Tuesday, September 11, 2018

File Timestamps in Linux: atime, mtime, ctime Explained

https://linuxhandbook.com/file-timestamps

Let’s look at the various kinds of file timestamps in Linux, how to view the timestamps of a file and how to change them.
In Linux, every file has timestamps that record when the file was last accessed and when its contents or attributes were last modified or changed. Let’s see these timestamps in detail.

What are Linux timestamps?

Any file in Linux typically has these three timestamps:
  • atime – access time
  • mtime – modify time
  • ctime – change time

atime

atime stands for access time. This timestamp tells you when the file was last accessed. Access here means reading or displaying the content of the file with cat, vim, less or some other tool.

mtime

mtime stands for modify time. This timestamp tells you when the file was last modified. Modify here means that the contents of the file were changed by editing it.

ctime

ctime stands for status change time. This timestamp tells you when the properties and metadata of the file were last changed. The metadata includes file permissions, ownership, name and location of the file.

How to see the timestamps of a file?

You can use the stat command to see all the timestamps of a file. The stat command is very simple to use: you just need to provide the filename.
stat <filename>
The output will be like this:
$ stat abhi.txt
  File: abhi.txt
  Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
Device: 10305h/66309d	Inode: 11936465    Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/abhishek)   Gid: ( 1000/abhishek)
Access: 2018-08-30 12:19:54.262153704 +0530
Modify: 2018-08-30 12:19:54.262153704 +0530
Change: 2018-08-30 12:19:54.262153704 +0530
 Birth: -
You can see all three timestamps (access, modify and change) in the above output. All three timestamps are the same here because I just created this empty file with the touch command.
Now let’s modify these timestamps.
If I use the less command to read the file, it will change only the access time because the content and metadata of the file remain the same. (On filesystems mounted with relatime, the usual Linux default, a read does not always update atime, and with noatime it never does.)
$ less abhi.txt 
$ stat abhi.txt 
  File: abhi.txt
  Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
Device: 10305h/66309d	Inode: 11936465    Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/abhishek)   Gid: ( 1000/abhishek)
Access: 2018-08-30 12:25:13.794471295 +0530
Modify: 2018-08-30 12:19:54.262153704 +0530
Change: 2018-08-30 12:19:54.262153704 +0530
 Birth: -
Now let’s change the modify time. I’ll use the cat command with >> to append new text to this file. Appending writes to the file without reading it, so the access time does not change.
$ cat >> abhi.txt 
demo text
^C
$ stat abhi.txt 
  File: abhi.txt
  Size: 10        	Blocks: 8          IO Block: 4096   regular file
Device: 10305h/66309d	Inode: 11936465    Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/abhishek)   Gid: ( 1000/abhishek)
Access: 2018-08-30 12:25:13.794471295 +0530
Modify: 2018-08-30 12:32:34.751320967 +0530
Change: 2018-08-30 12:32:34.751320967 +0530
 Birth: -
Did you notice something weird? You modified the file and expected the mtime to change, but the ctime changed as well.
Remember, ctime is always changed with mtime. That is because mtime is under the control of the user, while ctime is controlled by the system. It represents the last time the data blocks or metadata of a file were changed. If you modify the file, the data blocks change and thus ctime is changed.
You can change ctime alone by modifying file permissions or group ownership with the chmod or chgrp commands, but you cannot modify mtime without modifying ctime.
You also cannot set ctime to a time in the past by normal means. It is a kind of security feature because it tells you the last time the file was changed. Even if someone modifies mtime and sets it in the past for malicious purposes, ctime will indicate the actual time when the mtime was changed.
Remember: ctime will always be modified by an mtime change.
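The check this implies, as an added example that is not part of the original article: list files whose mtime is much older than their ctime, which is what a backdated mtime looks like. It assumes GNU coreutils (stat -c, touch -d); the function names and the one-day threshold are hypothetical, and the files are constructed for the demo.

```shell
#!/bin/sh
# Added example: flag files whose mtime is much older than their ctime.
# Assumes GNU coreutils; function names and threshold are hypothetical.

# Print ctime minus mtime, in whole seconds, for one file.
mtime_ctime_gap() {
    m=$(stat -c %Y -- "$1") || return 1   # %Y = mtime, seconds since epoch
    c=$(stat -c %Z -- "$1") || return 1   # %Z = ctime, seconds since epoch
    echo $((c - m))
}

# List regular files under directory $1 whose gap exceeds $2 seconds
# (default: one day). Output is "gap<TAB>path", one file per line.
# File names containing newlines are not handled.
list_backdated() {
    dir=$1
    threshold=${2:-86400}
    find "$dir" -type f -print | while IFS= read -r f; do
        gap=$(mtime_ctime_gap "$f") || continue
        if [ "$gap" -gt "$threshold" ]; then
            printf '%s\t%s\n' "$gap" "$f"
        fi
    done
}

# Constructed demo: one untouched file and one whose mtime is set to 2001.
demo() {
    d=$(mktemp -d) || return 1
    echo data > "$d/normal.txt"
    echo data > "$d/backdated.txt"
    # mtime moves to the past; the system sets ctime to the current time.
    touch -m -d '2001-01-01 00:00:00' "$d/backdated.txt"
    list_backdated "$d" 86400
    rm -rf "$d"
}

demo
```

A large gap is a lead, not proof: archive extraction, cp -p and rsync -t also keep an old mtime while ctime records the time of the copy.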

What are the uses of file timestamps?

Timestamps help a lot in analysis. There could be a number of situations where you need to refer to the timestamps of a file. For example, you can check whether a file was actually modified at the time it was supposed to be modified.
One of my favorite uses was to locate the log files of an application with mtime. Run the application, go into the parent directory of the application and search for the files that have been modified in the last few minutes.
I already showed you above that timestamps can also help in analyzing whether someone accessed the files or modified them maliciously. Timestamps play an important role in such situations.

How to know when a file was originally created?

Did you notice the last line of the stat command output? It says ‘Birth’. You may guess that this represents the timestamp when the file was ‘born’ (or created, to be more precise).
Actually, there is one more timestamp called creation time (cr). Not all filesystems support this timestamp. Ext4 is one of the popular Linux filesystems and though it supports the creation timestamp, the stat command at present is not able to show it. Maybe future versions of the stat command will show the creation timestamp in the Birth section.
