Linux File System Hunting

Linux File System Hunting: Exploring How Linux Works Under the Hood


When most developers start using Linux, they interact with simple commands like ls, cd, or mkdir. But Linux is far more powerful than that. It exposes almost its entire internal behavior through its file system.

During my Linux file system exploration, I discovered something fascinating:

Linux does not hide its system logic behind invisible layers. Instead, it stores system behavior inside readable files and directories.

This blog documents how Linux manages configuration, networking, processes, users, services, logs, permissions, and devices through its file structure.

Instead of learning commands, I explored how Linux actually works internally.


How /etc controls system behavior

In Linux, /etc is a central directory located in the root directory that houses system-wide configuration files. It acts as the "nerve center" or brain of the operating system, defining how the system and its various services behave.

Example discoveries inside /etc:

  • /etc/hostname: Defines the system name.

  • /etc/hosts: Maps IP addresses to hostnames, used for local network resolution.

  • /etc/apt/ (on Debian/Ubuntu): Holds configuration for the APT package manager, including software repository lists.

  • /etc/passwd: Contains basic information for all user accounts on the system.

  • /etc/shadow: Stores encrypted passwords securely.

  • /etc/fstab: A table of file systems that tells the system where and how to mount disk partitions.

  • /etc/ssh/: Contains configuration files for the SSH server and client.

Why /etc exists

It centralizes system-wide configuration so administrators can:

  • modify behavior quickly

  • debug issues easily

  • automate setup with scripts

  • manage servers remotely

What problem it solves

Instead of hiding system settings inside binary registries, Linux stores them in readable text files, making configuration transparent and scriptable.

Insight I learned

Changing just one file inside /etc can modify network behavior, boot process, authentication system, or environment variables. That’s how powerful this directory is.


/proc — The Live Window Into the Running Kernel

The /proc directory is not a normal directory. It is a virtual filesystem created dynamically by the kernel.

It shows real-time system information, for example:

/proc/cpuinfo
/proc/meminfo
/proc/uptime
/proc/[PID]/

These files do not exist on disk; they exist in memory.

Key Characteristics of /proc:

  • Virtual Nature: Files and directories in /proc do not exist on the hard drive. They are created on-the-fly when accessed, showing real-time data.

  • Zero Size: Most files in /proc appear to have a size of 0 bytes, yet reading them yields text describing system statistics.

  • Live Monitoring: It provides instant visibility into kernel activity and performance monitoring, allowing tools like top, ps and free to gather data without needing complex, slow kernel function calls.

Structure and Content

The /proc directory contains two main types of information: system-wide information and process-specific data.

  1. Process Directories (PID): The /proc directory contains numbered directories (e.g., /proc/1234/) for every process running on the system, named by their Process ID (PID).
    /proc/self/: A special directory that allows a program to easily find its own process information.

  2. System Information Files:

    1. /proc/cpuinfo: Detailed information about the CPU.

    2. /proc/meminfo: Memory usage statistics (used by free).

    3. /proc/loadavg: System load average.

    4. /proc/uptime: Total system uptime.

    5. /proc/modules: Currently loaded kernel modules (used by lsmod).

    6. /proc/filesystems: Filesystems supported by the kernel.

Why /proc exists

It provides a structured way to observe:

  • running processes

  • hardware usage

  • kernel parameters

  • system performance

without needing special monitoring tools.

What problem it solves

It solves the problem of needing a standardized, human-readable way to monitor, debug, and configure the kernel and running processes without requiring specialized system calls or direct memory access.

  1. Visibility into Running Processes
    Instead of needing complex diagnostic tools to look into RAM for process data, /proc maps every running process to a directory named by its Process ID (PID).

    Problem Solved: How to check memory usage, environment variables, or command-line arguments of a specific process.
    Solution: /proc/[PID]/status, /proc/[PID]/cmdline, /proc/[PID]/environ.

  2. Real-time System Monitoring
    The kernel holds immense amounts of data about hardware state, network usage, and memory usage, but this is usually locked away in kernel space.

    Problem Solved: Accessing system statistics (CPU, memory, uptime) dynamically without rebooting or using heavy profiling tools.
    Solution: Files like /proc/meminfo, /proc/cpuinfo, and /proc/loadavg present this data in real-time.

  3. Dynamic Kernel Configuration
    Traditionally, changing kernel settings required recompiling the kernel or rebooting.

    Problem Solved: Tuning system performance parameters at runtime (e.g., enabling packet forwarding, increasing max open files).
    Solution: The /proc/sys directory acts as a writable interface to kernel configuration parameters (often used via the sysctl command).

  4. Debugging and Forensics
    When systems hang or processes misbehave, administrators need to know what the program was doing just before the failure.

    Problem Solved: Investigating process file handles or retrieving deleted files that are still held open by a process.
    Solution: /proc/[PID]/fd lists opened file descriptors, allowing administrators to see which files a process is using and recover deleted data.
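
The process-visibility and forensics points above, as an added example that is not part of the original post: a Python script that reads /proc/[PID]/cmdline and walks /proc/[PID]/fd to list open files that have already been deleted from disk. The function names and the proc_root parameter are illustrative assumptions; seeing other users' processes requires root.

```python
import os

def read_cmdline(proc_root, pid):
    """Return a process's argv; /proc/[PID]/cmdline is NUL-separated."""
    try:
        with open(os.path.join(proc_root, str(pid), "cmdline"), "rb") as f:
            raw = f.read()
    except OSError:  # process already exited, or permission denied
        return []
    return [a.decode(errors="replace") for a in raw.split(b"\0") if a]

def deleted_open_files(proc_root="/proc"):
    """Map PID -> [(fd, link target)] for open files already unlinked from disk."""
    findings = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():  # skip cpuinfo, meminfo, self, ...
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # needs root for other users' processes
            continue
        for fd in sorted(fds, key=int):
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            # The kernel appends " (deleted)" to the target of an unlinked file.
            if target.startswith("/") and target.endswith(" (deleted)"):
                findings.setdefault(int(pid), []).append((int(fd), target))
    return findings

if __name__ == "__main__":
    for pid, items in sorted(deleted_open_files().items()):
        print(pid, " ".join(read_cmdline("/proc", pid)))
        for fd, target in items:
            # Content is still readable via /proc/<pid>/fd/<fd> while it stays open.
            print(f"    fd {fd}: {target}")
```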


Device handling inside /dev

One of the most surprising discoveries was that Linux represents hardware devices as files inside /dev.

/dev/sda
/dev/tty
/dev/null
/dev/random

Even storage drives appear here.

Why /dev exists
Linux follows a design philosophy:

Treat everything like a file.

So instead of handling hardware differently, Linux lets programs interact with devices using normal file operations.

What problem it solves

  1. hardware communication

  2. scripting

  3. driver integration

  4. system automation

Programs don’t need special hardware logic; they just read or write files.

Insight I learned
Even /dev/null is a device file that discards all input. It’s commonly used in scripting to suppress output.

Example idea: Redirect unwanted logs into /dev/null and they disappear instantly.


The /boot directory in Linux contains the essential files needed to start the operating system, including the kernel, bootloader configuration, and initial RAM disk.

Typical contents include:

  • grub/ or grub2/ (Directory): Contains the main bootloader configuration file, usually grub.cfg. This dictates the OS selection menu, kernel parameters, and boot order.

  • vmlinuz-* (File): The compressed Linux kernel image. This is the core of the operating system that gets loaded into memory.

  • initrd.img-* or initramfs-* (File): The Initial RAM Disk. A temporary root file system loaded into memory to support the kernel before the actual hard drive is mounted.

  • System.map-* (File): A symbol table used by the kernel for debugging and memory management.

  • config-* (File): Contains the configuration parameters used to compile the specific version of the kernel currently in /boot.

Why /boot exists
Before the operating system starts, the system must:

  1. load kernel

  2. initialize memory

  3. detect hardware

  4. mount root filesystem

What problem it solves
The /boot directory solves the problem of loading the operating system kernel.

Key Problems it Solves:

  • Separation: Keeps essential startup files safe from corruption or accidental deletion within the main system partition.

  • Compatibility: Ensures the BIOS/UEFI can easily find the bootloader without needing to understand complex file systems.

  • Multibooting: Allows a computer to hold multiple operating systems by having a dedicated space for each, or a shared space for boot management.

Insight I learned
If /boot becomes corrupted, Linux cannot start — even if the rest of the system is intact.
So /boot acts like the launchpad of the operating system.


/var/log — The Storybook of System Events

The /var/log directory stores logs generated by the system and services.

/var/log/syslog
/var/log/auth.log
/var/log/kern.log

These logs record system activity continuously.

Why /var/log exists
Every operating system needs a way to track:

  • errors

  • login attempts

  • service activity

  • crashes

  • hardware issues

Logs make troubleshooting possible.

What problem it solves
Without logs, diagnosing problems would be guesswork.
System administrators rely heavily on logs to detect:

  • security attacks

  • failed services

  • misconfigurations

Insight I learned
Even failed login attempts are recorded here, meaning logs act as a security monitoring system as well.
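
To make the failed-login point concrete, here is an added example (not from the original post) that counts failed SSH password attempts per source address from auth.log-style lines. It assumes OpenSSH's "Failed password" message as written to /var/log/auth.log on Debian/Ubuntu; the sample lines, documentation-range IPs, and the threshold parameter are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the OpenSSH/syslog format found in /var/log/auth.log.
SAMPLE_LOG = """\
Mar 10 09:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 09:14:05 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 10 09:14:09 web01 sshd[2215]: Failed password for invalid user oracle from 203.0.113.7 port 51144 ssh2
Mar 10 09:15:40 web01 sshd[2290]: Accepted publickey for deploy from 198.51.100.23 port 40022 ssh2
Mar 10 09:16:02 web01 sshd[2301]: Failed password for deploy from 198.51.100.23 port 40100 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def failed_logins(lines, threshold=3):
    """Return {source_ip: (failure_count, usernames_tried)} for IPs at or above threshold."""
    counts = Counter()
    users = defaultdict(set)
    for line in lines:
        m = FAILED.search(line)
        if m:
            counts[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return {ip: (n, sorted(users[ip])) for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, (n, names) in failed_logins(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed logins, users tried: {', '.join(names)}")
```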


/etc/resolv.conf — How Linux Finds Websites on the Internet

This file defines DNS servers used by the system.

nameserver 8.8.8.8

It tells Linux where to send domain lookup requests.

Why it exists
Humans use domain names like:

google.com

But computers communicate using IP addresses. DNS translates between them.

What problem it solves
Without DNS configuration, Linux cannot resolve website names; only raw IP addresses would work.

Insight I learned
Changing /etc/resolv.conf changes how the entire system resolves internet addresses instantly.

This means DNS behavior is fully configurable at the filesystem level.


/etc/passwd and /etc/shadow — The Identity System of Linux

User information is stored inside:

/etc/passwd
/etc/shadow

/etc/passwd stores: username, user ID, home directory, shell type.

/etc/shadow stores encrypted passwords.

Why these files exist
Linux separates identity information from password security, which improves system protection.

What problem it solves
If passwords were stored inside /etc/passwd, any user could read them.

Instead:

  • /etc/passwd is readable

  • /etc/shadow is restricted

This improves authentication safety.

Insight I learned
Linux security is implemented using simple file permission design, not hidden authentication engines.
That’s elegant engineering.
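
An added example, not from the original post: a Python audit of the passwd/shadow split described above. It flags password fields kept in the readable /etc/passwd, empty password fields, and (going beyond what the post covers) UID 0 accounts other than root, and checks whether a file is readable by other users; the sample entries and function names are constructed for illustration.

```python
import os
import stat

# Constructed sample data in /etc/passwd and /etc/shadow layout (hash values are fake).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0::/home/backup2:/bin/bash
legacy:$6$CONSTRUCTED$notarealhash:1001:1001::/home/legacy:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
"""
SHADOW = """\
root:!:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$CONSTRUCTED$notarealhash:19700:0:99999:7:::
backup2::19700:0:99999:7:::
"""

def audit_accounts(passwd_text, shadow_text):
    """Return [(user, issue)] for risky entries in the two account files."""
    shadow = {}
    for f in (l.split(":") for l in shadow_text.splitlines() if l):
        if len(f) >= 2:
            shadow[f[0]] = f[1]  # second field is the password field
    findings = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) != 7:
            continue  # blank or malformed line
        name, pw, uid = f[0], f[1], f[2]
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if pw == "":
            findings.append((name, "empty password field in /etc/passwd"))
        elif pw == "x":  # "x" means the password field lives in /etc/shadow
            if name not in shadow:
                findings.append((name, "no /etc/shadow entry"))
            elif shadow[name] == "":
                findings.append((name, "empty password field in /etc/shadow"))
        elif not pw.startswith(("*", "!")):  # "*" and "!" mark locked accounts
            findings.append((name, "password hash in world-readable /etc/passwd"))
    return findings

def readable_by_others(path):
    """True if users outside the file's owner and group can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)
```

On a live system, pass the contents of /etc/passwd and /etc/shadow (the latter needs root) and call readable_by_others("/etc/shadow"), which should return False.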


/etc/fstab — Automatic Disk Mounting Configuration

This file defines how storage devices are mounted during system startup.
Example entries include:

UUID=xxxx / ext4 defaults 0 1

Why it exists
Instead of manually mounting disks every time Linux starts, the system reads instructions from /etc/fstab.

What problem it solves
Automates storage setup during boot.
This is critical for:

  • servers

  • databases

  • cloud systems

  • external drives

Insight I learned
Incorrect entries inside /etc/fstab can prevent Linux from booting properly, showing how powerful configuration files can be.


/proc/net/route — Understanding the Routing Table

This file contains routing information used by the kernel. It determines where outgoing packets go.

Why it exists
When Linux sends network data, it must decide which interface to use.

What problem it solves
Ensures correct packet delivery across networks.
Without routing configuration, Internet communication would fail.

Insight I learned
Networking tools like route and ip route actually read kernel routing data from here.
So again, Linux exposes networking logic through filesystem interfaces.
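
The contents of /proc/net/route are hex-encoded, so here is an added example (not from the original post) that decodes the destination, gateway, mask and flags columns into readable routes and picks out the default gateway. The sample table is constructed, the function names are illustrative, and the decoding assumes a little-endian host.

```python
import ipaddress
import struct

RTF_UP, RTF_GATEWAY = 0x1, 0x2  # flag bits from <linux/route.h>

# Constructed sample in /proc/net/route layout (tab-separated, hex address fields).
SAMPLE = (
    "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t0101A8C0\t0003\t0\t0\t100\t00000000\t0\t0\t0\n"
    "eth0\t0001A8C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0\n"
)

def _addr(hexfield):
    # Assumption: little-endian host (x86, most ARM), so the hex digits are
    # the network-order address printed as a native integer.
    return ipaddress.IPv4Address(struct.pack("<L", int(hexfield, 16)))

def parse_routes(text):
    """Decode /proc/net/route text into a list of route dicts (active routes only)."""
    routes = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 8:
            continue
        flags = int(f[3], 16)  # Flags is hex, Metric is decimal
        if not flags & RTF_UP:
            continue
        prefix = bin(int(_addr(f[7]))).count("1")  # netmask -> prefix length
        network = ipaddress.ip_network(f"{_addr(f[1])}/{prefix}", strict=False)
        routes.append({
            "iface": f[0],
            "dest": str(network),
            "gateway": str(_addr(f[2])) if flags & RTF_GATEWAY else None,
            "metric": int(f[6]),
        })
    return routes

def default_gateways(routes):
    """Return [(gateway, iface)] for default routes, where outbound traffic leaves."""
    return [(r["gateway"], r["iface"]) for r in routes
            if r["dest"] == "0.0.0.0/0" and r["gateway"]]

if __name__ == "__main__":
    with open("/proc/net/route") as fh:
        for route in parse_routes(fh.read()):
            print(route)
```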


/etc/systemd — Controlling Background Services

Modern Linux systems use systemd to manage services.
Configuration files exist inside:

/etc/systemd/

They define:

  • startup services

  • background daemons

  • dependencies

  • execution order

Why it exists
Operating systems run many background services like:

  • networking

  • logging

  • scheduling

  • authentication

systemd manages them efficiently.

What problem it solves
Instead of manually starting services after boot, systemd automates service lifecycle management.

Insight I learned
Linux startup is not random; it’s carefully orchestrated through structured service definitions.
This makes Linux predictable and scalable.


Final Reflection: What This Exploration Changed for Me

Before this exploration, I thought Linux directories were just storage locations.

Now I understand:

They are interfaces to the operating system itself.

Through the Linux filesystem, I explored:

  • process internals

  • networking configuration

  • DNS behavior

  • authentication systems

  • service orchestration

  • kernel communication

  • hardware abstraction

This experience showed me that Linux is not just an operating system.

It is a transparent, inspectable, and controllable environment designed for engineers.

And once you understand its filesystem structure, you’re no longer just a user of Linux — you start thinking like a system investigator.