logoalt Hacker News

messelast Friday at 10:11 AM0 repliesview on HN

Only if securelevel is 2. If securelevel = 1, then only mounted filesystems are RO. An attacker could conceivably forcibly unmount /var/log as root, and make the changes directly to the block device.