Forbid user set file mtime in the past

Artem Kuchin artem at
Sat Nov 21 12:34:19 UTC 2015

20.11.2015 23:05, kpneal at пишет:
> On Fri, Nov 20, 2015 at 11:38:54AM -0600, Valeri Galtsev wrote:
>> On Fri, November 20, 2015 11:00 am, Artem Kuchin wrote:
>>> Hello!
>>> Is there any way to forbid users to set file modification time in the
>>> past?
>>> I am asking because many  php viruses somehow set modification time in
>>> the past
>>> and just checking what php files were created/modified for the last n
>>> hours just does
>>> not work at all.
>> I know, this is not an answer to you question. Still, relying on anything
>> on compromised system for forensics is counter productive. Much better
> What if the compromised system was a jail?
> Oh, and you can use the mtree command to get an inventory of a filesystem.
> The mtree command can also do diffs of inventories run at different times.
> Included in the inventory optionally are md5 and other hashes. So you can
> run that to detect changed files.
> Of course, if the breech was bad enough then you won't be able to trust
> anything on the system. Jails are your friend.

Corect. IT IS in jail amd it is shared hosting where about 100 users 
access system.
If someone gets PHP virus it is only limited to that user and in any 
case is constrained
within that jail.
It is USF on HDD (not SSD), so computing any checksum  on 10s of 
millions files will
be either very slow or will consume all HDD iops.

As i understand there is not such user permission, so answer to my 
question is "no way
to do it". I will look for other ways.


More information about the freebsd-questions mailing list