. As a result, when you load one OS X installation, the volume containing the other will mount as a secondary drive in which you can edit files.

While for the most part the contents of a secondary drive should not be affected if you ignore it, there is a possibility programs you use may attempt to change files on the drive. One approach to avoiding such changes is to manually unmount the drive (or create a script that does so), or prevent it from mounting in the first place so it remains relatively hidden and inaccessible, but this will prevent services like the OS X Startup Disk system preferences pane from seeing the boot partition.

As a result, it may be best practice to only mount secondary boot partitions as read-only, so you may still access data on them, but not inadvertently change data.

To do this, first open Disk Utility in the Applications > Utilities folder, and then select the secondary boot volume in the device list on the left-hand side of the window. Now press Command-i to get information on the volume. In the window that pops up, locate the “Universal Unique Identifier” (UUID) string, which is a series of letters and numbers separated by dashes. Select the entire UUID and press Command-c to copy it.

With this UUID in hand, you now need to edit the system’s “fstab” file with special code to have the volume mount in read-only mode:

  1. Open the Terminal utility
  2. Run the following command:
    sudo pico /etc/fstab
  3. Add the following line to the fstab file, and change the UUID from all zeros as shown here, to the value of the copied UUID from Disk Utility:
    UUID=00000000-0000-0000-0000-000000000000 none hfs ro
  4. Press Control-o to write the file changes, and then Control-x to exit the editor.

When you edit the fstab file and enter your drive’s UUID, specifying “ro” here will ensure the drive is mounted as “read only.”

With these changes in place, the next time you reboot your Mac, the volume specified by the UUID will be readable, but you will not be able to write to it.

Note that while this is outlined here for boot volumes, you can do this for any volume you attach to your Mac. The only thing to keep in mind is if you are using a Windows-compatible drive (i.e., one formatted to FAT32), then you will need to specify this as “msdos” in the fstab entry, instead of “hfs.” Beyond this, the process is exactly the same.
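
The fstab steps and the FAT32 note above can be scripted. The following is an added example, not part of the original article: it validates the copied UUID, refuses the all-zero placeholder, accepts only the "hfs" and "msdos" types, and appends the entry once. The function names and the UUID in the demo are constructed, and the demo writes to a scratch file rather than /etc/fstab.

```shell
#!/bin/sh
# Added example (not from the article): build and append the read-only fstab
# entry described above. Function names are hypothetical.
LC_ALL=C; export LC_ALL

# Print "UUID=<uuid> none <fstype> ro" for UUID $1 and type $2 (default hfs).
fstab_ro_line() (
    uuid=$1
    fstype=${2:-hfs}
    # Only hex digits and dashes: this also rejects spaces and newlines, so a
    # pasted value cannot smuggle extra fields or lines into fstab.
    case "$uuid" in
        ''|*[!0-9A-Fa-f-]*) echo "invalid UUID: $uuid" >&2; exit 1 ;;
    esac
    printf '%s\n' "$uuid" |
        grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$' ||
        { echo "invalid UUID: $uuid" >&2; exit 1; }
    # The all-zero UUID is the article's placeholder, not a real volume.
    case "$uuid" in
        *[!0-]*) ;;
        *) echo "placeholder UUID not replaced" >&2; exit 1 ;;
    esac
    case "$fstype" in
        hfs|msdos) ;;   # the two types the article names
        *) echo "unsupported type: $fstype" >&2; exit 1 ;;
    esac
    printf 'UUID=%s none %s ro\n' "$uuid" "$fstype"
)

# Append the entry to file $1 unless that UUID already has a line in it.
add_ro_entry() (
    file=$1
    line=$(fstab_ro_line "$2" "$3") || exit 1
    key=${line%% *}     # "UUID=<uuid>"
    if [ -f "$file" ] && grep -qi "^${key}[[:space:]]" "$file"; then
        exit 0          # already present: leave the file untouched
    fi
    printf '%s\n' "$line" >> "$file"
)

# Demo on a scratch file with a constructed UUID; point add_ro_entry at a copy
# of /etc/fstab and review the result before touching the real file.
demo() (
    scratch=$(mktemp) || exit 1
    add_ro_entry "$scratch" 1B2C3D4E-5F60-4A7B-8C9D-0E1F2A3B4C5D
    add_ro_entry "$scratch" 1b2c3d4e-5f60-4a7b-8c9d-0e1f2a3b4c5d  # duplicate, skipped
    cat "$scratch"; rm -f "$scratch"
)
demo
```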

5 thoughts on “How to make secondary boot partitions read-only in OS X”

  1. B. Jefferson Le Blanc

    I’m hard pressed to see where this would be useful. If a boot volume is read only, it will almost certainly have problems if you actually try to boot from it. Virtual memory, for one thing, needs to be able to write to the boot volume. Other system operations also require write access for cache and log files and such. These problems seem to me to far outweigh the risk of some random write operations to the drive from another boot volume. Further, most boot volumes need to be accessed from time to time to update files and apps, like utilities, that you may keep on them. Both copying files and updating them require write access.

    Since you don’t give a real world example where it would be desirable to have a boot volume set to write only, I suspect you are equally hard pressed to imagine a case where this would be useful.

    I think this is the proverbial solution in search of a problem.

    1. Topher Kessler Post author

      No. This only makes the secondary (unused) boot volume read-only from within the current operating system. You will still be able to boot from it, and when you do so, the volume will be fully readable by the OS that is installed on it.

      What this does is prevent the drive from being modified when you are NOT booted to it.

      This can be a very good safety measure for systems with multiple boot partitions. The problem is very real and can be an issue if you are not careful.

      1. B. Jefferson Le Blanc

        OK. With that clarification the technique may have value though I still don’t know exactly what they might be. I often have numerous secondary drives with boot and data partitions connected to my system that I use in my Mac tech support business. I actually need to be able to manually update files on them on a regular basis, including non-Apple web browsers and various third-party utilities. If any files have been modified without my knowledge, as you describe, I have never noticed it. Another reason to keep them writable is so that I can do routine maintenance on the partitions to keep them operating at their best. I can’t afford to go to a job with a boot drive that won’t boot.

        I don’t mean to be a scold. If you can list some of the inappropriate operations that need to be prevented, I would be interested to know of them. As the saying goes, you cannot beat something with nothing. Your vague description arouses my curiosity but not my concern – as you offer nothing substantive to be concerned about.

  2. MaX

    Is there any application (GUI) to do it? This may be handy, for instance, when DiskWarrior asks to boot from a read-only disk like a CD-ROM but you do not want to waste CD-ROM any more.

  3. Rivera

    This could be useful for read-only data, like a movie collection that you want to avoid/minimize the possibility of getting corrupted by systems defragmentation or power losses.
