Stat command in Linux can be used to display a file or a file system status.
I came across an issue in RHEL4 where a file’s ‘Change time’ is far ahead than the ‘Modification time’ without a change in uid, gid and mode.
# stat /etc/php.ini File: `/etc/php.ini' Size: 45809 Blocks: 96 IO Block: 4096 regular file Device: 6801h/26625d Inode: 704615 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2014-06-25 13:22:15.000000000 -0400 Modify: 2012-10-01 13:21:41.000000000 -0400 Change: 2014-06-01 20:06:35.000000000 -0400
To explain why this can be considered unusual, I will start by explaining the time values associated with a file:
- Access (atime) – Time the file was last accessed. This involves syscalls like open(). For example, running cat command on the file would update this.
- Modify (mtime) – Time the file content was last modified. For example, if a file is edited and some content is added this value would change.
- Change (ctime) – When any of the inode attributes in the file changes this value changes. Stat command would notice change if inode attributes except access time is changed. Following are the rest of the inode attributes – mode, uid, gid, size and modification time.
So ctime would get updated with mtime and file size would get updated with a mtime. So if a file’s ctime is changed from mtime without a change in mode, uid, and gid, the behaviour can be considered unexpected.
On checking the stat upstream (coreutils) source, I came across a known issue. Running chmod on a file without changing the file permissions can alter inode and cause the same behaviour. It is documented in TODO of coreutils upstream source.
Modify chmod so that it does not change an inode's st_ctime when the selected operation would have no other effect. First suggested by Hans Ecke in https://thread.gmane.org/gmane.comp.gnu.coreutils.bugs/2920 Discussed more recently on https://bugs.debian.org/497514.
This behaviour is not fixed in upstream.
Now we can assume that a process or user ran a chmod command which actually did not changed the attributes of php.ini. This would change ctime and not other attributes.
I can reproduce the same behaviour in my Fedora system as well.
For example,
# stat test File: ‘test’ Size: 0 Blocks: 0 IO Block: 4096 regular empty file Device: 803h/2051d Inode: 397606 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2014-07-14 16:26:10.996128678 +0530 Modify: 2014-07-14 16:26:10.996128678 +0530 Change: 2014-07-14 16:26:10.996128678 +0530 Birth: - # chmod 644 test # stat test File: ‘test’ Size: 0 Blocks: 0 IO Block: 4096 regular empty file Device: 803h/2051d Inode: 397606 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2014-07-14 16:26:10.996128678 +0530 Modify: 2014-07-14 16:26:10.996128678 +0530 Change: 2014-07-14 16:26:41.444377623 +0530 Birth: -
But this is just an assumption. For getting a conclusive answer on what is causing this behaviour in this specific system, we would need to find what process is causing this.
auditd in linux can be used for watching a file and capturing audit records on that file to /var/log/audit/.
To watch the file, I edited /etc/audit.rules and added following.
-w /etc/php.ini
Then restarted auditd,
# service auditd start Starting auditd: [ OK ] # chkconfig auditd on
Running a cat command on the php.ini file would give following logs.
type=SYSCALL msg=audit(1404006436.500:12): arch=40000003 syscall=5 success=yes exit=3 a0=bff88c10 a1=8000 a2=0 a3=8000 items=1 pid=19905 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cat" exe="/bin/cat" type=FS_WATCH msg=audit(1404006436.500:12): watch_inode=704615 watch="php.ini" filterkey= perm=0 perm_mask=4 type=FS_INODE msg=audit(1404006436.500:12): inode=704615 inode_uid=0 inode_gid=0 inode_dev=68:01 inode_rdev=00:00 type=CWD msg=audit(1404006436.500:12): cwd="/root" type=PATH msg=audit(1404006436.500:12): name="/etc/php.ini" flags=101 inode=704615 dev=68:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
ausearch command is available for searching through the audit logs. Following command would display the audit entries from 6th July related to /etc/php.ini file.
# ausearch -ts 7/6/2014 -f /etc/php.ini | less
When I noticed the ctime changed again, I ran ausearch. I saw multiple events on the file. Most of the access are from syscall=5, which is the open system call.
