
Linux File System Hunting


This blog moves past surface-level commands and dives straight into the "hunting" phase of Linux exploration. By blending the "Everything is a File" philosophy with a deep dive into the Filesystem Hierarchy Standard (FHS), we can begin to see Linux as a living, breathing architecture rather than just a black box of code.

Topics we are going to explore in this blog are mentioned below.

  • How '/etc' controls system behavior

  • Where DNS configuration lives and how it works

  • Routing table inspection through system files

  • Network interface configuration locations

  • System logs and what insights they provide

  • User management files

  • Permission structures and security implications

  • Process-related filesystem entries inside '/proc'

  • Device handling inside '/dev'

  • Boot-related configs inside '/boot'

  • Service configs inside '/etc/systemd'

  • Environment configuration behavior


Linux

Most newcomers to Linux treat the terminal like a magic wand: type a command, get a result. But as a system investigator, the real magic isn't in the command itself; it's in the files that make those commands possible. In Linux, we live by one golden rule: everything is a file.

Whether it’s your hard drive, your keyboard, or even your RAM, it is all represented as a file within a unified tree structure starting at the root (/). Unlike Windows, which partitions its world into drive letters (C:, D:), Linux creates a single, seamless hierarchy.


The Root (/) vs. /root: The Starting Point

  • What it does: / is the trunk of the entire system tree. /root is a specific subdirectory inside that tree.

  • Why it exists: / provides the structure for the whole OS. /root exists as the private home folder for the Root User (the system administrator).

  • What problem it solves: It isolates administrative files from regular users. While regular users live in /home, the administrator stays in /root to ensure that even if the /home partition fails or is unmounted, the admin can still log in and fix the system.

  • The Insight: I learned that while / is the "Global Start," /root is the "Admin’s Bunker." They are separated for security and stability.

  • Investigator Cmd: ls -F / — The -F flag adds a trailing slash to directories, helping you distinguish the "trunk" from its branches immediately.


/bin & /sbin: The Essential Binaries

  • What it does: These folders store compiled programs (binaries). /bin contains tools for everyone (like ls, cat), while /sbin contains "System Binaries" (like fdisk, reboot).

  • Why it exists: To separate everyday utilities from powerful system-altering tools.

  • What problem it solves: It creates a "recovery" layer. These folders are designed to be available even if the system is in "Single User Mode" or if other parts of the disk are corrupted.

  • The Insight: Use the command which ls to find its path. You’ll see it lives in /bin. If you delete the ls file, the command literally ceases to exist. Programs aren't magic; they are just files you execute.

  • Investigator Cmd: which ls and file /bin/ls. The first tells you where the command lives; the second proves it’s a "shared object" or executable file, not magic code.


/etc: The Editable Text Configuration

  • What it does: The "Registry" of Linux. It contains plain text configuration files that control system-wide behavior.

  • Why it exists: Linux values human readability. Instead of a binary database, it uses text files like /etc/passwd (user info) or /etc/fstab (disk mounting).

  • What problem it solves: Extreme portability and transparency. You can configure an entire server just by editing a text file, making it easy to backup and migrate.

  • The Insight: The name originally meant "et cetera," but "Editable Text Configuration" is a much better way to remember it. It is the first place an investigator looks when a service is misbehaving.

  • Investigator Cmd: cat /etc/os-release. This tells you exactly what distribution and version of Linux you are running by reading a simple text file.
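
Because /etc/passwd is plain text, an investigator can audit it with nothing but the shell. The following is an added example, not code from the original post: it parses a passwd-format file and flags every account with UID 0 and every account with an interactive shell; the sample file it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit a passwd-format file with
# nothing but the shell. Each record has seven colon-separated fields:
#   name:password:UID:GID:GECOS:home:shell

# audit_passwd FILE
# Prints one line per account that deserves a second look:
#   "ROOT-UID <name>"       any account whose UID is 0 (full root privileges,
#                           whatever its name; only root should have it)
#   "LOGIN <name> <shell>"  any account that can open an interactive shell
# Service accounts with a nologin/false shell are skipped.
audit_passwd() {
    file="$1"
    # IFS=: splits each record on the field separator the file actually uses
    while IFS=: read -r name _pw uid _gid _gecos _home shell; do
        case "$name" in ''|\#*) continue ;; esac   # blank or comment line
        if [ "$uid" -eq 0 ] 2>/dev/null; then
            printf 'ROOT-UID %s\n' "$name"
        fi
        case "$shell" in
            */nologin|*/false|'') ;;               # cannot log in interactively
            *) printf 'LOGIN %s %s\n' "$name" "$shell" ;;
        esac
    done < "$file"
}

# count_root_uids FILE: number of UID-0 accounts; anything above 1 needs a reason
count_root_uids() {
    audit_passwd "$1" | grep -c '^ROOT-UID ' || true
}

# make_sample_passwd: a constructed sample, NOT a real system's file. The
# "backup2" line shows the pattern an investigator is looking for.
make_sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0::/:/bin/sh
EOF
    printf '%s\n' "$f"
}

# Usage on a live system:  audit_passwd /etc/passwd
```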


/dev: The Hardware Interface

  • What it does: Contains "Device Files" that represent your hardware.

  • Why it exists: Because "everything is a file," the kernel needs a way to let software "talk" to hardware using standard file operations.

  • What problem it solves: It abstracts hardware. A developer doesn't need to know the physics of a hard drive; they just write data to /dev/sda, and the kernel handles the rest.

  • The Insight: Hardware is dynamic. When you plug in a USB device, a new file magically appears here. /dev/null is a "black hole" device: anything you send there disappears forever.

  • Investigator Cmd: lsblk. This command lists your block devices (disks and their partitions) alongside their /dev/sdX or /dev/nvmeX names, showing you the bridge between physical gear and the filesystem.


/proc: The Virtual Mirror

  • What it does: A Pseudo Filesystem that acts as a real-time window into the Linux Kernel and running processes.

  • Why it exists: It provides a way for users to "interrogate" the kernel using standard tools like cat.

  • What problem it solves: It allows for real-time monitoring without needing complex debugging tools. Want to see your RAM usage? Read /proc/meminfo.

  • The Insight: These files show a size of 0 bytes because they don't exist on disk. They are generated "on the fly" by the kernel when you read them.

  • Investigator Cmd: cat /proc/meminfo. This isn't reading a file on your disk; it's reading the Kernel's current data regarding your RAM usage in real time.
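
The same "read the kernel through files" idea applies to processes. This added example (not from the original post) lists processes by reading /proc/<pid>/comm, cmdline and exe directly and flags any whose binary has been deleted from disk; the fake proc tree it builds for the demo is constructed, and the PROC_ROOT parameter is an assumption so the function can run against a copied tree.

```shell
#!/bin/sh
# Added example (not from the original post): enumerate processes by reading
# the /proc tree directly with cat and readlink, with no ps involved.
# Each /proc/<pid>/ directory exposes, among other entries:
#   comm     short program name      cmdline  NUL-separated argv
#   exe      symlink to the binary on disk; the kernel appends " (deleted)"
#            to the link target once that binary has been unlinked

# list_procs [PROC_ROOT]
# Prints "pid<TAB>comm<TAB>exe<TAB>cmdline" for every numeric directory.
# PROC_ROOT (an assumption for this demo) defaults to /proc; a different root
# lets the same function inspect a copied tree.
list_procs() {
    root="${1:-/proc}"
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        comm=$(cat "$d/comm" 2>/dev/null || printf '?')
        # argv is NUL-separated; turn NULs into spaces for display
        cmd=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null || true)
        # readlink fails on kernel threads and on pids you may not inspect
        exe=$(readlink "$d/exe" 2>/dev/null || printf '?')
        printf '%s\t%s\t%s\t%s\n' "$pid" "$comm" "$exe" "$cmd"
    done
}

# deleted_exes [PROC_ROOT]
# Processes whose on-disk binary is gone. The kernel still serves the old
# target through /proc/<pid>/exe, which is why an investigator checks here
# instead of trusting a directory listing.
deleted_exes() {
    list_procs "$1" | awk -F'\t' '$3 ~ / \(deleted\)$/ { print $1 "\t" $2 }'
}

# make_fake_proc: a constructed two-process tree for offline demonstration.
make_fake_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/101" "$root/202"
    printf 'sshd\n' > "$root/101/comm"
    printf '%s\0%s\0' '/usr/sbin/sshd' '-D' > "$root/101/cmdline"
    ln -s /usr/sbin/sshd "$root/101/exe"
    printf 'updater\n' > "$root/202/comm"
    printf '%s\0' './updater' > "$root/202/cmdline"
    # mimic what readlink reports after the binary was unlinked
    ln -s '/tmp/updater (deleted)' "$root/202/exe"
    printf '%s\n' "$root"
}
```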


/lib: The Shared Knowledge Base

  • What it does: Stores shared libraries (similar to .dll files in Windows) that programs in /bin and /sbin need to run.

  • Why it exists: To save space. Instead of every program including the code for "how to print text," they all just "borrow" that code from a central library in /lib.

  • What problem it solves: Efficient memory usage and easier updates. Update a library once in /lib, and every program using it is instantly patched.

  • The Insight: Tampering with this folder is the fastest way to break your system. If the libraries disappear, even basic commands like ls will stop working.

  • Investigator Cmd: ldd /bin/ls. This command lists all the libraries in /lib that the ls command depends on to function.


/usr: Unix System Resources

  • What it does: Despite looking like "User," it stands for Unix System Resources. It contains the majority of user-space applications, libraries, and docs.

  • Why it exists: To separate the "Core OS" (needed for booting) from "User Applications" (browsers, office suites, etc.).

  • What problem it solves: It allows the root partition to stay small and focused on booting, while the massive /usr directory can be stored on a separate, larger disk.

  • The Insight: It mirrors the root structure (/usr/bin, /usr/lib). It’s like a "System 2.0" for non-essential software.

  • Investigator Cmd: du -sh /usr. This shows you the total disk usage of your applications, usually the largest part of a Linux system.


/var & /tmp: The Temporary Workers

  • What it does: /var stores "Variable" data that grows (logs, databases). /tmp stores temporary files created by apps during a session.

  • Why it exists: To isolate files that are constantly being written to, preventing them from filling up the main system partition.

  • What problem it solves: /tmp uses a Sticky Bit permission. This means anyone can write there, but you can only delete files you own. This prevents users from sabotaging each other.

  • The Insight: /var/log is a detective's best friend. Every error, login attempt, and system event is recorded here in plain text.

  • Investigator Cmd: ls -ld /tmp. Notice the t at the end of the permissions (drwxrwxrwt). This is the "Sticky Bit," ensuring only the owner of a file can delete it from this public folder.
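
The sticky-bit rule described above can be checked across a whole tree, not just /tmp. This added example (not code from the original post) finds world-writable directories that lack the sticky bit and builds a constructed sample tree to show the difference between mode 1777 and 0777.

```shell
#!/bin/sh
# Added example (not from the original post): find directories that are
# world-writable but lack the sticky bit, i.e. shared scratch space where any
# user could delete or rename another user's files. A correct /tmp shows as
# drwxrwxrwt (mode 1777); the risky case is drwxrwxrwx (mode 0777).

# unsafe_shared_dirs ROOT
# Lists directories under ROOT with the other-write bit (0002) set and the
# sticky bit (1000) unset. -xdev keeps find on one filesystem, so /proc,
# /dev and mounted media are not walked when ROOT is /.
unsafe_shared_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# is_sticky DIR: succeeds when the sticky bit is set. ls -ld shows it as the
# tenth character of the mode string, 't' (others may also execute) or 'T'.
is_sticky() {
    case "$(ls -ld "$1" | cut -c10)" in
        t|T) return 0 ;;
        *)   return 1 ;;
    esac
}

# make_sample_tree: a constructed tree for offline demonstration.
#   shared/ok   mirrors /tmp (1777)
#   shared/bad  world-writable without the sticky bit (0777)
#   private     not world-writable at all (0750)
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/shared/ok" "$root/shared/bad" "$root/private"
    chmod 1777 "$root/shared/ok"
    chmod 0777 "$root/shared/bad"
    chmod 0750 "$root/private"
    printf '%s\n' "$root"
}

# Usage on a live system:  unsafe_shared_dirs /
```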


/media & /mnt: The Gateways

  • What it does: Directories used to "mount" or connect external filesystems.

  • Why it exists: /media is for automatic mounts (USB sticks, CDs) handled by the OS. /mnt is for manual mounts performed by the administrator.

  • What problem it solves: It provides a predictable location to find external data. Instead of looking for an "E: Drive," you just go to /media/usb-drive.

  • The Insight: If you plug in a drive and it doesn't show up in your file manager, it usually means the hardware is in /dev, but it hasn't been "mounted" to a folder in /media yet.

  • Investigator Cmd: mount | column -t. This shows you exactly which physical device files from /dev are currently "plugged into" which folders in /media or /mnt.


/boot: The Ignition Switch

  • What it does: Contains the Linux Kernel and the bootloader (GRUB) configurations.

  • Why it exists: The computer needs a "starting point" to load the OS into RAM.

  • What problem it solves: It keeps the "starter motor" of the OS in one safe place.

  • The Insight: One of the most important files here is vmlinuz, the actual compressed Linux kernel. If this file is missing, your computer is just a very expensive paperweight.

  • Investigator Cmd: ls -lh /boot. Look for the vmlinuz file. That is the actual compressed Linux kernel, the heart of the operating system.


Conclusion

Hunting through the Linux filesystem reveals a system designed for stability and transparency. Every folder has a "why" behind it, and every file tells a story. Understanding this hierarchy is the difference between being a passenger and being the driver of your operating system.