Re: [PATCH] O_NOATIME support

From: Valdis . Kletnieks
Date: Mon Jun 14 2004 - 17:01:49 EST


On Mon, 14 Jun 2004 18:12:59 -0300, Alexandre Oliva said:

> IMHO it's a bad idea to enable the owner of the file to avoid changing
> the atime of their files. I've heard more than once about the atime
> bit being used as proof that a user had actually seen the contents
> of a file although s/he claimed s/he hadn't. If it was root-only,
> atime could still be used for the same purpose, and would enable
> backups with tools that accessed the filesystem through the FS layer,
> as opposed to through the block layer, to keep such proof unchanged.

Of course, such "proof" is broken. Consider that something so simple as a
'find . | xargs wc -l' will break that "proof" - as will any file manager that
looks at magic (anything from 'nautilus' to 'file' - if it uses /etc/magic or
/usr/share/file/magic or wherever your distro keeps it, you have a problem).

If you don't have O_NOATIME, it doesn't strengthen the "proof" any, because any
tool can look at the file and then call utime() to clean up behind itself. Of
course, at that point the kernel still has to write that dirty inode back.....

If you want *proof* a given userid did/didn't open a file, do up a proper
set of audit trail hooks (keep in mind it will likely be even more intrusive
than the LSM hooks).

And trying to prove a connection from "file opened" to "contents displayed to
user" is challenging enough without a *proper* audit trail (one that can cross-correlate
open/read/write on the input and output file descriptors). Figuring out
how to get from there to "user saw it" will likely require major work
(and, in fact, absent an auditable event generated by the user that proves
they read the information, almost impossible).

cd /usr/src/linux-2.6.6; find . -name '*.[ch]' | xargs cat

Let me know if you actually *see* anything. My laptop makes it through the first 200
*files* (comprising some 3168K) in 3.45 seconds or so.
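The two claims above (a plain read bumps atime; a tool can then call utime() to put it back) as an added example, not code from this thread: it uses the O_NOATIME open flag Linux later shipped (allowed for the file owner or CAP_FOWNER) and shows the trace a utime() clean-up cannot erase, the ctime bump, which is what a forensic timeline would check instead of atime. The helper names, the /tmp path and the 2000-01-01 timestamp are constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed demo path and an "old" atime (2000-01-01 UTC). */
static const char *DEMO = "/tmp/atime_demo.txt";
static const time_t OLD_ATIME = 946684800;

/* Create the file and push atime back, so even a relatime mount refreshes it on read. */
static int setup_demo(void) {
    int fd = open(DEMO, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, "secret\n", 7) != 7) { close(fd); return -1; }
    close(fd);
    struct timespec ts[2] = { { OLD_ATIME, 0 }, { 0, UTIME_OMIT } };
    return utimensat(AT_FDCWD, DEMO, ts, 0);
}

/* Read the file with extra open(2) flags; return 1 if atime moved, 0 if not. */
static int read_moves_atime(int extra_flags) {
    struct stat before, after;
    char buf[64];
    if (stat(DEMO, &before) < 0) return -1;
    int fd = open(DEMO, O_RDONLY | extra_flags);
    if (fd < 0) return -1;
    while (read(fd, buf, sizeof buf) > 0) { }
    close(fd);
    if (stat(DEMO, &after) < 0) return -1;
    return after.st_atime != before.st_atime;
}

/* The utime() "clean-up": atime goes back to the old value, but the kernel stamps
 * ctime with the current time and user space cannot set ctime. Returns 1 when both hold. */
static int reset_atime_leaves_ctime(void) {
    struct timespec ts[2] = { { OLD_ATIME, 0 }, { 0, UTIME_OMIT } };
    if (utimensat(AT_FDCWD, DEMO, ts, 0) < 0) return -1;
    struct stat st;
    if (stat(DEMO, &st) < 0) return -1;
    return st.st_atime == OLD_ATIME && st.st_ctime > OLD_ATIME;
}

int main(void) {
    if (setup_demo() < 0) return 1;
    printf("plain read moved atime:     %d\n", read_moves_atime(0));
    printf("O_NOATIME read moved atime: %d\n", read_moves_atime(O_NOATIME));
    printf("atime reset, ctime fresh:   %d\n", reset_atime_leaves_ctime());
    unlink(DEMO);
    return 0;
}
```

Whether the plain read reports 1 depends on the mount's atime option (strictatime, relatime or noatime); the O_NOATIME result and the ctime check do not.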
