Date: Mon, 28 Aug 2017 09:21:35 +0200
From: Daniel Roethlisberger <daniel@roe.ch>
To: freebsd-hackers@freebsd.org
Subject: Re: [PATCH] O_NOATIME support for open(2)
Message-ID: <20170828072135.GA40198@schoggimuss.roe.ch>
In-Reply-To: <CALXu0UdK5uR4caUORYGSCeP0pvGVxG6gLDK=vSL8pFGyt7uKDg@mail.gmail.com>
References: <20170826161827.GA21456@schoggimuss.roe.ch> <CALXu0UdK5uR4caUORYGSCeP0pvGVxG6gLDK=vSL8pFGyt7uKDg@mail.gmail.com>

Cedric Blancher <cedric.blancher@gmail.com> 2017-08-28:
> You know, this was long discussed in a Solaris rfe,

Can you provide a pointer to the discussion you are referring to?

> and it was found that O_NOATIME has serious security
> implications and can be used to circumvent atime-based
> monitoring. So basically, you open a security hole with this.

Can you elaborate on what exactly you mean by "atime-based
monitoring"? Are you thinking about DFIR?

How would the "serious security implications" differ from those
of utimes(2)? Note that the use of O_NOATIME is restricted to
the file owner and root.

My take would be that atimes should not be confused with auditing.

Daniel

-- 
Daniel Roethlisberger
http://daniel.roe.ch/