As someone interested in security, I liked the concept of 'inode change time'. Creation time is certainly a change, so that fits too.

Changing permissions or overwriting of binaries with trojans was a popular hacking technique in the 90s. Trojan installation scripts would often contain commands (touch) to replace the inode modify times, but that changed the inode change times too, making ctime a more reliable indicator of tampering.

The workaround for that was to change the system clock to the desired ctime, modify the binary, then change the system clock back. Fortunately, setting system clocks back arbitrarily no longer works in systems I've used. Perhaps someone knows more about this change?

Rik

On Tue, Mar 11, 2025 at 7:49 PM Larry McVoy <lm@mcvoy.com> wrote:
I had the exact same reaction, I think I saw the time created and liked
that semantic.  When it morphed into inode change time, as a source
management guy, I'd much rather have create time than changed time
since I already got access and modified times.

On Wed, Mar 12, 2025 at 01:31:37PM +1100, Rob Pike wrote:
> Or perhaps the comment was wrong?
>
> I do remember being confused by it.
>
> -rob
>
>
> On Wed, Mar 12, 2025 at 1:19 PM Theodore Ts'o <tytso@mit.edu> wrote:
>
> > As part of a discussion on the Linux kernel mailing list, there was an
> > assertion that ctime was originally "creation time".
> >
> > From the v7 sources in TUHS, we can see:
> >
> > struct dinode
> > {
> >         unsigned short  di_mode;        /* mode and type of file */
> >         short   di_nlink;       /* number of links to file */
> >         short   di_uid;         /* owner's user id */
> >         short   di_gid;         /* owner's group id */
> >         off_t   di_size;        /* number of bytes in file */
> >         char    di_addr[40];    /* disk block addresses */
> >         time_t  di_atime;       /* time last accessed */
> >         time_t  di_mtime;       /* time last modified */
> >         time_t  di_ctime;       /* time created */
> > };
> >
> > ... although the v7 kernel sources do seem to update ctime when the
> > inode metadata changes, regardless of what the comment in
> > /usr/src/sys/h/ino.h might say.
> >
> > More interestingly, this comment seems to continue in newer versions
> > up to 3BSD, and then the comment becomes "change time" in BSD 4.2,
> > probably coincident with the File System Implementation?
> >
> > The best we can guess is that the change from "creation time" to
> > "inode change time" happened sometime between 1979 and 1982.  Can
> > anyone who was around give the story about how and when this
> > happened?
> >
> >                                         - Ted
> >

--
---
Larry McVoy           Retired to fishing          http://www.mcvoy.com/lm/boat
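
Added example, not part of any message in this thread: the first message notes that resetting a file's modify time with touch still updates its inode change time. The Python sketch below reproduces that on a scratch directory and uses the resulting ctime/mtime gap as a triage check. It assumes a POSIX system where st_ctime is the inode change time; the function names, the file names and the one-hour threshold are constructed for illustration.

```python
import os
import tempfile
import time


def backdate_mtime(path, seconds_ago):
    """Set atime/mtime to a past value with utime(), as `touch` does."""
    past = time.time() - seconds_ago
    os.utime(path, (past, past))
    return past


def ctime_mtime_gap(path):
    """Seconds by which the inode change time is later than the modify time."""
    st = os.lstat(path)  # lstat: inspect the entry itself, not a symlink target
    return st.st_ctime - st.st_mtime


def flag_backdated(root, threshold=3600.0):
    """Return files under root whose ctime is later than mtime by > threshold.

    A hit is a lead, not proof: chmod, chown, rename and archive or package
    extraction that preserves mtimes all produce the same gap.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if ctime_mtime_gap(path) > threshold:
                    hits.append(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
    return sorted(hits)


def demo():
    """Build two constructed files, backdate one, return the flagged names."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("clean", "touched"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("constructed sample\n")
        backdate_mtime(os.path.join(root, "touched"), 86400)
        return [os.path.basename(p) for p in flag_backdated(root)]


if __name__ == "__main__":
    print(demo())
```

Because benign operations also move ctime, the output is best compared against a known-good baseline such as package manager verification or a stored hash list.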