* file changes without updating mtime
@ 2006-06-27 18:10 Erik Paulson
2006-06-28 13:38 ` Pádraig Brady
2006-06-29 11:11 ` Pavel Machek
0 siblings, 2 replies; 3+ messages in thread
From: Erik Paulson @ 2006-06-27 18:10 UTC (permalink / raw)
To: linux-kernel
Hello -
I'm seeing file content change without a change to the mtime for that
file, and I'm trying to understand why.
The filesystem is ext3, on a local IDE drive. It's a Centos 4.3 machine,
with kernel version: 2.6.9-34.0.1.ELsmp
A shell script that in a loop prints the date, stats the file, and then runs
'md5sum' gave me this output:
Fri Jun 23 04:03:24 CDT 2006
File: `/var/lib/rpm/__db.001'
Size: 16384 Blocks: 32 IO Block: 4096 regular file
Device: 303h/771d Inode: 6291609 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2006-06-23 04:00:24.669054993 -0500
Modify: 2006-06-18 21:42:43.685708137 -0500
Change: 2006-06-18 21:42:43.685708137 -0500
37327d016d9741b0d74e4c9bd14d2956 /var/lib/rpm/__db.001
Fri Jun 23 04:06:24 CDT 2006
File: `/var/lib/rpm/__db.001'
Size: 16384 Blocks: 32 IO Block: 4096 regular file
Device: 303h/771d Inode: 6291609 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2006-06-23 04:04:51.898420485 -0500
Modify: 2006-06-18 21:42:43.685708137 -0500
Change: 2006-06-18 21:42:43.685708137 -0500
b2b25d452c94bb376f172e1789e8ab6e /var/lib/rpm/__db.001
So something else read the file at 4:04:51, and apparently changed it.
I know that mtime can be reset, and that may very well be what's going on.
If that's the case, is there any other way I can from the file metadata
that it may have changed, short of reading it and checksumming? There are
other files that appear to be changing without updating their mtimes - a
number of the kde screensavers, which I think might be the prelinker.
My end goal is to be able to determine when a file has changed without
reading the contents, because I want to read the contents and compare them
to a previous version. If the content I read is not the same as the content
I read last time, I want to know if it's intentional or if there has been
some file corruption. (I am not worried about malicious users changing files
and hiding their tracks). The way I had hoped to go was to use the mtime
and filesize, but that appears not to be enough.
Thanks!
-Erik
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: file changes without updating mtime
2006-06-27 18:10 file changes without updating mtime Erik Paulson
@ 2006-06-28 13:38 ` Pádraig Brady
2006-06-29 11:11 ` Pavel Machek
1 sibling, 0 replies; 3+ messages in thread
From: Pádraig Brady @ 2006-06-28 13:38 UTC (permalink / raw)
To: Erik Paulson; +Cc: linux-kernel
Perhaps you could create a filesystem wrapper module
or Linux Security module or equivalent to intercept write/truncate etc.
to invalidate an extended attribute containing a checksum.
This extended attribute could be updated from userspace periodically,
and your userspace program would compare those checksums.
That would be generally useful. For example rsync could
use it to very quickly determine if it needed to sync file contents.
See also http://lkml.org/lkml/2006/5/17/138
Note also files mounted loopback and modified don't
have their mtime updated either. Perhaps the patch
referenced above addresses that?
Pádraig.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: file changes without updating mtime
2006-06-27 18:10 file changes without updating mtime Erik Paulson
2006-06-28 13:38 ` Pádraig Brady
@ 2006-06-29 11:11 ` Pavel Machek
1 sibling, 0 replies; 3+ messages in thread
From: Pavel Machek @ 2006-06-29 11:11 UTC (permalink / raw)
To: Erik Paulson; +Cc: linux-kernel
On Tue 2006-06-27 13:10:10, Erik Paulson wrote:
>
> Hello -
>
> I'm seeing file content change without a change to the mtime for that
> file, and I'm trying to understand why.
>
> The filesystem is ext3, on a local IDE drive. It's a Centos 4.3 machine,
> with kernel version: 2.6.9-34.0.1.ELsmp
>
> A shell script that in a loop prints the date, stats the file, and then runs
> 'md5sum' gave me this output:
>
> Fri Jun 23 04:03:24 CDT 2006
> File: `/var/lib/rpm/__db.001'
> Size: 16384 Blocks: 32 IO Block: 4096 regular file
> Device: 303h/771d Inode: 6291609 Links: 1
> Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
> Access: 2006-06-23 04:00:24.669054993 -0500
> Modify: 2006-06-18 21:42:43.685708137 -0500
> Change: 2006-06-18 21:42:43.685708137 -0500
> 37327d016d9741b0d74e4c9bd14d2956 /var/lib/rpm/__db.001
>
>
> Fri Jun 23 04:06:24 CDT 2006
> File: `/var/lib/rpm/__db.001'
> Size: 16384 Blocks: 32 IO Block: 4096 regular file
> Device: 303h/771d Inode: 6291609 Links: 1
> Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
> Access: 2006-06-23 04:04:51.898420485 -0500
> Modify: 2006-06-18 21:42:43.685708137 -0500
> Change: 2006-06-18 21:42:43.685708137 -0500
> b2b25d452c94bb376f172e1789e8ab6e /var/lib/rpm/__db.001
>
>
> So something else read the file at 4:04:51, and apparently changed
> it.
I believe it is / was possible to change file using mmap without
affecting mtime. It might have been fixed in the meantime.
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2006-06-29 11:36 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-06-27 18:10 file changes without updating mtime Erik Paulson
2006-06-28 13:38 ` Pádraig Brady
2006-06-29 11:11 ` Pavel Machek
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox