From linux-xfs Mon Feb 02 23:51:46 2004 From: Chris Wedgwood Date: Mon, 02 Feb 2004 23:51:46 +0000 To: linux-xfs Subject: [OT] noatime Message-Id: <20040202235146.GC493 () dingdong ! cryptoapps ! com> X-MARC-Message: https://marc.info/?l=linux-xfs&m=107576597515520 On Mon, Feb 02, 2004 at 02:55:34PM -0500, Greg Freemyer wrote: > "Rob created a flat file export of the Customer Database on Dec 15, > 03. He accessed this flat file at 2pm, Feb 2, 04. This is 2 hours > after he was notified that he was being fired, so it is possible > that he was making an improper copy to use outside the company." I'm amazed that stands up in court for a regular filesystem on a regular OS[1]. Lots of things mess with atime (some backup software for example). If you have permissions on the file you can trivially reset it by hand if you wanted: cw@pain:~$ ls -l --time=atime secret-stuff.doc -rw-r--r-- 2 cw cw 144159 Aug 6 05:33 secret-stuff.doc cw@pain:~$ touch -r secret-stuff.doc .timeref cw@pain:~$ ls -l --time=atime .timeref -rw-r--r-- 1 cw cw 0 Aug 6 05:33 .timeref cw@pain:~$ cp secret-stuff.doc jokes.doc cw@pain:~$ ls -l --time=atime secret-stuff.doc -rw-r--r-- 2 cw cw 144159 Feb 2 15:42 secret-stuff.doc cw@pain:~$ touch -r .timeref -a secret-stuff.doc cw@pain:~$ ls -l --time=atime secret-stuff.doc -rw-r--r-- 2 cw cw 144159 Aug 6 05:33 secret-stuff.doc As a practical joke I once wrote a daemon that scanned proxy logs and downloaded random mpegs into various people's home directories.. obviously this frobbed the atime and mtime to try and keep up the illusion. > Obviously the above is not rock-solid evidence of IP theft, but it > is far stronger than if the access time was not available. I would argue it's not very strong at all. --cw