xfs
[Top] [All Lists]

Re: [PATCH] xfsrestore: use utimensat() to provide atime/mtime with ns r

To: Brian Foster <bfoster@xxxxxxxxxx>,Dave Chinner <david@xxxxxxxxxxxxx>
Subject: Re: [PATCH] xfsrestore: use utimensat() to provide atime/mtime with ns resolution
From: Greg Freemyer <greg.freemyer@xxxxxxxxx>
Date: Fri, 05 Sep 2014 07:19:29 -0400
Cc: Eric Sandeen <sandeen@xxxxxxxxxxx>,xfs@xxxxxxxxxxx
Delivered-to: xfs@xxxxxxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=user-agent:in-reply-to:references:mime-version :content-transfer-encoding:content-type:subject:from:date:to:cc :message-id; bh=Nq5x1wX3+z4pJTTiM4O/97qq8Sf+wcjFUAFSO0Gsa1o=; b=X3T/bP67ljXIxMZINYG3oJp38f1HTCnF7MDRGtST9q4UTky/LGjH3EOszRA9WTXsc7 /xEjXGSqBs9S5pyHNGoD0q8Jx0imX0+3V2xfKiNuOKv7lHCkSSU1juYWMv1khUaiqedw U5j0m+q8uLvzstP83ISegu/qZr4RiOdccOL0JpchOSeLfO3QSXA1Y5CgijH/c/oktgvQ RxqKatKPUoeqqruLhISZPaGFjnyveGGKZYPjbUs2Bp3P/w7Tz8rFKxjvI/MGlW8EuFg6 EGDMFVgjkbcc+qIStkCLYvyg5azg9/FRISmNSbwyao/tdrUWTRQbCZh6/wzBZLKl0Onj gsug==
In-reply-to: <20140905110211.GA3208@xxxxxxxxxxxxxx>
References: <1409848708-42666-1-git-send-email-bfoster@xxxxxxxxxx> <20140905004501.GU20518@dastard> <54090C33.2060102@xxxxxxxxxxx> <20140905012404.GV20518@dastard> <20140905110211.GA3208@xxxxxxxxxxxxxx>
User-agent: K-9 Mail for Android

On September 5, 2014 7:02:12 AM EDT, Brian Foster <bfoster@xxxxxxxxxx> wrote:
>On Fri, Sep 05, 2014 at 11:24:04AM +1000, Dave Chinner wrote:
>> On Thu, Sep 04, 2014 at 08:04:51PM -0500, Eric Sandeen wrote:
>> > On 9/4/14, 7:45 PM, Dave Chinner wrote:
>> > >On Thu, Sep 04, 2014 at 12:38:28PM -0400, Brian Foster wrote:
>> > >>xfsdump encodes and stores the full atime and mtime for each file
>with
>> > >>nanosecond resolution. xfsrestore uses utime() to set the times
>of each
>> > >>file that is restored. The latter supports resolution of 1
>second, thus
>> > >>sub-second timestamp data is lost on restore.
>> > >
>> > >That doesn't seem like a big deal. What sort of problems does this
>> > >actually cause?
>> > >
>> > >FYI, many linux filesystems only have second resolution timestamps
>> > >and hence applications can't rely on sub-second timestamp
>resolution
>> > >to actually mean anything useful....
>> > 
>> > But why not restore the same resolution as is actually stored in
>the dump?
>> > Throwing it away seems odd, and restoring it looks easy enough.
>> 
>> Comes from a time when we couldn't restore what was in the dump. :/
>> 
>> > In any case, there was a user who noticed & complained.  Seems like
>a
>> > very reasonable thing to fix, to me.
>> 
>> Sure, but we don't make changes with the justification "just
>> because". xfsrestore has had this behaviour since dump/restore was
>> first introduced, so first we need to understand what the actual
>> problem is. Was the user complaining because they noticed they were
>> "different" in passing, or was it noticed because the difference is
>> the root cause of some other problem?
>> 
>
>No problems that I'm aware of. As Eric mentioned, it was noticed during
>an evaluation of possible data transfer mechanisms for a glusterfs
>setup. The user had to evaluate whether it would lead to any issues (a
>geo-replication tracking thing I suspect) for a customer, but I hadn't
>heard anything that suggested it was. The utime() call appears to be
>obsolete as well, for whatever that's worth.
>
>Brian

During forensic exams, detailed examination of timestamps can be useful.  For 
instance I saw a report recently that timestamps with only milliseconds 
precision (xxx.yyy00000) are an indication that malware has overridden the 
timestamp.  

It seems that the Windows api in particular has a time set mechanism that 
supports millisecond precision only.  Thus xfs backing a samba share would I 
assume share that same forensic detail.

The average breach is not detected until months after the initial penetration, 
so a xfsrestore between the activity of interest and the time of the 
investigation is very much a possibility.

I don't know if you care about that use case.

Greg
-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

<Prev in Thread] Current Thread [Next in Thread>