As you know, Unix filesystems store a number of timestamps for each file. This means that you can use these timestamps to find out when any file or directory was last accessed (read from or written to), changed (file access permissions were changed) or modified (written to).
File and directory timestamps in Unix
Three times tracked for each file in Unix are these:
- access time – atime
- change time – ctime
- modify time – mtime
INTERESTING: there's no file creation timestamp kept in most filesystems – meaning you can't run a command like "show me all files created on a certain date". That said, it's usually possible to deduce the same from ctime and mtime (if they match – this probably means that's when the file was created).
atime – Last Access Time
Access time shows the last time the data from a file or directory was accessed – read by one of the Unix processes directly or through commands and scripts.
Due to its definition, the atime attribute must be updated – meaning written to a disk – every time a Unix file is accessed, even if it was just a read operation. Under extreme loads, the atime requirement could severely impact filesystem performance, especially with hard disks (HDDs) compared to Solid State Disks (SSDs).
Modern Unix and Unix like operating systems have special mount options to optimise atime usage (or disable it completely).
For instance, the Linux kernel supports the following atime optimisations when mounting a filesystem:
- strictatime – always update atime (no longer the default!)
- relatime ("relative atime") – selective atime updates, usually if previous atime is an older timestamp than ctime and mtime (see below)
- nodiratime – no access time updates for directories (files still get atime updates)
- noatime – no access time updates for anything
ctime – Last Change Time
ctime shows when your file or directory got metadata changes – typically that's file ownership (username and/or group) and access permissions. ctime will also get updated if the file contents got changed.
mtime – Last Modification Time
Last modification time shows time of the last change to file's contents. It does not change with owner or permission changes, and is therefore used for tracking the actual changes to data of the file itself.
INTERESTING: When a new file or directory is created, usually all three times – atime, ctime and mtime – are configured to capture the current time.
How to Use atime, ctime and mtime
Lots of common system administration tasks can be helped, if not completed, using knowledge of the atime, ctime and mtime attributes:
- find files updated on a certain date
- confirm when was the last time a configuration file was changed
- find files modified in the last hour or day – very useful for finding most recently updated log files
- verify if a certain file was accessed and when – useful when debugging a script
- quickly get the list of really old files (not updated for longer than 30 days or something like that)
- confirm when the directory was updated – can suggest that temporary files were created and quickly deleted, so you don't see the files but recognise evidence when they were still in the directory
- review a list of files to confirm when they had ownership (user/group) data updated and if this time is different from file modifications – could be useful when reviewing security breach on your Unix system
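The following Python script is an added example, not part of the original article: it walks a directory tree and reports files whose ctime is later than their mtime, which is the check described in the last list item. The function names, the 2-second slack and the demo files are assumptions made for the illustration.

```python
import os
import stat
import tempfile
import time


def metadata_changed_after_write(root, slack_seconds=2.0):
    """Return (path, mtime, ctime) for regular files whose ctime is later than
    mtime by more than slack_seconds: ownership, permissions or the timestamps
    themselves were changed after the last write to the contents."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: report on a symlink, not its target
            except OSError:
                continue  # file vanished or is unreadable
            if stat.S_ISREG(st.st_mode) and st.st_ctime - st.st_mtime > slack_seconds:
                hits.append((path, st.st_mtime, st.st_ctime))
    return sorted(hits)


def build_demo_tree():
    """Constructed sample data: one untouched file, one with a later metadata change."""
    root = tempfile.mkdtemp(prefix="timestamps-demo-")
    fresh = os.path.join(root, "fresh.log")
    changed = os.path.join(root, "changed.conf")
    for path in (fresh, changed):
        with open(path, "w") as fh:
            fh.write("sample\n")
    hour_ago = time.time() - 3600
    # Stand-in for "contents last written an hour ago". utime() sets atime and
    # mtime only; the kernel stamps ctime with the current time by itself.
    os.utime(changed, (hour_ago, hour_ago))
    os.chmod(changed, 0o600)  # permission change: updates ctime, not mtime
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for path, mtime, ctime in metadata_changed_after_write(demo):
        print(f"{path}: mtime={time.ctime(mtime)} ctime={time.ctime(ctime)}")
```

A hit means the metadata changed after the last content write; that covers a chown or chmod as well as an mtime that was set backwards with touch.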
Find atime, ctime and mtime with ls
The simplest way to confirm the times associated with a file is to use ls command. Timestamps are shown when using the long-format output of ls command, ls -l:
```
ubuntu# ls -l /tmp/file1
-rw-r--r-- 1 greys root 9 2008-04-05 07:10 /tmp/file1
```
This is the default output of ls -l, which shows you the time of the last file modification, mtime. In our example, file /tmp/file1 was last changed around 7:10am. If you want to see the last access time for this file, atime, you need to use the -lu options for ls. The output will probably show some later time:
```
ubuntu# ls -lu /tmp/file1
-rw-r--r-- 1 greys root 9 2008-04-05 07:27 /tmp/file1
```
In the example, it's 7:27am. Lastly, ls -lc will show you the last time our file was changed, ctime:
```
ubuntu# ls -lc /tmp/file1
-rw-r--r-- 1 greys root 9 2008-04-05 07:31 /tmp/file1
```
To show you how this works, I'll change the ownership of the file and then run the same 3 ls commands to show you that only the ctime has been updated. I run the date command just before doing anything else so that you can compare the times:
```
ubuntu# date
Sat Apr 5 07:35:16 IST 2008
ubuntu# chown root /tmp/file1
ubuntu# ls -lc /tmp/file1
-rw-r--r-- 1 root root 9 2008-04-05 07:35 /tmp/file1
ubuntu# ls -lu /tmp/file1
-rw-r--r-- 1 root root 9 2008-04-05 07:27 /tmp/file1
ubuntu# ls -l /tmp/file1
-rw-r--r-- 1 root root 9 2008-04-05 07:10 /tmp/file1
```
Show atime, ctime and mtime with stat command
In Linux distributions, you will probably find a stat command, which shows all of the times in a more convenient way, alongside plenty of other useful information about your file:
```
ubuntu# stat /tmp/file1
File: `/tmp/file1'
Size: 9 Blocks: 8 IO Block: 4096 regular file
Device: 811h/2065d Inode: 179420 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2008-04-05 07:27:51.000000000 +0100
Modify: 2008-04-05 07:10:14.000000000 +0100
Change: 2008-04-05 07:35:22.000000000 +0100
```