Is there any way to do this, so as to prevent e.g. a live USB stick boot sector from being accidentally or deliberately overwritten while the stick is booted? Preferably without making filesystems on the stick read-only?

Basically, as things are normally, the USB device node looks like this:

    /dev/sdb root:root -rw-r--r--

I want it to be permanently set to

    /dev/sdb root:root -r--r--r--

and that actually enforced, at some time early in the boot process. Is this possible without a mandatory access control framework?

Edit: No, it is not possible without mandatory access control. N/M. Too bad local privilege escalation holes are so frequent on Linux.