Why does a file's Inode number change and nothing else?

Question

Today I noticed that tripwire thinks that some Apache configuration files changed yesterday. I know I did not make any changes to those files.

Looking at the info, it shows that only the Inode number changed:

  Property:            Expected                    Observed
  -------------        -----------                 -----------
  Object Type          Regular File                Regular File
  Device Number        2305                        2305
* Inode Number         5770048                     5771399
  Mode                 -rw-r--r--                  -rw-r--r--
  Num Links            1                           1
  UID                  root (0)                    root (0)
  GID                  root (0)                    root (0)
  Size                 1055                        1055
  Modify Time          Mon 09 Oct 2017 04:54:54 PM PDT
                                               Mon 09 Oct 2017 04:54:54 PM PDT
  Blocks               8                           8
  CRC32                BSW2x+                      BSW2x+
  MD5                  CqXESieHTV/33Ye6iuaHjk      CqXESieHTV/33Ye6iuaHjk

How could the Inode of a file change and nothing else?

The `ctime` would have changed too if the file was modified using the usual system calls. — ilkkachu, Jun 13 '19 at 20:14
@ilkkachu Yes! However, it looks like tripwire only shows `mtime`. So it could be that `ctime` and `atime` changed. — Alexis Wilke, Jun 14 '19 at 00:23

Jeff Schaller · Accepted Answer · 2019-06-13T18:38:30.577

3

One way:

cp -p file file.new && mv file.new file

For example:

$ ls -li file
12289 -rw-r--r--    1 jeff jeff 0 Jun 13 14:24 file
$ cp -p file file.new && mv file.new file
$ ls -li file
12292 -rw-r--r--    1 jeff jeff 0 Jun 13 14:24 file

Another possibility would be that the file was restored from a backup system (and that backup system restored timestamps).

Another activity that would update the inode number and not touch the contents would be a sed -i command that made no changes, since sed -i use a temporary file for the results which is then renamed to the original at the end.

edited Jun 13 '19 at 18:38

answered Jun 13 '19 at 18:26

Jeff Schaller

66,199
35
114
250

The only thing I've done which I can think of would possibly have had an impact is upgrade the OS (`apt-get dist-upgrade`). I don't see why they would have moved the file in this way, except that there could be a process which verified that a certain parameter was not used and that updated the files without changes inside the file since I would not have been using that parameter... An `sed` that would preserve the Inode info... – Alexis Wilke Jun 13 '19 at 18:35
2

@Alexis, a noop `sed -i` command would do it, too (see the edit) – Jeff Schaller Jun 13 '19 at 18:38
Ah! Got it! The tripwire test does not include `ctime` and `atime` which explains why it would not detect that those changed too. It would have helped to have that important point in your answer! :-) – Alexis Wilke Jun 14 '19 at 00:24
I didn't have that information when I answered, so if you would like to add that as an edit, I'd accept it (if it's not approved before I see it). – Jeff Schaller Jun 14 '19 at 00:35
Well, the output I show only includes a line for _Modify Time_. The other two times are not included. So it was there, just not obvious. :-) – Alexis Wilke Jun 14 '19 at 01:16

Why does a file's Inode number change and nothing else?

1 Answers1