As you know, Unix filesystems store a number of timestamps for each file. This means that you can use these timestamps to find out when any file or directory was last accessed (read from or written to), changed (file access permissions were changed) or modified (written to).
Three times tracked for each file in Unix are these:
INTERESTING: there’s no file creation timestamp kept in most filesystems – meaning you can’t run a command like “show me all files created on certain date”. This said, it’s usually possible to deduce the same from ctime and mtime (if they match – this probably means that’s when the file was created).
Access time shows the last time the data from a file or directory was accessed – read by one of the Unix processes directly or through commands and scripts.
Due to its definition, atime attribute must be updated – meaning written to a disk – every time a Unix file is accessed, even if it was just a read operation. Under extreme loads, atime requirement could severely impact the filesystem performance, especfially with hard disks (HDDs) compared to Solid State Disks (SSDs).
Modern Unix and Unix like operating systems have special mount options to optimise atime usage (or disable it completely).
For instance, in Linux kernel the following atime optimisations are supported when mounting filesystem:
ctime shows when your file or directory got metadata changes – typically that’s file ownership (username and/or group) and access permissions. ctime will also get updated if the file contents got changed.
Last modification time shows time of the last change to file’s contents. It does not change with owner or permission changes, and is therefore used for tracking the actual changes to data of the file itself.
INTERESTING: When a new file or directory is created, usually all three times – atime, ctime and mtime – are configured to capture the current time.
Lots of common system administration tasks can be helped, if not completed, using knowledge of atime, ctime and mtime attributed:
The simplest way to confirm the times associated with a file is to use ls command. Timestamps are shown when using the long-format output of ls command, ls -l:
This is the default output of
ls -l, which shows you the time of the last file modification – mtime. In our example, file /tmp/file1 was last changed around 7:10am. If we want to see the last access time for this file, atime – you need to use -lu options for ls. The output will probably show some later time:
In the example, it’s 7:27am.
Lastly, ls -lc will show you the last time our file was changed, ctime:
To show you how this works, I’ll change the ownership of the file and then run the same 3 ls commands to show you that only the ctime had been updated. I run the date command just before doing anything else so that you can compare the times:
In Linux distributions, you will probably find a stat command, which can be used to show all of the times in a more convenient way, and among plenty of other useful information about your file: