Subject: Re: Timezone for /etc/security
To: Hubert Feyrer <>
From: Curt Sampson <>
List: tech-userlevel
Date: 10/01/2001 21:09:42

On Mon, 1 Oct 2001, Hubert Feyrer wrote:

> I'm not sure this doesn't raise confusion: e.g. if I know I changed some
> file at a certain time, then /etc/security tells me a different time.
> How about unsetting TZ ("unset TZ"), instead of setting it to UTC?

I thought about that. But it seems to me even worse that if you change
the timezone you get spurious messages that everything has changed. In
fact, it opens up a route for an attack: substitute a file and remove
/etc/localtime. It will be obvious that that link got removed somehow,
but won't be at all obvious that someone's poking about changing setuid
files, which is much more likely to raise an alarm.

And it seems to me "less clean" in that the TZ is a setting for how a
user prefers to view things at a particular moment, not a setting for
how we should store information. It's all the worse since that time
zone itself is never stored, so you don't know, except by guessing,
what the setting of TZ was on the last run or any run before that.

(One might also argue that storing ls(1) output is sub-optimal, and that
something like mtree or tripwire should be doing this, but that's a more
difficult problem to fix and brings along its own complexities.)

Curt Sampson  <>   +81 3 5778 0123
    Don't you know, in this new Dark Age, we're all light.  --XTC
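
The effect discussed in the message above, as an added example that is not part of the original post and is not the /etc/security script itself: when stored ls(1) output is compared between runs, a timezone change flags every file, while a pinned TZ flags only the file that really changed. The helper names (`make_sample`, `snapshot`, `changed_lines`, `demo`), the sample file names and the POSIX TZ strings `UTC0` and `JST-9` are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example: constructed files in a temporary directory, not real system files.

# make_sample: create a scratch directory holding four sample files; print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    for f in su passwd ping mount; do
        printf 'original %s\n' "$f" > "$d/$f"
    done
    printf '%s\n' "$d"
}

# snapshot DIR TZ: long listing of DIR as a nightly check might store it,
# rendered under the given TZ. The "total" line is dropped so only per-file
# lines are compared.
snapshot() {
    TZ="$2" LC_ALL=C ls -ln "$1" | sed '/^total/d'
}

# changed_lines OLD NEW: count the lines of NEW that differ from OLD.
# grep -c exits non-zero on a count of 0, hence the "|| true".
changed_lines() {
    diff "$1" "$2" | grep -c '^>' || true
}

demo() {
    dir=$(make_sample) || return 1
    snapshot "$dir" UTC0 > "$dir.run1"            # previous run
    printf 'replaced\n' > "$dir/su"               # the one real change
    snapshot "$dir" JST-9 > "$dir.run2_local"     # next run, system TZ has changed
    snapshot "$dir" UTC0  > "$dir.run2_pinned"    # next run, TZ pinned to UTC
    echo "TZ changed between runs: $(changed_lines "$dir.run1" "$dir.run2_local") of 4 files flagged"
    echo "TZ pinned to UTC:        $(changed_lines "$dir.run1" "$dir.run2_pinned") of 4 files flagged"
    rm -rf "$dir" "$dir".*
}

demo
```

With the timezone pinned, the single flagged line is the replaced file; with the timezone shifted, it is one flagged line among four and nothing distinguishes it from the noise.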