httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Kraemer <>
Subject Re: file attribute questions
Date Tue, 21 Aug 2001 14:43:41 GMT
On Tue, Aug 21, 2001 at 08:36:33AM +0200, Kraemer, Martin wrote:
> Luckily there are VERY few programs which rely on the correct implementation
> of the semantics of the ctime field.

I failed to give an example for a program which relies on the unix
semantics for ctime.

Let's first recall that the *system* sets the value of the ctime field
whenever *the system* makes a change to the inode. There is no function
to manipulate the st_ctime value and set it to arbitrary values
(unless you consider changing the hardware clock to arbitrary values
an "interface").

Based on that fact, the value of the ctime field cannot be controlled
by a non-super-user, and can be used to monitor changes to a file,
for example:
  - change in number of hard links to the file
  - change in size, or inode allocations,
  - but also, changing of the mtime or atime stamps (e.g. to "hide"
    the malevolent modification of a /usr/sbin/sshd trojan)

And it is this functionality which is used for example by the
well known tripwire program to monitor the integrity of important
system files. A ctime change on a system file CAN point to trouble.

<>    |       Fujitsu Siemens
       <>              |   81730  Munich,  Germany

View raw message