An unusual way to prevent accidental file deletion on Linux
Author: netizen (网友)   Source: 中国企业家   Data center   Editor: 德仔   Image source: web

Some special tricks are usually needed to guard against accidental deletion. Accidental deletion can be prevented; deliberate deletion cannot.

The usual defence against accidental deletion is chattr +i filename:
[root@imdba imdba_t2]# ls -ltr
total 116
-rw-rw---- 1 mysql mysql    61 Oct 17 16:08 db.opt
-rw-rw---- 1 mysql mysql  8556 Oct 17 16:09 imdba_t2_t.frm
-rw-rw---- 1 mysql mysql 98304 Oct 17 16:09 imdba_t2_t.ibd
[root@imdba imdba_t2]# chattr +i *
[root@imdba imdba_t2]# lsattr
----i-------- ./imdba_t2_t.ibd
----i-------- ./imdba_t2_t.frm
----i-------- ./db.opt
(root:NovaTestDB:Sat Oct 17 16:09:50 2009)[imdba_t2]> drop database imdba_t2;
ERROR 6 (HY000): Error on delete of './imdba_t2//db.opt' (Errcode: 1)
That looks as if it stops people deleting things by accident. Feeling clever now, as if everyone else is stupid and you have locked them out of deleting anything? Not quite; look at what follows:
(root:NovaTestDB:Sat Oct 17 16:10:08 2009)[imdba_t2]>
[root@imdba imdba_t2]# chattr -i *
[root@imdba imdba_t2]# lsattr
------------- ./imdba_t2_t.ibd
------------- ./imdba_t2_t.frm
------------- ./db.opt
(root:NovaTestDB:Sat Oct 17 16:10:44 2009)[imdba_t2]> drop database imdba_t2;
Query OK, 1 row affected (0.01 sec)
And there goes your database again. On its own the immutable flag is something of a conjuring trick: any root process holding CAP_LINUX_IMMUTABLE can clear it exactly as easily as you set it.

Now for the classic technique: LCAP.
Its own description reads:
lcap allows a system administrator to remove specific capabilities from the kernel in order to make the system more secure. lcap modifies the value in the sysctl file /proc/sys/kernel/cap-bound. “Capabilities” are a form of kernel-based access control. Linux kernel versions 2.2.11 and greater include the idea of a “capability bounding set,” a list of capabilities that can be held by any process on the system. If a capability is removed from the bounding set, the capability may not be used by any process on the system (even processes owned by root).
If you do not know what that is, well, anyone doing "system security" has to know this site:
http://packetstormsecurity.org/ Go and search for it there!

[root@imdba Nova]# tar jxvf lcap-0.0.3.tar.bz2
lcap-0.0.3/
lcap-0.0.3/COPYING
lcap-0.0.3/INSTALL
lcap-0.0.3/Makefile
lcap-0.0.3/README
lcap-0.0.3/lcap.c
lcap-0.0.3/lcap.spec
lcap-0.0.3/lcap.8
[root@imdba lcap-0.0.3]# make
cc -O3 -Wall -DVERSION=`cat lcap.spec | grep ^Version: | cut -d\  -f2`   -c -o lcap.o lcap.c
cc -s  lcap.o   -o lcap
[root@imdba lcap-0.0.3]# ./lcap
Current capabilities: 0xFFFFFEFF
0) *CAP_CHOWN                   1) *CAP_DAC_OVERRIDE
2) *CAP_DAC_READ_SEARCH         3) *CAP_FOWNER
4) *CAP_FSETID                  5) *CAP_KILL
6) *CAP_SETGID                  7) *CAP_SETUID
8)  CAP_SETPCAP                 9) *CAP_LINUX_IMMUTABLE
10) *CAP_NET_BIND_SERVICE       11) *CAP_NET_BROADCAST
12) *CAP_NET_ADMIN              13) *CAP_NET_RAW
14) *CAP_IPC_LOCK               15) *CAP_IPC_OWNER
16) *CAP_SYS_MODULE             17) *CAP_SYS_RAWIO
18) *CAP_SYS_CHROOT             19) *CAP_SYS_PTRACE
20) *CAP_SYS_PACCT              21) *CAP_SYS_ADMIN
22) *CAP_SYS_BOOT               23) *CAP_SYS_NICE
24) *CAP_SYS_RESOURCE           25) *CAP_SYS_TIME
26) *CAP_SYS_TTY_CONFIG
* = Capabilities currently allowed
[root@imdba lcap-0.0.3]# ./lcap 9
Bit 9 is CAP_LINUX_IMMUTABLE, so from now on the kernel refuses to let any process, root included, set or clear the immutable and append-only attributes. What does that buy us? Watch what happens to the IMMUTABLE files now:
[root@imdba imdba_t2]# chattr -i *
chattr: Operation not permitted while setting flags on db.opt
chattr: Operation not permitted while setting flags on imdba_t2_t.frm
chattr: Operation not permitted while setting flags on imdba_t2_t.ibd
So what can be done now? The kernel parameter has been changed, and the README line below gives the only answer: a reboot. That makes a chattr +i lock backed by lcap hold up far better than chattr alone. Two caveats a practitioner should keep in mind: lcap leaves CAP_SYS_MODULE and CAP_SYS_RAWIO in the bounding set unless you drop them as well, so root can still load a kernel module or write to the block device directly; and the /proc/sys/kernel/cap-bound file that lcap writes to was removed in Linux 2.6.25, where the bounding set became a per-process attribute managed with prctl(PR_CAPBSET_DROP), so lcap itself does not work on any current kernel.
Messing around with LCAP can severly mess up your system, so be very
careful.  You may need to reboot quite often when testing out
the deletion of various capabilities.
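Because cap-bound no longer exists on current kernels, the per-process equivalent of `./lcap 9` is prctl(PR_CAPBSET_DROP). The program below is an added example written for this page; it is not part of lcap or of any other project. It assumes a Linux kernel of 2.6.25 or later and, for the drop and the flag changes to succeed, a root shell that still holds CAP_SETPCAP and CAP_LINUX_IMMUTABLE. Given a test file it sets +i the way chattr does (FS_IOC_SETFLAGS), drops CAP_LINUX_IMMUTABLE from its own bounding set, and then shows that clearing +i fails with EPERM even as root. The drop is inherited across exec(), so the same pattern can wrap a shell or a service that must never be able to run chattr -i.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <linux/capability.h>   /* CAP_LINUX_IMMUTABLE (bit 9), CAP_LAST_CAP */
#include <linux/fs.h>           /* FS_IOC_GETFLAGS/SETFLAGS, FS_IMMUTABLE_FL */

/* Programmatic chattr +i / -i.  The kernel checks CAP_LINUX_IMMUTABLE inside
 * FS_IOC_SETFLAGS whenever the immutable or append-only bit changes.
 * Returns 0 on success or -errno. */
int set_immutable(const char *path, int on)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -errno;
    int flags, rc = 0;
    if (ioctl(fd, FS_IOC_GETFLAGS, &flags) == -1) {
        rc = -errno;            /* save before close() can clobber errno */
        close(fd);
        return rc;
    }
    if (on)
        flags |= FS_IMMUTABLE_FL;
    else
        flags &= ~FS_IMMUTABLE_FL;
    if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == -1)
        rc = -errno;            /* -EPERM once CAP_LINUX_IMMUTABLE is gone */
    close(fd);
    return rc;
}

/* 1 if cap is in this process's bounding set, 0 if not, -1 on error.
 * Needs no privilege, unlike the drop. */
int cap_in_bset(int cap)
{
    return prctl(PR_CAPBSET_READ, (unsigned long)cap, 0, 0, 0);
}

/* The modern "lcap N": remove cap from the bounding set of this process and
 * of everything it will exec().  Irreversible for this process tree.
 * Returns 0 or -errno; -EPERM means the caller lacks CAP_SETPCAP. */
int drop_from_bset(int cap)
{
    if (prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0, 0, 0) == -1)
        return -errno;
    return 0;
}

/* Bounding set as a bitmask in the layout lcap prints after
 * "Current capabilities:" (bit n set means capability n allowed). */
unsigned long long read_bset(void)
{
    unsigned long long mask = 0;
    for (int cap = 0; cap <= CAP_LAST_CAP && cap < 64; cap++)
        if (cap_in_bset(cap) == 1)
            mask |= 1ULL << cap;
    return mask;
}

/* Drop CAP_LINUX_IMMUTABLE and verify: 0 = dropped, -EPERM = not privileged. */
int drop_immutable(void)
{
    int rc = drop_from_bset(CAP_LINUX_IMMUTABLE);
    if (rc == 0 && cap_in_bset(CAP_LINUX_IMMUTABLE) != 0)
        return -EIO;            /* kernel reported success but the bit is still set */
    return rc;
}

/* Usage (as root, on a throwaway file): ./bset_drop /tmp/testfile
 * The file is left immutable on purpose: this process can no longer clear
 * it, but a root shell that did not inherit the drop still can. */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 2;
    }
    const char *path = argv[1];
    int rc = set_immutable(path, 1);
    printf("chattr +i %s: %s\n", path, rc ? strerror(-rc) : "ok");
    printf("bounding set before drop: 0x%llx\n", read_bset());
    rc = drop_immutable();
    printf("drop CAP_LINUX_IMMUTABLE: %s\n", rc ? strerror(-rc) : "ok");
    printf("bounding set after drop:  0x%llx\n", read_bset());
    rc = set_immutable(path, 0);    /* fails with EPERM, root or not */
    printf("chattr -i %s: %s\n", path, rc ? strerror(-rc) : "ok");
    return 0;
}
```

The key difference from lcap is scope: the old cap-bound was system-wide and only a reboot restored a dropped bit, whereas PR_CAPBSET_DROP affects only the calling process and its descendants. To get the "nobody can chattr -i" effect for a whole service, have its launcher drop the capability and then exec() the service; a root process started elsewhere (your recovery shell, for instance) keeps CAP_LINUX_IMMUTABLE and can clear the flag on the test file afterwards.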
Below is the usage help from the official documentation, pasted for reference.
Syntax:
lcap -h
Shows a help message.
lcap
Shows current settings.
lcap [-v[v]] capability …
Remove capabilities (using either name or bit number) from bounding
set.  The -v[v] option provides verbose and more verbose messages.
lcap [-v[v]] -z capability …
Zero out the bounding set except for the capabilities listed.
This allows for shorter command lines if more capabilities are to
be zeroed out than kept.

bit capability (short description)
----------------------------------
00  CAP_CHOWN             chown(2)/chgrp(2)
01  CAP_DAC_OVERRIDE      DAC access
02  CAP_DAC_READ_SEARCH   DAC read
03  CAP_FOWNER            owner ID not equal to user ID
04  CAP_FSETID            effective user ID not equal to owner ID
05  CAP_KILL              real/effective ID not equal to process ID
06  CAP_SETGID            setgid(2)
07  CAP_SETUID            set*uid(2)
08  CAP_SETPCAP           transfer capability
09  CAP_LINUX_IMMUTABLE   immutable and append file attributes
10  CAP_NET_BIND_SERVICE  binding to ports below 1024
11  CAP_NET_BROADCAST     broadcast/listening to multicast
12  CAP_NET_ADMIN         interface/firewall/routing changes
13  CAP_NET_RAW           raw sockets
14  CAP_IPC_LOCK          locking of shared memory segments
15  CAP_IPC_OWNER         IPC ownership checks
16  CAP_SYS_MODULE        insertion and removal of kernel modules
17  CAP_SYS_RAWIO         ioperm(2)/iopl(2) access
18  CAP_SYS_CHROOT        chroot(2)
19  CAP_SYS_PTRACE        ptrace(2)
20  CAP_SYS_PACCT         configuration of process accounting
21  CAP_SYS_ADMIN         tons of admin stuff
22  CAP_SYS_BOOT          reboot(2)
23  CAP_SYS_NICE          nice(2)
24  CAP_SYS_RESOURCE      setting resource limits
25  CAP_SYS_TIME          setting system time
26  CAP_SYS_TTY_CONFIG    tty configuration

kernel_cap_t is a 32-bit mask in which bit n is capability n of this table; lcap prints the same mask as the "Current capabilities" hex value, so the 0xFFFFFEFF shown earlier means every bit except 8 (CAP_SETPCAP) is set.
