Home Learn Linux Linux File Timestamps: How to use atime, mtime, and ctime

Linux File Timestamps: How to use atime, mtime, and ctime

This guide aims to demystify these three timestamps, providing clear explanations of their roles and showcasing how to view and manipulate them. Understanding how atime, mtime, and ctime work can help you track your files' history better and enhance your Linux system administration skills.

by Arun Kumar
 mastering atime, mtime, and ctime in linux

It is always a joy to delve into the maze of Linux filesystem, and today, I’ve set my eyes on the world of Linux file timestamps – atime, mtime, and ctime. These timestamps are more than simple chronological markers. They tell a unique story about each file or directory. So, sit back, grab a cup of coffee, and let’s unravel this trio’s secrets.

The why and what of file timestamps

The first question you might be asking is, why are these timestamps important? The answer is simple yet profound – they are fundamental for system administration, file synchronization, backups, and debugging, to name a few. So, to manage your Linux systems effectively, a good understanding of these timestamps is paramount.

There are three types of timestamps associated with each file or directory in a Linux system:

atime or Access Time: This is the time when the file was last accessed. Whenever we read a file, its atime gets updated. Remember, it’s not just about opening the file; even commands like cat, grep, head, etc., that read the file will update this timestamp.

mtime or Modification Time: This timestamp records the last modification of the file’s content. If you change the contents of a file, the mtime changes. But remember, changing the file’s properties, such as permissions or ownership, will not affect the mtime.

ctime or Change Time: This timestamp gets updated when the file’s metadata (like permissions, ownership, etc.) changes. Any modification (content or metadata) triggers a change in ctime.

The trio in action

Let’s see these timestamps in action with an example. First, create a simple text file:

echo "This is a sample FOSSLinux text file" > FOSSLinux_Sample.txt
creating a text file in linux

Creating a text file in Linux

Next, use the ls command with -l option to view the mtime (default timestamp displayed) or with -u for atime, and -c for ctime:

ls -l FOSSLinux_Sample.txt
ls -lu FOSSLinux_Sample.txt
ls -lc FOSSLinux_Sample.txt
using ls command to view mtime, atime, and ctime

Using ls command to view mtime, atime, and ctime

Now, let’s make some changes to the file and observe the effect on the timestamps:

Access the file with cat FOSSLinux_Sample.txt. Check the atime using ls -lu, and you’ll see it’s updated.

cat FOSSLinux_Sample.txt

Modify the content with echo “Hello, Linux!” > FOSSLinux_Sample.txt. Check the mtime using ls -l, and it’s changed.

echo "Hello, Linux!" > FOSSLinux_Sample.txt
ls -l FOSSLinux_Sample.txt
ls -lu FOSSLinux_Sample.txt
ls -lc FOSSLinux_Sample.txt
modifying the text file and observing various timestamps

Modifying the text file and observing various timestamps

Change the file’s permission with chmod 755 FOSSLinux_Sample.txt. Check the ctime using ls -lc, and voila! It’s updated.

chmod 755 FOSSLinux_Sample.txt
ls -lc
modifying file permissions and checking ctime

Modifying file permissions and checking ctime

Understanding the subtleties

Even though this seems pretty straightforward, there are some nuances that we need to understand. You might have noticed that ctime changes when mtime changes, but not vice versa. That’s because any change in the file triggers ctime, while mtime only changes with content modification. So, while atime and mtime have specific triggers, ctime is the snitch of the group, letting you know whenever anything changes!

Moreover, while I enjoy the wealth of information these timestamps provide, I must say that I find the default ls command display a bit inconvenient. It shows only mtime unless you use specific options, which I find myself forgetting quite often. But that’s Linux, isn’t it? A lot of power comes with a bit of complexity.

The ‘noatime’ debate

One thing that has often sparked heated discussions among Linux enthusiasts is the ‘noatime’ option in filesystem mounting. By default, each read operation updates the atime, which can slow down the system for files that are frequently accessed but rarely modified. Some people, myself included, prefer setting ‘noatime’ in the /etc/fstab file to enhance performance, especially for SSDs where write operations have a cost.

