How can I create a user with read-only access to all files? (ie root without writing permissions)
Might I suggest another method to solve your problem that's less maintenance intensive.
You can create ssh keys which have limited access to specific programs. I dislike granting root unrestricted access, but sometimes you need to enable certain commands to be run via remote. With ssh keys you can have your backup program run via ssh command.
Check out the 'AUTHORIZED_KEYS FILE FORMAT' section in your sshd man page (I'm assuming you're using OpenSSH).
http://man.openbsd.org/OpenBSD-current/man8/sshd.8
You could achieve that with ACLs. You'd still need a script running as root that changes the permissions of every file. See the man pages for ACL, setfacl and getfacl if you're interested.
There is a somewhat another way of creating this without using ACL's. But you need to practice caution here. Firstly, create a group, for example, called roroot (readonly root). Then apply that group id to all directories. Make the permissions for the group bits to be r-- or 400 octal, then you can create a user account just like an ordinary user, for example, rorootusr, with the next id set to whatever it is on your system, make it a member of a group roroot only, do not make it to be part of wheel,bin,etc, depending on what your groups are on your installation. The next bit is going to be kludgy. Open the /etc/passwd file using vim/nano/emacs/joe/ whatever editor rocks your boat, and look for the id you have just created, ie. rorootusr, the passwd file will look like this
root:x:0:0::/root:/bin/sh
Reading from left to right separated by colons you have user name, password (encrypted + shadowed), user id, group id, comment, home directory and shell. From the above example given
rorootusr:x:512:450:Root User RO:/home/rorootusr:/bin/bash
It is the 3rd field (512) that you change it to 0. 450 would be the group id for roroot. Save the edit session and you're done. Now rorootusr will have root access but is solely a member of the group roroot and has readonly access to the system.
Hope this helps, Best regards, Tom.