Re: RFC: sys_execve security kernel mod

From: J. Paul Reed (preedat_private)
Date: Fri Jun 21 2002 - 14:19:36 PDT


    On Fri, 21 Jun 2002, Jesse Pollard wrote:
    
    > Of course mtime can be faked - just look at touch - it modifies access
    > time (-a) and mtime (-m) dates associated with the file. The only way to
    > stop that would be to put a cookie into the inode that gets cleared on
    > any write to the file data blocks and where ctime or mtime fields in the
    > inode are modified.
    >
    > And if you look at tar - it creates files with any
    > creation/access/modification date as specified in the tarfile.
    
    Yeah... actually, what I meant was ctime... so I'll fix that right now.
    
    You can't modify ctime without hacking the fs directly or doing so through
    the kernel... which, if an attacker is root, then they could
    probably do, but it'll keep your average IRCing script kiddie at bay...
    they don't even know what a ctime is.
    
    Later,
    Paul
        --------------------------------------------------------------------
        J. Paul Reed              preedat_private || web.sigkill.com/preed
        Nothing satisfies more than a post-coital omelet of your own design.
                               -- Will Farrell, Saturday Night Live, 5/18/02
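
The mtime versus ctime distinction discussed in this exchange, as an added example (not code from the thread or from the proposed kernel module). It assumes a POSIX system where `st_ctime` is the inode change time; `Stamp`, `snapshot`, `classify` and `demo` are hypothetical names, and the sample file is constructed.

```python
import os
import tempfile
import time
from typing import NamedTuple


class Stamp(NamedTuple):
    mtime_ns: int
    ctime_ns: int


def snapshot(path: str) -> Stamp:
    st = os.stat(path)
    # On POSIX systems st_ctime is the inode change time, not a creation time.
    return Stamp(st.st_mtime_ns, st.st_ctime_ns)


def classify(baseline: Stamp, current: Stamp) -> str:
    """Compare a stored baseline against the file's current timestamps."""
    if current.ctime_ns == baseline.ctime_ns:
        return "unchanged"
    if current.mtime_ns == baseline.mtime_ns:
        # Inode changed while mtime reads the same: a chmod/chown, or the
        # content was rewritten and mtime was put back afterwards.
        return "ctime-only"
    return "modified"


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample-binary")  # constructed sample file
        with open(path, "wb") as f:
            f.write(b"original contents")
        base = snapshot(path)
        time.sleep(1.1)  # outlast filesystems with 1-second timestamps
        with open(path, "wb") as f:
            f.write(b"replaced contents")
        # Put atime/mtime back, as touch -a/-m or a tar extraction can.
        # utime() has no ctime argument; the kernel stamps ctime itself.
        os.utime(path, ns=(base.mtime_ns, base.mtime_ns))
        after = snapshot(path)
        return base, after, classify(base, after)


if __name__ == "__main__":
    base, after, verdict = demo()
    print("mtime restored:", after.mtime_ns == base.mtime_ns)
    print("ctime advanced:", after.ctime_ns > base.ctime_ns)
    print("verdict:", verdict)
```

A checker that keys only on mtime reports this file as untouched; one that compares ctime treats it as needing re-verification, subject to the root caveat raised in the message above.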
    
    



    This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 14:31:28 PDT