Linux下防止文件误删除的特殊方法

通常要用一些特殊的方法，防止误删除，其实误删除是可以防止的，特意删除是无法防止的。
误删除，通常是chattr +i filename
[root@imdba imdba_t2]# ls -ltr
total 116
-rw-rw—- 1 mysql mysql    61 Oct 17 16:08 db.opt
-rw-rw—- 1 mysql mysql  8556 Oct 17 16:09 imdba_t2_t.frm
-rw-rw—- 1 mysql mysql 98304 Oct 17 16:09 imdba_t2_t.ibd
[root@imdba imdba_t2]# chattr +i *
[root@imdba imdba_t2]# lsattr
—-i——– ./imdba_t2_t.ibd
—-i——– ./imdba_t2_t.frm
—-i——– ./db.opt
(root:NovaTestDB:Sat Oct 17 16:09:50 2009)[imdba_t2]> drop database imdba_t2;
ERROR 6 (HY000): Error on delete of ‘./imdba_t2//db.opt’ (Errcode: 1)
看上去这样可以防止一些人误删除，这样是不是感觉自己很聪明，别人很傻，就限制住了别人删除了呢？其实不然，看下面
(root:NovaTestDB:Sat Oct 17 16:10:08 2009)[imdba_t2]>
[root@imdba imdba_t2]# chattr -i *
[root@imdba imdba_t2]# lsattr
————- ./imdba_t2_t.ibd
————- ./imdba_t2_t.frm
————- ./db.opt
(root:NovaTestDB:Sat Oct 17 16:10:44 2009)[imdba_t2]> drop database imdba_t2;
Query OK, 1 row affected (0.01 sec)
是不是人家又把你的数据库删除了，哎，貌似是骗人的把戏。
经典的手法出现了，看 LCAP
介绍如下：
lcap allows a system administrator to remove specific capabilities from
the kernel in order to make the system more secure. lcap modifies the
value in the sysctl file /proc/sys/kernel/cap-bound. “Capabilities” are
a form of kernel-based access control. Linux kernel versions 2.2.11 and
greater include the idea of a “capability bounding set,” a list of
capabilities that can be held by any process on the system. If a
capability is removed from the bounding set, the capability may not be
used by any process on the system (even processes owned by root).
如果你不知道是啥，哎，搞“系统安全”的不能不知道这个网址：
http://packetstorm