Following entries seem to be pointing to the culprit. You can see that the system call is 271.
type=SYSCALL msg=audit(1404691594.175:37405): arch=40000003 syscall=271 success=yes exit=0 a0=bff 09b00 a1=bff07b00 a2=7beff4 a3=bff0a1a0 items=1 pid=9830 auid=4294967295 uid=0 gid=0 euid=0 suid= 0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bpbkar" exe="/usr/openv/netbackup/bin/bpbkar" type=FS_WATCH msg=audit(1404691594.175:37405): watch_inode=704615 watch="php.ini" filterkey= perm =0 perm_mask=2 type=FS_INODE msg=audit(1404691594.175:37405): inode=704615 inode_uid=0 inode_gid=0 inode_dev=68: 01 inode_rdev=00:00 type=FS_WATCH msg=audit(1404691594.175:37405): watch_inode=704615 watch="php.ini" filterkey= perm =0 perm_mask=2 type=FS_INODE msg=audit(1404691594.175:37405): inode=704615 inode_uid=0 inode_gid=0 inode_dev=68: 01 inode_rdev=00:00 type=CWD msg=audit(1404691594.175:37405): cwd="/etc" type=PATH msg=audit(1404691594.175:37405): name="/etc/php.ini" flags=1 inode=704615 dev=68:01 mod e=0100644 ouid=0 ogid=0 rdev=00:00
Using ausearch you can search based on system calls also. You can see that there is only one record with system call number 271. Another advantage of ausearch is that it would convert the time stamps to human readable form.
# ausearch -ts 7/6/2014 -sc 271 -f /etc/php.ini
You can see time in the start of each block of search outputs.
---- time->Sun Jul 6 20:06:34 2014 type=PATH msg=audit(1404691594.175:37405): name="/etc/php.ini" flags=1 inode=704615 dev=68:01 mod e=0100644 ouid=0 ogid=0 rdev=00:00 type=CWD msg=audit(1404691594.175:37405): cwd="/etc" type=FS_INODE msg=audit(1404691594.175:37405): inode=704615 inode_uid=0 inode_gid=0 inode_dev=68: 01 inode_rdev=00:00 type=FS_WATCH msg=audit(1404691594.175:37405): watch_inode=704615 watch="php.ini" filterkey= perm =0 perm_mask=2 type=FS_INODE msg=audit(1404691594.175:37405): inode=704615 inode_uid=0 inode_gid=0 inode_dev=68: 01 inode_rdev=00:00 type=FS_WATCH msg=audit(1404691594.175:37405): watch_inode=704615 watch="php.ini" filterkey= perm =0 perm_mask=2 type=SYSCALL msg=audit(1404691594.175:37405): arch=40000003 syscall=271 success=yes exit=0 a0=bff 09b00 a1=bff07b00 a2=7beff4 a3=bff0a1a0 items=1 pid=9830 auid=4294967295 uid=0 gid=0 euid=0 suid= 0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bpbkar" exe="/usr/openv/netbackup/bin/bpbkar"
The time stamps matches.
# stat /etc/php.ini File: `/etc/php.ini' Size: 45809 Blocks: 96 IO Block: 4096 regular file Device: 6801h/26625d Inode: 704615 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2014-07-07 01:06:47.000000000 -0400 Modify: 2012-10-01 13:21:41.000000000 -0400 Change: 2014-07-06 20:06:34.000000000 -0400
From RHEL4 kernel source code we can see that syscall 271 is utimes.
# cat ./include/asm-i386/unistd.h |grep 271 #define __NR_utimes 271
utimes is a legacy syscall that can change a file’s last access and modification times. utimes is later deprecated and replaced with utime from RHEL5.
netbackup process bpbkar is doing a utimes syscall on the file, possibly modifying the mtime to the already existing time resulting in the change.
This example shows us the power of Linux Auditing System. Auditing is a kernel feature which provides interface to daemons like auidtd to capture events related to system and user space processes and log it.
Share this
You May Also Like
These Related Stories
No Comments Yet
Let us know what you think