Linux File System

Full Stack developer, Looking for the opportunities

In this blog, I will be covering some unknown (not so common) commands of the Linux operating system.

The Linux file system is a structured way of storing and organizing data on a Linux system. It arranges files hierarchically, starting from the root directory ('/').

  • All files and directories in Linux originate from a single root directory, '/'.

  • It follows a hierarchical structure, which looks something like this

The Linux file system architecture is organized into three important layers:

  1. Logical File System - acts as the interface between the user application and the file system. It handles key operations like open, close, read and write, and also provides security checks such as permissions and file access control.

  2. Virtual File System (VFS) - allows Linux to use multiple file system types at the same time. It acts as an abstraction layer, hiding the internal complexities of each file system.

  3. Physical File System - interacts directly with the hardware and disk storage, and is responsible for writing data to the disk and retrieving it efficiently. It also ensures reliable storage, error handling and low-level data management.


Now let's explore the major directories

/etc

It stands for editable text configuration, and it is where Linux stores almost every decision about how your system behaves. Unlike Windows, where settings live in a binary registry, Linux puts them in plain text files you can read and edit.

The most interesting thing here is that /etc is not just configuration, it is policy.

For example:

/etc/passwd — Not passwords (despite the name). It stores user accounts in a colon-separated format:

root:x:0:0:root:/root:/bin/bash

The x means the actual password hash was moved to /etc/shadow (which only root can read). The last field — /bin/bash — is the default shell. Change it to /sbin/nologin and the user can no longer interactively log in. That single field controls access without touching any firewall rule.
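Because the shell and password fields act as access policy, they are worth auditing. The following Python sketch is an added example, not part of the original post: it parses passwd-format text and reports accounts that break common expectations. The sample entries are constructed, and the set of non-login shells and the `first_human_uid` threshold of 1000 are assumptions to adjust for your distribution.

```python
# Constructed sample in /etc/passwd format (not taken from a real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
backup2:x:0:0::/home/backup2:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy::1001:1001::/home/legacy:/bin/bash
"""

# Assumption: shells that refuse interactive logins on this system.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Yield one dict per well-formed 7-field passwd line."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            continue  # skip blanks, comments and malformed rows
        name, pw, uid, _gid, _gecos, _home, shell = parts
        yield {"name": name, "pw": pw, "uid": int(uid), "shell": shell}


def audit_passwd(text, first_human_uid=1000):
    """Return (account, issue) pairs for entries that deserve a second look."""
    findings = []
    for e in parse_passwd(text):
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "second UID 0 account"))
        if e["pw"] == "":
            findings.append((e["name"], "empty password field"))
        elif e["pw"] != "x" and e["pw"][0] not in "*!":
            # Anything other than x or a lock marker means the hash is not in /etc/shadow.
            findings.append((e["name"], "hash stored in world-readable passwd"))
        interactive = e["shell"] not in NOLOGIN_SHELLS
        if interactive and 0 < e["uid"] < first_human_uid:
            findings.append((e["name"], "service account with login shell"))
    return findings


if __name__ == "__main__":
    for account, issue in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {issue}")
```

To run it against a live system, pass the contents of /etc/passwd to `audit_passwd` instead of the sample.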

/proc

For routing table inspection, you don't need ip route to see your routing table; it is already exposed as a file:

cat /proc/net/route

output :

Here 0101A8C0 decodes to 192.168.1.1 (the default gateway), and the Flags column value 003 means the route is Up and is a Gateway route.
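The decoding described above, worked through in Python as an added example (not from the original post). The sample table is constructed, and the byte order assumes a little-endian host such as x86-64; only the three flag bits named in the comments are decoded.

```python
import socket
import struct

# Constructed sample in the /proc/net/route layout (not captured from a real host).
SAMPLE_ROUTE = """\
Iface Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
eth0  00000000    0101A8C0 0003  0      0   100    00000000 0   0      0
eth0  0001A8C0    00000000 0001  0      0   100    00FFFFFF 0   0      0
"""

# Route flag bits from the kernel's route.h: RTF_UP, RTF_GATEWAY, RTF_HOST.
ROUTE_FLAGS = {0x1: "UP", 0x2: "GATEWAY", 0x4: "HOST"}


def hex_to_ipv4(value):
    """'0101A8C0' -> '192.168.1.1' (hex of a little-endian 32-bit word)."""
    return socket.inet_ntoa(struct.pack("<I", int(value, 16)))


def parse_routes(text):
    """Decode every data row of a /proc/net/route dump into a dict."""
    routes = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 8:
            continue
        flags = int(f[3], 16)
        routes.append({
            "iface": f[0],
            "dest": hex_to_ipv4(f[1]),
            "gateway": hex_to_ipv4(f[2]),
            "mask": hex_to_ipv4(f[7]),
            "flags": [name for bit, name in ROUTE_FLAGS.items() if flags & bit],
        })
    return routes


def default_gateway(routes):
    """Return the gateway of the 0.0.0.0/0 route, or None if there is none."""
    for r in routes:
        if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0" and "GATEWAY" in r["flags"]:
            return r["gateway"]
    return None


if __name__ == "__main__":
    for route in parse_routes(SAMPLE_ROUTE):
        print(route)
```

Comparing `default_gateway` against the gateway you expect is a quick way to notice an unexpected route change on a host.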

/proc/net also exposes the following information:

  1. /proc/net/tcp - every active TCP connection, with local/remote address and port in hex

  2. /proc/net/arp - your ARP cache (IP - MAC mappings)

  3. /proc/net/dev - what ifconfig reads internally (per-interface packet counters)

  4. /proc/net/if_inet6 - IPv6 interface addresses
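As an added example (not from the original post), this Python sketch decodes /proc/net/tcp rows and lists the listening sockets that are reachable from other hosts, which is a quick exposure check that needs no extra tools. The sample rows are constructed, a little-endian host is assumed, and only a few state codes are named.

```python
import socket
import struct

# Constructed sample in the /proc/net/tcp layout (not captured from a real host).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21001 1
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 21002 1
   2: 0A01A8C0:0016 1401A8C0:D431 01 00000000:00000000 02:000A1B2C 00000000     0        0 21003 2
"""

# Subset of the kernel's TCP state codes; unknown codes are kept as raw hex.
TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}


def decode_endpoint(field):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306): little-endian hex address, hex port."""
    addr, port = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)


def parse_tcp(text):
    """Decode every data row of a /proc/net/tcp dump into a dict."""
    socks = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        socks.append({
            "local": decode_endpoint(f[1]),
            "remote": decode_endpoint(f[2]),
            "state": TCP_STATES.get(f[3], f[3]),
            "uid": int(f[7]),  # owner of the socket
        })
    return socks


def exposed_listeners(socks):
    """Listening sockets not bound to loopback, as (address, port, uid) tuples."""
    return [(s["local"][0], s["local"][1], s["uid"]) for s in socks
            if s["state"] == "LISTEN" and not s["local"][0].startswith("127.")]


if __name__ == "__main__":
    for addr, port, uid in exposed_listeners(parse_tcp(SAMPLE_TCP)):
        print(f"{addr}:{port} is listening on all or external interfaces (uid {uid})")
```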

/sys

While /etc configures what should happen, /sys/class/net/ shows what is actually happening right now:

/sys/class/net/eth0/speed          → link speed in Mbps
/sys/class/net/eth0/operstate      → "up" or "down"
/sys/class/net/eth0/address        → MAC address
/sys/class/net/eth0/mtu            → current MTU
/sys/class/net/eth0/statistics/    → live byte/packet counters

Unlike /proc, which is process-oriented, /sys is hardware and device oriented. It reflects the kernel's model of your hardware.

/var/log

It holds the system logs:

  • syslog / messages — general system activity

  • auth.log — every login attempt, sudo usage, SSH session

  • kern.log — kernel messages (hardware errors, driver issues)

  • dmesg — boot-time kernel ring buffer

/dev

It shows that everything is a file in Linux, including the hardware:

  • /dev/sda — your first SATA disk. dd if=/dev/sda of=backup.img creates a byte-for-byte disk image

  • /dev/null — the void. Anything written here disappears

  • /dev/zero — produces infinite zero bytes when read

  • /dev/random and /dev/urandom — kernel entropy sources. cat /dev/urandom | head -c 16 | xxd generates raw random bytes

  • /dev/stdin, /dev/stdout, /dev/stderr — your current terminal's I/O as files

  • /dev/tty — the controlling terminal of the current process

/boot

It contains the files that exist before the real Linux system starts:

  • vmlinuz — the compressed Linux kernel binary

  • initrd.img — initial RAM disk, a tiny temporary filesystem the kernel mounts first to load drivers

  • grub/grub.cfg — the bootloader config (auto-generated — editing it directly is discouraged; edit /etc/default/grub instead)


Now let's learn some unknown (not so common) commands

  1. Navigation

    1. namei - walks every component of a path and prints its type (dir, symlink, file). Useful when debugging symlink chains or permission issues.

      namei -l /usr/bin/python3  # -l shows the permissions at each step
      
    2. xargs -I{} - passes piped input as arguments to another command, replacing {} with each item. The -I flag is the underused half of xargs.

      # -print0 / -0 keep filenames with spaces, quotes or newlines intact; -- stops names starting with '-' being read as options
      find . -name '*.log' -print0 | xargs -0 -I{} mv -- {} /tmp/logs/
      
    3. find -newer - finds files modified more recently than a reference file. Great for tracking what changed after installing a package.

      find /etc -newer /etc/passwd -type f
      
  2. Disk

    1. lsblk - lists all block devices (disks, partitions, loops) in a clean tree. Much more readable than fdisk -l for a quick overview.

      lsblk -o NAME,SIZE,TYPE,MOUNTPOINT
      
    2. findmnt - lists all mounted filesystems as a tree and also lets you find what is mounted at a specific path.

      findmnt --real
      findmnt /home
      
    3. blkid - prints the UUID, filesystem type and label of every block device. Much quicker than digging through /dev/disk/by-uuid manually.

      blkid /dev/sda1
      
  3. Metadata

    1. stat - Prints full file metadata: inode number, permissions in octal, link count, atime/mtime/ctime, and block size. Far more detail than ls -l.

      stat /etc/passwd
      
    2. file - Detects actual file type by reading magic bytes not by extension. Useful when you find a mystery file with no extension.

      file mystery_binary
      file -i image.jpg  # MIME type
      
  4. Links

    1. readlink -f - Resolves a symlink all the way to the final real path following every hop. No more manual chain-tracing.

      readlink -f /usr/bin/python
      
  5. Permissions

    1. getfattr / setfattr - read and write extended attributes on files: arbitrary key-value metadata stored at the filesystem level, separate from the file content.

      setfattr -n user.comment -v 'reviewed' file.txt
      getfattr -n user.comment file.txt
      
    2. attr -l - lists all the extended attributes on a file. Works on ext4, xfs and btrfs.

      attr -l /etc/passwd
      

Hope you like this blog ❤️