From: Artem Kuchin
To: kpneal@pobox.com, Valeri Galtsev
Cc: freebsd-questions@freebsd.org
Subject: Re: Forbid user set file mtime in the past
Date: Sat, 21 Nov 2015 15:32:52 +0300
Message-ID: <56506474.3040105@artem.ru>
In-Reply-To: <20151120200502.GA33068@neutralgood.org>
References: <564F51BD.4080103@artem.ru> <19577.128.135.52.6.1448041134.squirrel@cosmo.uchicago.edu> <20151120200502.GA33068@neutralgood.org>
20.11.2015 23:05, kpneal@pobox.com writes:
> On Fri, Nov 20, 2015 at 11:38:54AM -0600, Valeri Galtsev wrote:
>> On Fri, November 20, 2015 11:00 am, Artem Kuchin wrote:
>>> Hello!
>>>
>>> Is there any way to forbid users to set file modification time in the
>>> past?
>>>
>>> I am asking because many php viruses somehow set modification time in
>>> the past, and just checking what php files were created/modified for the
>>> last n hours just does not work at all.
>>>
>> I know, this is not an answer to your question. Still, relying on anything
>> on a compromised system for forensics is counterproductive. Much better
> What if the compromised system was a jail?
>
> Oh, and you can use the mtree command to get an inventory of a filesystem.
> The mtree command can also do diffs of inventories run at different times.
> Included in the inventory optionally are md5 and other hashes. So you can
> run that to detect changed files.
>
> Of course, if the breach was bad enough then you won't be able to trust
> anything on the system. Jails are your friend.

Correct. IT IS in a jail, and it is shared hosting where about 100 users access the system. If someone gets a PHP virus it is limited to that user and in any case is constrained within that jail.

It is UFS on HDD (not SSD), so computing any checksum on tens of millions of files will be either very slow or will consume all HDD IOPS.

As I understand there is no such user permission, so the answer to my question is "no way to do it". I will look for other ways.

Artem
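A Python sketch of the inventory-and-diff approach kpneal describes, added here as an example (it is not mtree and not code from the thread): it records the kind of fields an mtree spec carries, compares two runs, and shows that a file rewritten with its mtime put back to the old value is still reported, even in a no-hash pass that avoids the disk I/O Artem is worried about. The file name and contents are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile

def inventory(root, hash_files=True):
    """Record, per regular file under root, the fields an mtree spec would
    carry: size, mtime, ctime and (optionally) a SHA-256 digest."""
    inv = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            # ctime is stamped by the kernel on every inode change and,
            # unlike mtime, cannot be chosen through utimes(2)
            entry = {"size": st.st_size, "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns}
            if hash_files:
                with open(path, "rb") as f:
                    entry["sha256"] = hashlib.sha256(f.read()).hexdigest()
            inv[os.path.relpath(path, root)] = entry
    return inv

def diff(old, new, fields=None):
    """Compare two inventories on the given fields (default: every recorded one)."""
    def view(e):
        return e if fields is None else {k: e[k] for k in fields}
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted(p for p in old.keys() & new.keys()
                              if view(old[p]) != view(new[p]))}

def demo():
    # Constructed scenario: take a baseline, rewrite a file, then put its
    # mtime back to the baseline value so a "modified in the last n hours"
    # search would miss it.
    root = tempfile.mkdtemp()
    path = os.path.join(root, "index.php")
    with open(path, "w") as f:
        f.write("<?php echo 'hello'; ?>\n")
    base = inventory(root)
    with open(path, "w") as f:
        f.write("<?php echo 'something else'; ?>\n")
    os.utime(path, ns=(os.stat(path).st_atime_ns, base["index.php"]["mtime"]))
    later = inventory(root)
    return {"mtime_only": diff(base, later, ["mtime"]),      # what the thread's check sees
            "cheap": diff(base, later, ["size", "ctime"]),  # no hashing, no extra I/O
            "full": diff(base, later)}
```

An mtime-only comparison reports nothing, while both the cheap size/ctime pass and the full hashed pass list index.php as changed.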