atime, ctime and mtime in Unix filesystems

As you know, Unix filesystems store a number of timestamps for each file. This means that you can use these timestamps to find out when any file or directory was last accessed (read from or written to), changed (file access permissions were changed) or modified (written to).

File and directory timestamps in Unix

Three times tracked for each file in Unix are these:

• access time – atime
• change time – ctime
• modify time – mtime

INTERESTING: there’s no file creation timestamp kept in most filesystems – meaning you can’t run a command like “show me all files created on certain date”. This said, it’s usually possible to deduce the same from ctime and mtime (if they match – this probably means that’s when the file was created).

atime – Last Access Time

Access time shows the last time the data from a file or directory was accessed – read by one of the Unix processes directly or through commands and scripts.

Due to its definition, atime attribute must be updated – meaning written to a disk – every time a Unix file is accessed, even if it was just a read operation. Under extreme loads, atime requirement could severely impact the filesystem performance, especfially with hard disks (HDDs) compared to Solid State Disks (SSDs).

Modern Unix and Unix like operating systems have special mount options to optimise atime usage (or disable it completely).

For instance, in Linux kernel the following atime optimisations are supported when mounting filesystem:

• strictatime – always update atime (no longer the default!)
• relatime (“relative atime”) – selective atime updates, usually if previous - atime is an older timestamp than ctime and mtime (see below)
• nodiratime – no access time updates for directories (files still get atime updates)
• noatime – no access time updates for anything

ctime – Last Change Time

ctime shows when your file or directory got metadata changes – typically that’s file ownership (username and/or group) and access permissions. ctime will also get updated if the file contents got changed.

mtime – Last Modification Time

Last modification time shows time of the last change to file’s contents. It does not change with owner or permission changes, and is therefore used for tracking the actual changes to data of the file itself.

INTERESTING: When a new file or directory is created, usually all three times – atime, ctime and mtime – are configured to capture the current time.

How to Use atime, ctime and mtime

Lots of common system administration tasks can be helped, if not completed, using knowledge of atime, ctime and mtime attributed:

• find files updated on a certain date
• confirm when was the last time a configuration file was changed
• find files modified in the last hour or day – very useful for finding most recently updated log files
• verify if a certain file was accessed and when – useful when debugging a script
• quickly get the list of really old files (not updated for longer than 30 days or something like that)
• confirm when the directory was updated – can suggest that temporary files were created and quickly deleted, so you don’t see the files but recognise evidence when they were still in the directory
• review a list of files to confirm when they had ownership (user/group) data updated and if this time is different from file modifications – could be useful when reviewing security breach on your Unix system

Find atime, ctime and mtime with ls

The simplest way to confirm the times associated with a file is to use ls command. Timestamps are shown when using the long-format output of ls command, ls -l:

ubuntu# ls -l /tmp/file1
-rw-r--r-- 1 greys root 9 2008-04-05 07:10 /tmp/file1

This is the default output of

ls -l, which shows you the time of the last file modification – mtime. In our example, file /tmp/file1 was last changed around 7:10am. If we want to see the last access time for this file, atime – you need to use -lu options for ls. The output will probably show some later time:

ubuntu# ls -lu /tmp/file1
-rw-r--r-- 1 greys root 9 2008-04-05 07:27 /tmp/file1

In the example, it’s 7:27am.

Lastly, ls -lc will show you the last time our file was changed, ctime:

ubuntu# ls -lc /tmp/file1
-rw-r--r-- 1 greys root 9 2008-04-05 07:31 /tmp/file1

To show you how this works, I’ll change the ownership of the file and then run the same 3 ls commands to show you that only the ctime had been updated. I run the date command just before doing anything else so that you can compare the times:

ubuntu# date
Sat Apr  5 07:35:16 IST 2008

ubuntu# chown root /tmp/file1

ubuntu# ls -lc /tmp/file1

-rw-r--r-- 1 root root 9 2008-04-05 07:35 /tmp/file1

ubuntu# ls -lu /tmp/file1

-rw-r--r-- 1 root root 9 2008-04-05 07:27 /tmp/file1

ubuntu# ls -l /tmp/file1

-rw-r--r-- 1 root root 9 2008-04-05 07:10 /tmp/file1

Show atime, ctime and mtime with stat command

In Linux distributions, you will probably find a stat command, which can be used to show all of the times in a more convenient way, and among plenty of other useful information about your file:

ubuntu# stat /tmp/file1

File: `/tmp/file1'
Size: 9             
Blocks: 8          
IO Block: 4096   
regular file
Device: 811h/2065d    
Inode: 179420      
Links: 1

Access: (0644/-rw-r--r--)  
Uid: (    0/    root)   
Gid: (    0/    root)

Access: 2008-04-05 07:27:51.000000000 +0100

Modify: 2008-04-05 07:10:14.000000000 +0100

Change: 2008-04-05 07:35:22.000000000 +0100

See Also

• mtime
• basic Unix commands
• Unix file types
• Parsing directories in Perl
• touch command in Unix
• Unix epoch and Epoch time
• Unix Commands