I didn’t know about the Linux ‘chattr‘ command which allows you to display and set file attributes. Using this, I learnt a neat trick on how to make a file immutable, even by the root user.
To make a file immutable, do:
chattr +i <filename>
To remove the immutable attribute, do:
chattr -i <filename>
To list the current file attributes, do:
It’s that simple 😎
This will change only the ctime for the file, and not its mtime. (details here: ctime vs mtime). Another interesting thing, in th Raspberry Pi context, is the atime file information. Essentially, atime should reflect the last time a file has been accessed. However, this is not very useful and only serves to increase the number of writes to a partition, every time a file is accessed. This is a dampener for performance esp. in embedded systems. Hence, on the Raspberry Pi, we mount partitions with the “noatime” attribute within fstab.
In Linux, the file creation time didn’t exist until the ext4 filesystem appeared. ctime originally did mean creation time, but it always reflected the time when a file’s metadata was changed (attributes, permissions, etc). With ext4, the creation time was stored in the file’s inode, under the field ‘crtime’. In order to get a file’s creation time we need to lookup the file’s inode, and the use stat and debugfs to find the required field. debugfs is required since there still doesn’t exist any kernel API to get crtime from stat. (birth time)
ls -i <filename>
debugfs -R 'stat <inode_number>' /dev/sdNN
(replace sdNN with the actual path to the device where the file resides). Look the the ‘crtime‘ field in the output.