12 Mar
2025
12 Mar
'25
3:02 a.m.
As someone interested in security, I liked the concept of 'inode change
time'. Creation time is certainly a change, so that fits too.
Changing permissions or overwriting of binaries with trojans was a popular
hacking technique in the 90s. Trojan installation scripts would often
contain commands (touch) to replace the inode modify times, but that
changed the inode change times too, making ctime a more reliable indicator
of tampering.
The workaround for that was to change the system clock to the desired
ctime, modify the binary, then change the system clock back. Fortunately,
setting system clocks back arbitrarily no longer works in systems I've
used. Perhaps someone knows more about this change?
Rik
On Tue, Mar 11, 2025 at 7:49 PM Larry McVoy <lm(a)mcvoy.com> wrote:
I had the exact same reaction, I think I saw the time
created and liked
that semantic. When it morphed into inode change time, as a source
management guy, I'd much rather have create time than changed time
since I already got access and modified times.
On Wed, Mar 12, 2025 at 01:31:37PM +1100, Rob Pike wrote:
Or perhaps the comment was wrong?
I do remember being confused by it.
-rob
On Wed, Mar 12, 2025 at 1:19???PM Theodore Ts'o <tytso(a)mit.edu> wrote:
> As part of a discusion on the Linux kernel mailing list, there was an
> assertion that ctime was orginally "creation time".
>
> From the v7 sources in TUHS, we can see:
>
> struct dinode
> {
> unsigned short di_mode; /* mode and type of file */
> short di_nlink; /* number of links to file */
> short di_uid; /* owner's user id */
> short di_gid; /* owner's group id */
> off_t di_size; /* number of bytes in file */
> char di_addr[40]; /* disk block addresses */
> time_t di_atime; /* time last accessed */
> time_t di_mtime; /* time last modified */
> time_t di_ctime; /* time created */
> };
>
> ... although the v7 kernel sources does seem to update ctime when the
> inode metadata changes, regardless of what the coment in
> /usr/src/sys/h/ino.h might say.
>
> More interestingly, this comment seems to continue in newer versions
> up to 3BSD, and then the comments becomes "change time" in BSD 4.2,
> probably coincident with the File System Implementation?
>
> The best we can guess is that the change from "creation time" to
> "inode change time" happened sometime between 1979 and 1982. Does
> anyone who was around can give the story about how and when this
> happened?
>
> - Ted
>
--
---
Larry McVoy Retired to fishing
http://www.mcvoy.com/lm/boat