However, some programs rely on accurate atime information, so setting ‘noatime’ could potentially lead to issues. A reasonable compromise is the ‘relatime’ option, which updates atime only if it’s older than mtime or ctime, or more than a day has passed since the last update. I tend to lean towards ‘relatime’ because it gives me a balance of performance and accurate atime.

Pro tips

Now, onto some pro tips that I’ve gathered over the years:

Tracking Unauthorized Access: Keep an eye on unexpected changes in atime. This could mean someone (or some program) accessed a file without your knowledge.

Find Files Modified Within Specific Time: Use the find command with -mtime, -atime, or -ctime to find files modified, accessed, or changed within a certain number of days, respectively. For example, to find files in the ‘/home’ directory modified within the last two days, use find /home -mtime -2.

Preserving Timestamps: To preserve timestamps while copying or moving files, use the -p option with the cp or mv commands.

Touch Command: Use the touch command to manually update timestamps. For instance, touch -a changes atime, touch -m modifies mtime, and simply touch alters both atime and time.

Applying atime, mtime, and ctime in an organization

Linux timestamps are not just a matter of theoretical understanding or personal hobbyist exploration. They bear significant practical implications, especially in an organizational context. From system administration to data management, cybersecurity to compliance, these three timestamps can play a vital role. So let’s talk about how atime, mtime, and ctime can be utilized effectively in an organization.

System Administration and Troubleshooting
System administrators often deal with numerous challenges daily, from ensuring optimal system performance to diagnosing and troubleshooting issues. Here, timestamps can come in very handy.

For example, if a system is running slow, checking the atime of files can help identify any that are frequently accessed and may be causing a bottleneck. Similarly, mtime can help identify recently modified files, which can be particularly useful when tracking changes that may have resulted in a system issue or malfunction.

Backup and Data Synchronization
In data backup processes, mtime is of paramount importance. Backup tools often use this timestamp to identify which files have changed since the last backup. Similarly, in data synchronization between different systems or servers, mtime can be used to identify and synchronize only those files that have been modified, saving significant bandwidth and processing power.

In the realm of cybersecurity, all three timestamps can provide crucial insights. atime can be used to detect unauthorized access to sensitive files, while mtime can help identify changes to critical system or configuration files that might signify a security breach. Similarly, ctime changes can alert to changes in file permissions or ownership that might have security implications.

For instance, a sudden change in the atime of a critical system file outside of a regular maintenance window might indicate a potential unauthorized access. Likewise, unexpected changes in ctime could mean alterations in file permissions or ownership, possibly indicating a security breach.

Regulatory Compliance
Many organizations operate in regulated industries where they are required to maintain and present detailed access logs. In such cases, maintaining accurate atime can be essential. For example, in a healthcare setting, keeping accurate access logs of patient data files can be crucial for compliance with regulations like HIPAA.

Project Management and Audit
From a project management perspective, mtime can be useful to track when files related to a project were last updated, providing insights into project progress. From an audit standpoint, ctime can help track changes to important documents or files and maintain a reliable audit trail.

While the usage of these timestamps in an organization can be widespread, it is also essential to note that managing them requires a fair understanding of Linux systems.


It’s quite fascinating how timestamps can tell you so much about a file’s history. They are like hidden gemstones in the vast mine of Linux, waiting to be discovered and understood. Sure, they have their quirks, but once you’ve spent some time with them, you’ll find them indispensable.

Though I’ve been a bit peeved at times with the need to remember specific ls options to view different timestamps, I’ve come to see it as an integral part of my Linux journey. It’s like mastering a complex piece of music – frustrating at times, but deeply satisfying once you get the hang of it.

You may also like

1 comment

Jason July 17, 2023 - 9:02 PM

Check out lazytime vs noatime and relatime.


Leave a Comment



FOSS Linux is a leading resource for Linux enthusiasts and professionals alike. With a focus on providing the best Linux tutorials, open-source apps, news, and reviews written by team of expert authors. FOSS Linux is the go-to source for all things Linux.

Whether you’re a beginner or an experienced user, FOSS Linux has something for everyone.

Follow Us


©2016-2023 FOSS LINUX



“Linux” is the registered trademark by Linus Torvalds in the U.S. and other countries.