Forbid user set file mtime in the past
Michael B. Eichorn
ike at michaeleichorn.com
Fri Nov 20 21:09:16 UTC 2015
On Fri, 2015-11-20 at 20:00 +0300, Artem Kuchin wrote:
> Hello!
>
>
> Is there any way to forbid users to set file modification time in the
> past?
>
> I am asking because many php viruses somehow set modification time in
> the past and just checking what php files were created/modified for
> the last n hours just does not work at all.
>
>
No idea as to how to forbid it, but I bet you could rig something with
zfs and snapshots to detect it.
pseudocode:
snapshot 1
sleep 1h
snapshot 2
compare the snapshots for files that changed and then check if they have an
mtime before the time snapshot 1 was created

If you wanted to go more in depth, since zfs internally keeps track of
when the blocks were born rather than the files were modified...
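
The snapshot comparison sketched in the pseudocode above, as an added example that is not part of the original message: it parses `zfs diff -H` output and reports changed regular files whose mtime is older than the creation time of snapshot 1. The function names, the sample paths and the epoch value in `demo()` are constructed for illustration; the mtime is read from the live file at the path the diff reports.

```python
import os
import stat
import subprocess
import tempfile

def zfs(*args):
    """Run a zfs(8) subcommand and return its stdout."""
    return subprocess.run(("zfs",) + args, check=True,
                          capture_output=True, text=True).stdout

def snapshot_created(snap):
    # -p prints the creation property as epoch seconds
    return int(zfs("get", "-Hp", "-o", "value", "creation", snap))

def parse_zfs_diff(text):
    """Yield (change, path) for modified, added and renamed entries."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 2 and fields[0] in ("M", "+", "R"):
            yield fields[0], fields[-1]  # for "R" the last field is the new name

def backdated(diff_text, snap1_created):
    """Changed regular files whose mtime predates snapshot 1."""
    hits = []
    for change, path in parse_zfs_diff(diff_text):
        try:
            st = os.lstat(path)
        except OSError:
            continue  # removed since the diff was taken
        if stat.S_ISREG(st.st_mode) and st.st_mtime < snap1_created:
            hits.append((path, change, int(st.st_mtime)))
    return hits

def check(snap1, snap2):
    """Compare two real snapshots, e.g. pool/www@s1 and pool/www@s2."""
    return backdated(zfs("diff", "-H", snap1, snap2), snapshot_created(snap1))

def demo():
    """Constructed sample: two changed files, one with a back-dated mtime."""
    snap1_created = 1448000000  # constructed epoch for snapshot 1
    d = tempfile.mkdtemp()
    normal = os.path.join(d, "index.php")
    stomped = os.path.join(d, "cache.php")
    for path, mtime in ((normal, snap1_created + 600),
                        (stomped, snap1_created - 365 * 86400)):
        open(path, "w").close()
        os.utime(path, (mtime, mtime))
    diff = "M\t%s\n+\t%s\n" % (normal, stomped)  # constructed `zfs diff -H` lines
    return stomped, backdated(diff, snap1_created)

if __name__ == "__main__":
    print(demo()[1])
```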
More information about the freebsd-questions mailing list