Forbid user set file mtime in the past

Michael B. Eichorn ike at
Fri Nov 20 21:09:16 UTC 2015

On Fri, 2015-11-20 at 20:00 +0300, Artem Kuchin wrote:
> Hello!
> Is there any way to forbid users to set file modification time in the
> past?
> I am asking because many  php viruses somehow set modification time
> in 
> the past
> and just checking what php files were created/modified for the last n
> hours just does
> not work at all.

No idea as to how to forbid it, but I bet you could rig something with
zfs and snapshots to detect it.

snapshot 1
sleep 1h
snapshot 2
compare the snapshots for files that changed and then check if have an
mtime before the time snapshot 1 was created

If you wanted to go more in depth, since zfs internally keeps track of
when the blocks were born rather than the files were modified...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5729 bytes
Desc: not available
URL: <>

More information about the freebsd-questions mailing list