diff --git a/meta-lxatac-software/conf/distro/tacos.conf b/meta-lxatac-software/conf/distro/tacos.conf
index 4f1ee5a0..5fdb7830 100644
--- a/meta-lxatac-software/conf/distro/tacos.conf
+++ b/meta-lxatac-software/conf/distro/tacos.conf
@@ -40,6 +40,10 @@ USERADD_ERROR_DYNAMIC = "error"
 USERADD_UID_TABLES = "files/passwd"
 USERADD_GID_TABLES = "files/group"
+# Mark /srv in the root filesystem as read only to prevent anyone from writing
+# to it before the /srv partition is mounted.
+FILESYSTEM_PERMS_TABLES += "files/fs-perms-srv-ro.txt"
+
 # do not include libc variant name in tmp directory
 TCLIBCAPPEND = ""
diff --git a/meta-lxatac-software/files/fs-perms-srv-ro.txt b/meta-lxatac-software/files/fs-perms-srv-ro.txt
new file mode 100644
index 00000000..e9763075
--- /dev/null
+++ b/meta-lxatac-software/files/fs-perms-srv-ro.txt
@@ -0,0 +1,5 @@
+# This matches the original fs-perms.txt.
+# The only difference is that write permissions for the owner were removed
+# (0755 -> 0555) to prevent anyone from writing to the rootfs /srv instead of
+# the /srv partition.
+/srv 0555 root root false - - -
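Review bot: The added `FILESYSTEM_PERMS_TABLES += "files/fs-perms-srv-ro.txt"` only achieves its goal if the new table's `/srv` line wins over the `/srv 0755` entry in the default `files/fs-perms.txt` that is already in the variable, and the hunk relies on that silently. I believe the rootfs permission code keys entries by path so a later table overrides an earlier one, but that is an inference from the build class rather than anything visible here, so it is worth stating and checking. I would extend the comment with `# Appended after the default fs-perms.txt so this entry overrides its 0755 /srv line; verify with stat on the built rootfs.` and, if the build has a rootfs postprocess hook, make it fail when `/srv` is not 0555 so a future change to the default table cannot quietly reopen the directory. The rest of the distro config is outside this hunk.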
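Review bot: The header comment's claim that 0555 prevents "anyone" from writing to the rootfs `/srv` is too strong: mode bits are bypassed by any process holding CAP_DAC_OVERRIDE, i.e. root and most early-boot services, so a root daemon started before the `/srv` partition is mounted will still create files in the rootfs and they will be masked by the mount. The permission change is still useful, because it fails closed for unprivileged writers and makes the mistake visible for them, but the comment should say so and point at the real control for root. I would replace the second and third comment lines with `# The owner write bit is dropped (0755 -> 0555) so unprivileged processes cannot write into the rootfs /srv before the partition is mounted. Root bypasses mode bits, so root services that touch /srv must also be ordered after the mount (RequiresMountsFor=/srv or similar).` The `false` walk column keeps this from recursing, which is correct since the directory is expected to be an empty mount point.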