@gdestuynder
Last active February 23, 2017 08:16
safety first!
#!/bin/bash
# What's this?!
# Just a POC, so there might be caveats I did not think of. It gives you a root user with read-only filesystem access
# Uses a new, non-persistent filesystem namespace in order not to pollute the system's mounts (disappears when the command exits and is not seen by other processes)
# Example:
# kang$ sudoro
# root# touch /boot/aaa
# touch: cannot touch '/boot/aaa': Read-only file system
# Options explanation (or attempt at explaining what this really does):
# unshare -f -i -u -p -m # this starts a new namespace for: filesystem, process (PID), IPC, UTS (hostname) so that we do not touch the host fs
# findmnt -n -r -U # this lists all current unique mounts on the system (ie whatever exists and we want to see as read-only)
# cut -f 1 -d ' ' # this just cuts out the list of mounts and removes the options so that we can feed the list to mount
# xargs --no-run-if-empty -n1 -IXXX # this processes stdin (list of mounts) and repeats the mount name twice (replaces XXX)
# mount -r -R XXX XXX # this mounts as rbind, read-only (this is necessary since busy filesystems cannot be remounted read-only unless they're bound - we bind back to ourselves in this case so that you only see a read-only filesystem)
sudo unshare -f -i -u -p -m -- /bin/bash -c "findmnt -n -r -U|cut -f 1 -d ' '|xargs --no-run-if-empty -n1 -IXXX mount -r -R XXX XXX && /bin/bash"
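
A check to run inside the resulting shell, as an added example that is not part of the gist: it reads lines in `/proc/self/mountinfo` format and reports every mount whose per-mount options still include `rw`. The function names and the sample lines are constructed for illustration.

```bash
#!/bin/sh
# Added example, not the gist author's code.
# mountinfo fields: 5 = mount point, 6 = per-mount options. A read-only bind
# mount shows "ro" in field 6 even when the superblock options (the last
# field, after " - ") still say "rw", so field 6 is the one to inspect.

# Print the mount point of every entry on stdin that is still writable.
writable_mounts() {
    awk '{
        n = split($6, opts, ",")
        writable = 0
        for (i = 1; i <= n; i++) if (opts[i] == "rw") writable = 1
        if (writable) {
            mp = $5
            gsub(/\\040/, " ", mp)  # mountinfo writes a space as \040;
            print mp                # other octal escapes are left as-is
        }
    }'
}

# Return 1 and list the offenders on stderr if any mount is writable.
check_readonly() {
    offenders=$(writable_mounts)
    if [ -n "$offenders" ]; then
        printf 'still writable:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Constructed sample: a host before any read-only rebinding.
SAMPLE_BEFORE='22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 8:2 / /boot rw,relatime shared:2 - ext4 /dev/sda2 rw
24 22 0:21 / /mnt/my\040disk rw,nosuid shared:3 - tmpfs tmpfs rw'

# Constructed sample: a namespace where one mount was left writable.
SAMPLE_AFTER='122 100 8:1 / / ro,relatime - ext4 /dev/sda1 rw
123 122 8:2 / /boot ro,relatime - ext4 /dev/sda2 rw
124 122 0:21 / /mnt/my\040disk rw,nosuid - tmpfs tmpfs rw'

# Demo on the constructed sample; inside the real shell, run instead:
#   check_readonly < /proc/self/mountinfo
printf '%s\n' "$SAMPLE_AFTER" | check_readonly || true
```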
@domenpk

domenpk commented Feb 22, 2017

What about e.g.: export PATH="/foo/bar"; cp /bin/sh /foo/bar/findmnt; sudoro

@kangsterizer

kangsterizer commented Feb 22, 2017

this is not meant as a security control, but rather as a thing to avoid messing up the host system by mistake
you could also just do sudo -s otherwise at this point ;-)

a somewhat secure implementation would be interesting, i guess, though it's probably hard to do as a shell script

@gdestuynder
Author

so, like, ok then: https://github.com/gdestuynder/sudoro/
the same comments remain but this might actually be somewhat decent
