[BBLISA] Does read only really mean it?

John P. Rouillard rouilj at cs.umb.edu
Thu Dec 5 16:48:44 EST 2013


In message
<CAJFsZ=oBBwr7n_1BcJBO2e-DHJrQWp8mxGEU4tADmBkWz1Bdfw at mail.gmail.com> ,
Bill Bogstad writes:
>On Thu, Dec 5, 2013 at 10:03 AM, Edward Ned Harvey (bblisa4)
><bblisa4 at nedharvey.com> wrote:
>>> From: bblisa-bounces at bblisa.org [mailto:bblisa-bounces at bblisa.org] On
>>> Behalf Of Alex Aminoff
>>>
>>> Nevertheless, I tested it and unless I messed up my test, an NFS mount
>>> with -o ro, you read a file on the mounted FS, and the access time is
>>> updated.
>>
>> Oh - that could explain it right there -
>>
>> I think the client isn't the one doing the update.  I think your
>> server is updating the last access time on the file, because the
>> server served the file to the client.  The server doesn't
>> necessarily know you mounted read-only
>
>That makes a lot of sense.   Alex doesn't say what version of the NFS
>protocol he is using, but a quick check of the RFC for the MOUNT
>protocol for NFSv3 (see page 105 for mount protocol
>http://www.ietf.org/rfc/rfc1813.txt) doesn't seem to give a way for a
>client to indicate that it wants to mount a filesystem as readonly.
>Maybe someone who is more familiar with the NFS protocol can confirm
>this.

That is my understanding as well.

Also mounting a filesystem ro IIRC used to change some metadata in the
filesystem. Maybe last mount time, number of times mounted
... depending on the FS type.

I know from forensics work there can be a bunch of things that will
change the filesystem/disk state. Hence most forensics people:

  1) use a hardware rig that will NOT issue write commands to the
     source disk to copy the source disk to a disk they will use
     for investigation.
  2) use tools that are designed to not mess up the filesystem in the
     investigation disk.

I.e., they don't consider ro mode sufficient to not change the state of
the disk.

--
				-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
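
An added example, not part of the original message: one way to check whether reading a file changed its content or only its metadata, as in the access-time observation discussed in this thread. The function names, the file name and the sample data are hypothetical, and the access-time change is simulated with os.utime rather than produced by a real NFS server.

```python
import hashlib
import os
import tempfile

def snapshot(path):
    """Record timestamps first, then hash, so our own read is not measured."""
    st = os.stat(path)
    flags = os.O_RDONLY | getattr(os, "O_NOATIME", 0)  # flag exists on Linux only
    try:
        fd = os.open(path, flags)
    except PermissionError:
        # O_NOATIME requires owning the file; fall back to a normal open.
        fd = os.open(path, os.O_RDONLY)
    digest = hashlib.sha256()
    with os.fdopen(fd, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "atime_ns": st.st_atime_ns, "mtime_ns": st.st_mtime_ns}

def compare(before, after):
    """Return the sorted names of the fields that differ between two snapshots."""
    return sorted(k for k in before if before[k] != after[k])

def classify(changed):
    """Separate 'the data changed' from 'only timestamps changed'."""
    if not changed:
        return "unchanged"
    if "sha256" in changed or "size" in changed:
        return "content-changed"
    return "metadata-only"

def demo():
    """Constructed sample: bump the access time only, then detect it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.txt")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(b"constructed sample data\n")
        before = snapshot(path)
        # Simulate the observation in the thread: atime moves, data does not.
        os.utime(path, ns=(before["atime_ns"] + 5_000_000_000,
                           before["mtime_ns"]))
        after = snapshot(path)
        changed = compare(before, after)
        return changed, classify(changed)

if __name__ == "__main__":
    print(demo())
```

A matching hash with a differing atime_ns is the "read-only but still modified" case; the hash alone would not reveal it.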


