[forwarded to dev, where the discussion belongs]

----- Original Message -----
From: "Martin Kraemer" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, August 21, 2001 9:43 AM
Subject: Re: file attribute questions

> On Tue, Aug 21, 2001 at 08:36:33AM +0200, Kraemer, Martin wrote:
> > Luckily there are VERY few programs which rely on the correct implementation
> > of the semantics of the ctime field.
>
> I failed to give an example for a program which relies on the unix
> semantics for ctime.
>
> Let's first recall that the *system* sets the value of the ctime field
> whenever *the system* makes a change to the inode. There is no function
> to manipulate the st_ctime value and set it to arbitrary values
> (unless you consider changing the hardware clock to arbitrary values
> an "interface").
>
> Based on that fact, the value of the ctime field cannot be controlled
> by a non-super-user, and can be used to monitor changes to a file,
> for example:
> - change in number of hard links to the file
> - change in size, or inode allocations,
> - but also, changing of the mtime or atime stamps (e.g. to "hide"
>   the malevolent modification of a /usr/sbin/sshd trojan)
>
> And it is this functionality which is used for example by the
> well known tripwire program to monitor the integrity of important
> system files. A ctime change on a system file CAN point to trouble.
>
>    Martin
> --
> <[EMAIL PROTECTED]>         |     Fujitsu Siemens
> <[EMAIL PROTECTED]>         |  81730 Munich, Germany
>
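
The ctime behaviour described in the message above, as an added example that is not part of the original thread: an integrity check that records a baseline, then sees mtime put back to its old value while ctime still moves. It assumes a Linux/POSIX.1-2008 system and a writable /tmp; `tamper_check`, the `*_CHANGED` flags and the scratch file name are hypothetical names chosen for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical flags: which timestamps differ from the recorded baseline. */
#define MTIME_CHANGED 1
#define CTIME_CHANGED 2

static int ts_differs(struct timespec a, struct timespec b) {
    return a.tv_sec != b.tv_sec || a.tv_nsec != b.tv_nsec;
}

/* Creates a scratch file, records a baseline, rewrites the content, puts the
 * old atime/mtime back with futimens(), and compares against the baseline.
 * Returns a bitmask of *_CHANGED flags, or -1 on error. */
int tamper_check(void) {
    char path[] = "/tmp/ctime-demo-XXXXXX";     /* constructed scratch file */
    struct timespec delay = { 1, 100000000L };  /* 1.1 s */
    struct timespec restore[2];
    struct stat before, after;
    int result = -1;
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, "original\n", 9) != 9 || fstat(fd, &before) != 0) goto out;
    /* Wait past the timestamp granularity of coarse (1 s) filesystems. */
    nanosleep(&delay, NULL);
    /* Modify the content, then restore the recorded atime and mtime. */
    if (pwrite(fd, "TAMPERED\n", 9, 0) != 9) goto out;
    restore[0] = before.st_atim;
    restore[1] = before.st_mtim;
    if (futimens(fd, restore) != 0 || fstat(fd, &after) != 0) goto out;
    result = 0;
    if (ts_differs(before.st_mtim, after.st_mtim)) result |= MTIME_CHANGED;
    if (ts_differs(before.st_ctim, after.st_ctim)) result |= CTIME_CHANGED;
out:
    close(fd);
    unlink(path);
    return result;
}

int main(void) {
    int r = tamper_check();
    if (r < 0) { perror("tamper_check"); return 1; }
    printf("mtime changed: %s\n", (r & MTIME_CHANGED) ? "yes" : "no");
    printf("ctime changed: %s\n", (r & CTIME_CHANGED) ? "yes" : "no");
    return 0;
}
```

A checker that compared only mtime would report this file as unchanged; the ctime comparison is what flags it.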
