Posts Tagged 'LCAP'

A special method for preventing accidental file deletion on Linux

Some special measures are usually needed to guard against accidental deletion. In fact, accidental deletion can be prevented; deliberate deletion cannot.

Against accidental deletion, the usual approach is chattr +i filename:
[root@imdba imdba_t2]# ls -ltr
total 116
-rw-rw---- 1 mysql mysql    61 Oct 17 16:08 db.opt
-rw-rw---- 1 mysql mysql  8556 Oct 17 16:09 imdba_t2_t.frm
-rw-rw---- 1 mysql mysql 98304 Oct 17 16:09 imdba_t2_t.ibd
[root@imdba imdba_t2]# chattr +i *
[root@imdba imdba_t2]# lsattr
----i-------- ./imdba_t2_t.ibd
----i-------- ./imdba_t2_t.frm
----i-------- ./db.opt
(root:NovaTestDB:Sat Oct 17 16:09:50 2009)[imdba_t2]> drop database imdba_t2;
ERROR 6 (HY000): Error on delete of './imdba_t2//db.opt' (Errcode: 1)
It looks as if this stops people from accidentally deleting things. Do you feel very clever now, with everyone else the fool, having blocked them from deleting? Not quite; look at what follows.
(root:NovaTestDB:Sat Oct 17 16:10:08 2009)[imdba_t2]>
[root@imdba imdba_t2]# chattr -i *
[root@imdba imdba_t2]# lsattr
------------- ./imdba_t2_t.ibd
------------- ./imdba_t2_t.frm
------------- ./db.opt
(root:NovaTestDB:Sat Oct 17 16:10:44 2009)[imdba_t2]> drop database imdba_t2;
Query OK, 1 row affected (0.01 sec)
And there goes your database again, deleted by someone else. Alas, this looks like a con trick.

Now the classic technique appears: look at LCAP.
Its description is as follows:
lcap allows a system administrator to remove specific capabilities from the kernel in order to make the system more secure. lcap modifies the value in the sysctl file /proc/sys/kernel/cap-bound. “Capabilities” are a form of kernel-based access control. Linux kernel versions 2.2.11 and greater include the idea of a “capability bounding set,” a list of capabilities that can be held by any process on the system. If a capability is removed from the bounding set, the capability may not be used by any process on the system (even processes owned by root).
If you don't know what that is, well, anyone working on "system security" cannot afford not to know this site:
http://packetstormsecurity.org/ Go and search there!!
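As an added example (not from the original post and not part of lcap itself), here are two small POSIX sh audit helpers: one parses lsattr output to list the files carrying the immutable flag, the other checks whether a capability mask from the CapBnd line of /proc/<pid>/status still contains CAP_LINUX_IMMUTABLE, the capability that chattr -i needs, so a root process holding it can undo the protection exactly as shown above. On current kernels the global /proc/sys/kernel/cap-bound file that lcap wrote to no longer exists (it was removed in 2.6.25; the bounding set is now per-process and shown as CapBnd), which is why the checker reads that line instead. The lsattr lines are constructed sample input, and the capability number 9 comes from the kernel's capability.h.

```shell
#!/bin/sh
# Constructed lsattr(1) output in the format shown above: "<flags> <path>".
SAMPLE_LSATTR='----i-------- ./imdba_t2_t.ibd
----i-------- ./imdba_t2_t.frm
------------- ./db.opt'

# Read lsattr output on stdin and print the paths whose attribute field
# contains "i" (immutable): they cannot be unlinked, renamed or written,
# not even by root, until the flag is cleared again.
immutable_paths() {
    while read -r flags path; do
        case "$flags" in
            *i*) printf '%s\n' "$path" ;;
        esac
    done
}

# Capability number from the kernel's include/uapi/linux/capability.h.
# Clearing the "i" flag needs CAP_LINUX_IMMUTABLE, so this is the bit that
# must be absent from the bounding set for chattr +i to survive root.
CAP_LINUX_IMMUTABLE=9

# capbnd_has MASK CAPNUM: MASK is the hex mask printed on the "CapBnd:"
# line of /proc/<pid>/status (no 0x prefix). Returns 0 (true) if capability
# CAPNUM is in the set. Works one hex digit at a time, so masks wider than
# the shell's integer size are handled without overflow.
capbnd_has() {
    mask=$1
    skip=$(( $2 / 4 ))   # hex digits to drop from the right
    bit=$(( $2 % 4 ))    # bit position inside the remaining lowest digit
    while [ "$skip" -gt 0 ]; do
        mask=${mask%?}
        skip=$(( skip - 1 ))
    done
    [ -n "$mask" ] || return 1          # mask too short: the bit is zero
    nib=${mask#"${mask%?}"}             # lowest remaining hex digit
    [ $(( (0x$nib >> bit) & 1 )) -eq 1 ]
}

# Can a root process started from this shell still run "chattr -i"?
# Reads the live bounding set of the current process.
root_can_clear_immutable() {
    capbnd_has "$(awk '/^CapBnd:/ {print $2}' /proc/self/status)" \
        "$CAP_LINUX_IMMUTABLE"
}
```

If root_can_clear_immutable succeeds, the immutable flag is only a guard against mistakes, which is the point the post makes; it is a real barrier only once CAP_LINUX_IMMUTABLE has been dropped from the bounding set of every process that can reach the files.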

